From: "Cyrus Rahman" <crahman@gmail.com>
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Date: Tue, 4 Mar 2008 17:01:22 -0700
Subject: Re: ipv6 + ah + esp
Message-ID: <9e77bdb50803041601r9f687bfpe164f1b7b7d02719@mail.gmail.com>
In-Reply-To: <20080304152255.M50685@maildrop.int.zabbadoz.net>
References: <9e77bdb50803040649u1876d8d4l9f2b7a4cef5c4b5@mail.gmail.com> <20080304152255.M50685@maildrop.int.zabbadoz.net>
List-Id: Networking and TCP/IP with FreeBSD

> > Is there a known problem running ah+esp on ip6?  I can set up an
> > association and run ah+esp just fine on ip4,
> > and ah or esp work well by themselves in ip6, but I've had no luck
> > with combining them on ip6.
>
> 22 is EINVAL.
>
> The same error message is there twice in sys/netinet6/ip6_output.c
> (search for "(ipsec)" w/o the "").
>
> Could you alter them so we can tell them apart, recompile the kernel
> and file a PR with this information and whether it is the printf after
> ipsec6_output_trans or after ipsec6_output_tunnel.

In this case, because I'm using transport mode, it's in ipsec6_output_trans,
but the problem would occur in either case.

Looking in ipsec_output.c, ipsec_process_done(), the problem is this dodgy
bit of code:

	/*
	 * If there's another (bundled) SA to apply, do so.
	 * Note that this puts a burden on the kernel stack size.
	 * If this is a problem we'll need to introduce a queue
	 * to set the packet on so we can unwind the stack before
	 * doing further processing.
	 */
	if (isr->next) {
		ipsec4stat.ips_out_bundlesa++;
		return ipsec4_process_packet(m, isr->next, 0, 0);
	}

which works great for ipv4 but not so well in the other case.

Actually, there's another problem in the new ipsec, which is that the refcnt
for security associations gets incremented each time a packet traverses the
code.  So when you tear an association down you have to wait hours for it to
be deleted, since it only decrements once each second.  This only happens in
ipv6 too; ipv4 works fine.

I'll file a pr.

Thanks!

Cyrus
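The two failure modes described in the message above, as an added, self-contained model written for this page; it is not FreeBSD code and none of the `model_*` names, structs or enum values exist in the kernel. It keeps only the shape that matters: an ESP(+AH) bundle walked by family-specific entry points, each taking a reference on its SA, with `model_process_done` playing the role of the quoted `ipsec_process_done()`. With `fixed == 0` the bundle continuation is unconditionally the v4 entry point (so an IPv6 packet with a second SA gets EINVAL) and the v6 path never drops the reference it took; with `fixed == 1` the continuation follows the packet's family and the reference is released. The leaked-reference count is the number of one-second reaper ticks a teardown would have to wait in the scenario the mail describes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Model address families (hypothetical values, not the kernel's AF_INET/AF_INET6). */
enum fam { FAM_V4 = 4, FAM_V6 = 6 };

/* Hypothetical SA: the family it was set up for and the references held on it. */
struct model_sav {
	const char *name;
	enum fam family;
	int refcnt;
};

/* Hypothetical bundle entry: the SA to apply and the next entry, if any. */
struct model_isr {
	struct model_sav *sav;
	struct model_isr *next;
};

/* Hypothetical packet: its family and the number of SAs applied so far. */
struct model_pkt {
	enum fam family;
	int layers;
};

static int model_ipsec4_process(struct model_pkt *, struct model_isr *, int);
static int model_ipsec6_process(struct model_pkt *, struct model_isr *, int);

/*
 * Common tail of one SA's processing.  Fixed variant: always release the
 * reference taken on entry and continue the bundle in the packet's own
 * family.  Buggy variant: the v6 path keeps the reference, and the
 * continuation is unconditionally the v4 entry point, as in the quoted code.
 */
static int model_process_done(struct model_pkt *m, struct model_isr *isr, int fixed)
{
	if (fixed || m->family == FAM_V4)
		isr->sav->refcnt--;
	if (isr->next == NULL)
		return 0;
	if (!fixed)
		return model_ipsec4_process(m, isr->next, fixed);
	return m->family == FAM_V6 ? model_ipsec6_process(m, isr->next, fixed)
				   : model_ipsec4_process(m, isr->next, fixed);
}

/* Family-specific entry points: reject the wrong family, take a reference, apply. */
static int model_ipsec4_process(struct model_pkt *m, struct model_isr *isr, int fixed)
{
	if (m->family != FAM_V4 || isr->sav->family != FAM_V4)
		return EINVAL;
	isr->sav->refcnt++;
	m->layers++;
	return model_process_done(m, isr, fixed);
}

static int model_ipsec6_process(struct model_pkt *m, struct model_isr *isr, int fixed)
{
	if (m->family != FAM_V6 || isr->sav->family != FAM_V6)
		return EINVAL;
	isr->sav->refcnt++;
	m->layers++;
	return model_process_done(m, isr, fixed);
}

/*
 * Push n packets of one family through a transport-mode ESP (+AH if bundled)
 * bundle.  Returns the errno of the last packet; *leaked receives the
 * references still held afterwards (= seconds a one-per-second reaper needs
 * before the SAs can go away); *layers receives the SAs applied to the last packet.
 */
static int model_run(enum fam family, int bundled, int n, int fixed, int *leaked, int *layers)
{
	struct model_sav esp = { "esp", family, 0 }, ah = { "ah", family, 0 };
	struct model_isr isr_ah = { &ah, NULL };
	struct model_isr isr_esp = { &esp, bundled ? &isr_ah : NULL };
	int err = 0;

	*layers = 0;
	for (int i = 0; i < n; i++) {
		struct model_pkt m = { family, 0 };
		err = m.family == FAM_V6 ? model_ipsec6_process(&m, &isr_esp, fixed)
					 : model_ipsec4_process(&m, &isr_esp, fixed);
		*layers = m.layers;
	}
	*leaked = esp.refcnt + ah.refcnt;
	return err;
}

int main(void)
{
	int leaked, layers, err;

	err = model_run(FAM_V6, 1, 3600, 0, &leaked, &layers);
	printf("buggy v6 ah+esp: err=%d (EINVAL=%d) layers=%d refs leaked=%d\n",
	    err, EINVAL, layers, leaked);
	err = model_run(FAM_V6, 1, 3600, 1, &leaked, &layers);
	printf("fixed v6 ah+esp: err=%d layers=%d refs leaked=%d\n", err, layers, leaked);
	return 0;
}
```

Running it shows the two symptoms side by side: the buggy v6 bundle applies only the first SA and fails with EINVAL (the "22" from the original report), and every packet that went through leaves one reference behind, so 3600 packets mean an hour of waiting for the SA to be reaped; the IPv4 bundle and the fixed IPv6 variant apply both SAs and leak nothing.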