Date: Thu, 5 Jan 2012 17:44:33 +0400 From: Gleb Smirnoff <glebius@FreeBSD.org> To: Sami Halabi <sodynet1@gmail.com> Cc: freebsd-net@FreeBSD.org Subject: Re: ng_mppc_decompress: too many (4094) packets dropped, disabling node Message-ID: <20120105134433.GO34721@glebius.int.ru> In-Reply-To: <CAEW%2BogYQXRbWCwx41rwUMSoh5hDM6eAZcG=-BjzqZj6rBzWGRg@mail.gmail.com> References: <CAEW%2Bogbn6jizawgLCHCcTLMSmdjCKFvPkJa33jrJ5AAnjww=fg@mail.gmail.com> <20111227044754.GK8035@FreeBSD.org> <CAEW%2BogY_iHUb=n=G45d5U_r5XfD39YDwgNkowu1QN%2BeWL5K5Fw@mail.gmail.com> <20111227083503.GP8035@glebius.int.ru> <CAEW%2BogYHtvPFqMAM17_fHWzvKAiSqEOyQ3dtQRwmD6DJSHsrEA@mail.gmail.com> <20120105095855.GI34721@glebius.int.ru> <CAEW%2BogYLToV4dtW=Y-yQvY1C_YdbqQfEnr87F8dt%2BF57FxZgkw@mail.gmail.com> <20120105110116.GK34721@glebius.int.ru> <CAEW%2BogYQXRbWCwx41rwUMSoh5hDM6eAZcG=-BjzqZj6rBzWGRg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--FsscpQKzF/jJk6ya
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Sami,
I am running not with the exact patch that I've sent to you, but
with additional debugging printf, see attach. I'd like to make sure that
after such a large rekeying event the PPP link is still valid.
Since I can't cook this reordering case by hand, can you please
eventually patch your ng_mppc with attached patch and reload it. The
functionality is the same as the previous patch, but a printf is added.
And we need to ping peers IP address as soon as we see the printf
in logs. If the event happens very rarely, then some script needs
to be written, that monitors system log and once printf fires, it
should find interface name via ng_mppc node ID, and then take peers
IP address and send a ping probe.
If ping is replied, then MPPE survives this large rekeying and code
can be considered functional.
--
Totus tuus, Glebius.
--FsscpQKzF/jJk6ya
Content-Type: text/x-diff; charset=koi8-r
Content-Disposition: attachment; filename="ng_mppc.c.diff"
Index: ng_mppc.c
===================================================================
--- ng_mppc.c (revision 229571)
+++ ng_mppc.c (working copy)
@@ -98,15 +98,6 @@
/* Key length */
#define KEYLEN(b) (((b) & MPPE_128) ? 16 : 8)
-/*
- * When packets are lost with MPPE, we may have to re-key arbitrarily
- * many times to 'catch up' to the new jumped-ahead sequence number.
- * Since this can be expensive, we pose a limit on how many re-keyings
- * we will do at one time to avoid a possible D.O.S. vulnerability.
- * This should instead be a configurable parameter.
- */
-#define MPPE_MAX_REKEY 1000
-
/* MPPC packet header bits */
#define MPPC_FLAG_FLUSHED 0x8000 /* xmitter reset state */
#define MPPC_FLAG_RESTART 0x4000 /* compress history restart */
@@ -641,20 +632,22 @@
#endif
#ifdef NETGRAPH_MPPC_ENCRYPTION
if ((d->cfg.bits & MPPE_BITS) != 0) {
- u_int rekey;
+ u_int rekey;
+
+ /* How many times are we going to have to re-key? */
+ rekey = ((d->cfg.bits & MPPE_STATELESS) != 0) ?
+ numLost : (numLost / (MPPE_UPDATE_MASK + 1));
+ if (rekey > 1000)
+ log(LOG_ERR, "%s: %d packets dropped, "
+ "node [%x]\n", __func__, numLost,
+ node->nd_ID);
- /* How many times are we going to have to re-key? */
- rekey = ((d->cfg.bits & MPPE_STATELESS) != 0) ?
- numLost : (numLost / (MPPE_UPDATE_MASK + 1));
- if (rekey > MPPE_MAX_REKEY) {
- log(LOG_ERR, "%s: too many (%d) packets"
- " dropped, disabling node %p!",
- __func__, numLost, node);
- priv->recv.cfg.enable = 0;
- goto failed;
- }
-
- /* Re-key as necessary to catch up to peer */
+ /*
+ * When packets are lost or re-ordered with MPPE,
+ * we may have to re-key up to 0xfff times to 'catch
+ * up' to the new jumped-ahead sequence number. Yep,
+ * this is heavy, but what else can we do?
+ */
while (d->cc != cc) {
if ((d->cfg.bits & MPPE_STATELESS) != 0
|| (d->cc & MPPE_UPDATE_MASK)
--FsscpQKzF/jJk6ya--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120105134433.GO34721>