Date: Thu, 20 Nov 2014 14:38:17 -0800
From: John-Mark Gurney <jmg@funkthat.com>
To: "Andrey V. Elsukov" <ae@freebsd.org>
Cc: freebsd-net@freebsd.org, freebsd-security@freebsd.org
Subject: Re: IPsec is very broken...
Message-ID: <20141120223816.GJ24601@funkthat.com>
In-Reply-To: <546E6931.20406@FreeBSD.org>
References: <20141120213526.GH24601@funkthat.com> <546E6931.20406@FreeBSD.org>
Andrey V. Elsukov wrote this message on Fri, Nov 21, 2014 at 01:20 +0300:
> On 21.11.2014 00:35, John-Mark Gurney wrote:
> > As I'm about to commit my AES-GCM work, I've been trying to do
> > some testing to make sure I didn't break IPsec.
> >
> > The first major issue I ran across was transport mode... ae@ has been
> > nice enough to get ICMP working in transport mode for IPv4 and IPv6,
> > but it looks like TCP is still broken. I haven't tested UDP yet...
> > So, IPsec even w/o crypto is fundamentally broken here... It's clear
> > that not many people run transport mode...
> >
> > If someone could create a good test suite that makes sure basic
> > IPsec traffic passes, that would be a huge win for us. The tests
> > should test a complete cross product of: { tunnel, transport } x
> > { TCP, UDP, ICMP, any others? } x { IPv4, IPv6 }. Please add to this
> > list.
>
> I usually do tests for both transport and tunnel modes with and without
> gif(4)/gre(4). So, just tried between two CURRENT hosts and it works.
> I use racoon and isakmpd for IKE. ICMP, TCP (ssh) and UDP (ike) work
> for me. How do you test? Do you use software crypto or aesni?

Hmm... weird... Just tested again and TCP seems to be working now...
Not sure what changed... It could be that I didn't retest after fixing
AES-NI's mbuf issue, but I thought I had... Though I thought I had
tested a clean HEAD too...

I've only been testing w/ static associations to make testing easier..

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
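The test matrix John-Mark asks for above, { tunnel, transport } x { TCP, UDP, ICMP } x { IPv4, IPv6 }, driven with the static associations he says he tests with, as an added example that is not part of the thread and not FreeBSD's own test suite. It enumerates the twelve cells, emits a setkey(8) configuration of static ESP SAs and SPD entries for each mode and address family, and pairs each cell with the probe command that exercises it. All addresses are documentation ranges, the SPIs, keys, the port 5001 listener on the peer and the inner tunnel addresses are constructed assumptions, and aes-cbc/hmac-sha1 stand in for whatever cipher is under test (the script does not know about the AES-GCM work being discussed).

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the IPsec test matrix
# and generate, per cell, the static-SA setkey(8) config plus the probe
# command. Everything below the comment lines is a constructed assumption.

MODES="transport tunnel"
PROTOS="icmp tcp udp"
FAMILIES="inet inet6"

# Constructed outer addresses (RFC 5737 / RFC 3849 documentation ranges).
LOCAL4=192.0.2.1;   PEER4=192.0.2.2
LOCAL6=2001:db8::1; PEER6=2001:db8::2
# Constructed inner networks for tunnel mode; the peer is assumed to have
# 203.0.113.1 / 2001:db8:2::1 configured on an inner interface.
INNER_L4=198.51.100.0/24; INNER_P4=203.0.113.0/24
INNER_L6=2001:db8:1::/64; INNER_P6=2001:db8:2::/64
PEER_INNER4=203.0.113.1;  PEER_INNER6=2001:db8:2::1

# Constructed test keys: 128-bit AES-CBC and 160-bit HMAC-SHA1 as hex.
ENC_KEY=0x000102030405060708090a0b0c0d0e0f
AUTH_KEY=0x000102030405060708090a0b0c0d0e0f10111213
PORT=5001   # assumed TCP listener and UDP echo on the peer

# list_cases: one "mode proto family" line per matrix cell (12 lines).
list_cases() {
    for m in $MODES; do
        for p in $PROTOS; do
            for f in $FAMILIES; do
                printf '%s %s %s\n' "$m" "$p" "$f"
            done
        done
    done
}

# setkey_conf MODE FAMILY: static SAs in both directions plus SPD entries
# requiring ESP. The peer loads the same config with local/peer swapped.
setkey_conf() {
    mode=$1; fam=$2
    case $fam in
        inet)  l=$LOCAL4; r=$PEER4; il=$INNER_L4; ir=$INNER_P4 ;;
        inet6) l=$LOCAL6; r=$PEER6; il=$INNER_L6; ir=$INNER_P6 ;;
        *) return 1 ;;
    esac
    echo "flush; spdflush;"
    echo "add $l $r esp 0x1000 -m $mode -E aes-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;"
    echo "add $r $l esp 0x1001 -m $mode -E aes-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;"
    if [ "$mode" = transport ]; then
        echo "spdadd $l $r any -P out ipsec esp/transport//require;"
        echo "spdadd $r $l any -P in  ipsec esp/transport//require;"
    else
        echo "spdadd $il $ir any -P out ipsec esp/tunnel/$l-$r/require;"
        echo "spdadd $ir $il any -P in  ipsec esp/tunnel/$r-$l/require;"
    fi
}

# probe_cmd PROTO FAMILY TARGET: the command that exercises one cell.
probe_cmd() {
    proto=$1; fam=$2; target=$3
    case "$proto,$fam" in
        icmp,inet)  echo "ping -c 3 $target" ;;
        icmp,inet6) echo "ping6 -c 3 $target" ;;
        tcp,inet)   echo "nc -z -w 3 $target $PORT" ;;
        tcp,inet6)  echo "nc -6 -z -w 3 $target $PORT" ;;
        udp,inet)   echo "echo probe | nc -u -w 3 $target $PORT" ;;
        udp,inet6)  echo "echo probe | nc -6 -u -w 3 $target $PORT" ;;
        *) return 1 ;;
    esac
}

# run_case MODE PROTO FAMILY: load this host's SAs/SPD and probe the peer.
# Needs root and a peer configured as described above; not run by default.
run_case() {
    mode=$1; proto=$2; fam=$3
    case "$mode,$fam" in
        transport,inet)  target=$PEER4 ;;
        transport,inet6) target=$PEER6 ;;
        tunnel,inet)     target=$PEER_INNER4 ;;   # inner address so the tunnel SPD matches
        tunnel,inet6)    target=$PEER_INNER6 ;;
        *) return 1 ;;
    esac
    setkey_conf "$mode" "$fam" | setkey -c || return 1
    sh -c "$(probe_cmd "$proto" "$fam" "$target")"
}

# "run" executes the matrix; anything else just prints it.
if [ "$1" = run ]; then
    list_cases | while read m p f; do
        if run_case "$m" "$p" "$f"; then echo "PASS $m $p $f"; else echo "FAIL $m $p $f"; fi
    done
else
    list_cases | while read m p f; do
        printf '%-9s %-4s %-5s %s\n' "$m" "$p" "$f" "$(probe_cmd "$p" "$f" peer)"
    done
fi
```

Run without arguments on any host to see the twelve cells and their probe commands; run as root with `run` on one endpoint after loading the mirrored config on the other. Because the SPD entries use `require`, a cell only passes if the probe traffic actually went through ESP, which is the check that distinguishes "IPsec works" from "the kernel quietly sent cleartext". The cells Andrey describes (gif(4)/gre(4) over IPsec, IKE-negotiated SAs) are not covered here; adding a fourth axis for the keying method is the natural extension.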