From owner-freebsd-security@FreeBSD.ORG Thu Nov 20 22:38:18 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E7132AA7; Thu, 20 Nov 2014 22:38:18 +0000 (UTC) Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "funkthat.com", Issuer "funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9E37F945; Thu, 20 Nov 2014 22:38:18 +0000 (UTC) Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id sAKMcHOu099333 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Nov 2014 14:38:17 -0800 (PST) (envelope-from jmg@h2.funkthat.com) Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id sAKMcHce099332; Thu, 20 Nov 2014 14:38:17 -0800 (PST) (envelope-from jmg) Date: Thu, 20 Nov 2014 14:38:17 -0800 From: John-Mark Gurney To: "Andrey V. Elsukov" Subject: Re: IPsec is very broken... Message-ID: <20141120223816.GJ24601@funkthat.com> Mail-Followup-To: "Andrey V. Elsukov" , freebsd-net@freebsd.org, freebsd-security@freebsd.org References: <20141120213526.GH24601@funkthat.com> <546E6931.20406@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <546E6931.20406@FreeBSD.org> User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 7.2-RELEASE i386 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Thu, 20 Nov 2014 14:38:17 -0800 (PST) Cc: freebsd-net@freebsd.org, freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2014 22:38:19 -0000 Andrey V. Elsukov wrote this message on Fri, Nov 21, 2014 at 01:20 +0300: > On 21.11.2014 00:35, John-Mark Gurney wrote: > > As I'm about to commit my AES-GCM work, I've been trying to do > > some testing to make sure I didn't break IPsec. > > > > The first major issue I ran across was transport mode... ae@ has been > > nice enough to get ICMP working in transport mode for IPv4 and IPv6, > > but it looks like TCP is still broken. I haven't tested UDP yet... > > So, IPsec even w/o crypto is fundamentally broken here... It's clear > > that not many people run transport mode... > > > > If someone could create a good test suite that ensures makes sure basic > > IPsec traffic passes, that would be a huge win for us. The tests > > should test a complete cross product of: { tunnel, transport } x > > { TCP, UDP, ICMP, any others? } x { IPv4, IPv6 }. Please add to this > > list. > > I usually do tests for both transport and tunnel modes with and without > gif(4)/gre(4). So, just tried between two CURRENT hosts and it works. > I use racoon and isakmpd for IKE. ICMP, TCP (ssh) and UDP (ike) works > for me. How do you test? Do you use software crypto or aesni? Hmm... weird... Just tested again and TCP seems to be working now... Not sure what changed... It could be that I didn't retest after fixing AES-NI's mbuf issue, but I thought I had... Though I thought I had tested a clean HEAD too... I've only been testing w/ static associations to make testing easier.. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."