Date:      Tue, 26 May 2015 19:40:00 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 200472] aesni module corrupt IP packets during encryption with IPSec
Message-ID:  <bug-200472-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472

            Bug ID: 200472
           Summary: aesni module corrupt IP packets during encryption with
                    IPSec
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: olivier@cochard.me

There are lots of corrupted IP packets with the aesni module loaded.

I've set up a very simple lab across 2 FreeBSD servers in IPsec gateway mode.

pkt-generator ====== fbsd srv1 ====== fbsd srv2 ==== pkt-receiver

With aesni module loaded and this very simple static ipsec configuration
(setkey.conf):

flush;
spdflush;
spdadd 1.0.0.0/8 3.0.0.0/8 any -P in ipsec esp/tunnel/2.2.2.2-2.2.2.3/require;
spdadd 3.0.0.0/8 1.0.0.0/8 any -P out ipsec esp/tunnel/2.2.2.3-2.2.2.2/require;
add 2.2.2.2 2.2.2.3 esp 0x1000 -E rijndael-cbc "1234567890123456";
add 2.2.2.3 2.2.2.2 esp 0x1001 -E rijndael-cbc "1234567890123456";

Then I generated exactly 100 000 packets at a low rate of 1000 packets per second
using netmap's pktgen, crossing these 2 FreeBSD IPsec gateways.

=> On the packet-receiver, only about 80-95% of these 100 000 packets are
received.

A troubleshooting session shows that the "receiving" IPsec gateway correctly
receives all 100 000 encrypted packets and correctly decrypts them... but once
decrypted these packets are no longer valid IP packets: the IP section of a
"netstat -s" on fbsd srv2 shows lots of invalid IP packets, exactly matching the
number of missing packets. And these bad packets are never forwarded to the
pkt-receiver.

Here is an example of stats on fbsd srv2:

[root@srv2]~# sysctl dev.igb.2.mac_stats.rx_frames_512_1023
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
[root@srv2]~# sysctl dev.igb.3.mac_stats.tx_frames_512_1023
dev.igb.3.mac_stats.tx_frames_512_1023: 99128

=> Here, 100K encrypted packets are received, but only 99128 are forwarded. 872
packets missing.

netstat -s output on srv2:
ip:
        200131 total packets received
        38 with data size < data length
        15 with header length < data size
        1 with bad options
        818 with incorrect version number
        99128 packets forwarded

=> 38+15+1+818=872 bad IP packets, we found all our missing packets.

For fixing this problem we just had to NOT load the aesni module on srv1.

Bug reproduced with these releases:
- FreeBSD 10.1-RELEASE-p10 #0 r282880M (about 1-5 % of corrupted packets)
- FreeBSD 11.0-CURRENT #2 r283536M (about 10-20 % of corrupted packets)

Bug reproduced with these CPUs:
- Intel Atom CPU C2558
- Intel Xeon CPU L5630

More information on the IPsec lab here:
http://bsdrp.net/documentation/examples/ipsec_performance_lab_of_an_ibm_system_x3550_m3_with_intel_82580

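A worked example, added here and not part of the bug report, that automates the counter reconciliation the reporter did by hand: it parses the two igb mac_stats sysctl lines and the ip: section of netstat -s (the report's own numbers, embedded as sample input) and checks whether the IP-layer malformation counters account for every packet that was received but not forwarded. A non-zero "unexplained" figure would mean the loss is not (only) post-decryption corruption. The set of counter names treated as malformation drops is my assumption drawn from FreeBSD's netstat output; the four quoted in the report are certainly among them.

```python
"""Reconcile IPsec gateway counters to explain a received-vs-forwarded gap.

Added example, not code from the bug report. It reads the sysctl and
`netstat -s` text an operator would paste in and reports how much of the
missing traffic the IP-layer malformation counters explain.
"""
import re

# Constructed sample: the two sysctl lines as printed on srv2 in the report.
SYSCTL_OUTPUT = """\
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
dev.igb.3.mac_stats.tx_frames_512_1023: 99128
"""

# Constructed sample: the ip: section of `netstat -s` as quoted in the report.
NETSTAT_IP = """\
ip:
        200131 total packets received
        38 with data size < data length
        15 with header length < data size
        1 with bad options
        818 with incorrect version number
        99128 packets forwarded
"""

# Assumption: netstat counter descriptions that mean "dropped as malformed at
# the IP layer". The first four appear in the report; the rest are other
# FreeBSD ip_stats malformation counters.
IP_MALFORMED_KEYS = frozenset({
    "with data size < data length",
    "with header length < data size",
    "with bad options",
    "with incorrect version number",
    "bad header checksums",
    "with size smaller than minimum",
    "with data length < header length",
    "with ip length > max ip packet size",
})


def parse_sysctl(text):
    """Return {oid: int} for every 'oid: value' line (non-numeric lines skipped)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s+(\d+)$", line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_netstat_ip(text):
    """Return {description: count} for the indented lines under 'ip:' only.

    Other protocol sections (tcp:, udp:, ...) are ignored so a full
    `netstat -s` dump can be fed in unchanged.
    """
    counters = {}
    in_ip = False
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            in_ip = line.strip() == "ip:"      # section header line
            continue
        if not in_ip:
            continue
        m = re.match(r"^\s*(\d+)\s+(.*\S)\s*$", line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def reconcile(rx_frames, tx_frames, ip_counters):
    """Compare the NIC-level gap with the IP-layer malformation counters."""
    malformed = {k: v for k, v in ip_counters.items() if k in IP_MALFORMED_KEYS}
    explained = sum(malformed.values())
    missing = rx_frames - tx_frames
    return {
        "received": rx_frames,
        "forwarded": tx_frames,
        "missing": missing,
        "malformed": malformed,
        "explained": explained,
        "unexplained": missing - explained,
        # Sanity check: the IP layer should report the same forwarded count
        # that the egress NIC transmitted.
        "forwarded_matches_tx": ip_counters.get("packets forwarded") == tx_frames,
    }


def reconcile_from_text(sysctl_text, netstat_text, rx_oid, tx_oid):
    """Convenience wrapper taking raw command output and the two OIDs to use."""
    oids = parse_sysctl(sysctl_text)
    return reconcile(oids[rx_oid], oids[tx_oid], parse_netstat_ip(netstat_text))


if __name__ == "__main__":
    report = reconcile_from_text(
        SYSCTL_OUTPUT, NETSTAT_IP,
        "dev.igb.2.mac_stats.rx_frames_512_1023",
        "dev.igb.3.mac_stats.tx_frames_512_1023",
    )
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

On the report's numbers the script reports 872 missing, 872 explained and 0 unexplained, i.e. every lost packet was received, decrypted and then rejected by the IP layer as malformed, which is the signature of corruption introduced before encryption on the sending gateway rather than loss on the wire.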