From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 200472] aesni module corrupt IP packets during encryption with IPSec
Date: Wed, 27 May 2015 13:08:24 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: olivier@cochard.me
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472

--- Comment #3 from olivier@cochard.me ---
Ok, new test under FreeBSD 11.0-CURRENT #3 r283536
(Still generating 100 000 packets at 1000 pps.)

Here are the first lines of pwmc output during the load (done on the "encrypter
IPSec gateway side"):

PMC: [INSTR_RETIRED_ANY] Samples: 544 (100.0%) , 0 unresolved

%SAMP IMAGE      FUNCTION             CALLERS
  7.4 aesni.ko   aesni_encrypt_cbc    aesni_process
  4.2 kernel     cpu_search_highest   sched_idletd:2.6 cpu_search_highest:1.7
  2.8 kernel     spinlock_exit        intr_event_schedule_thread:1.1 handleevents:0.6
  2.4 kernel     uma_zalloc_arg       crypto_getreq:1.3 malloc:0.9
  2.4 libc.so.7  bsearch              0x63b4
  2.4 kernel     cpu_search_lowest    cpu_search_lowest:1.3 sched_pickcpu:1.1
  2.0 kernel     critical_exit        spinlock_exit:1.1 sched_idletd:0.6
  2.0 kernel     __rw_rlock           in_lltable_lookup:0.6 ip_input:0.6
  1.8 kernel     _rw_runlock_cookie   rtalloc1_fib
  1.8 kernel     igb_rxeof            igb_msix_que
  1.8 kernel     ip_output            ipsec_process_done
  1.7 kernel     spinlock_enter       thread_lock_flags_
  1.5 kernel     sched_switch         mi_switch
  1.3 kernel     key_allocsp          ipsec_getpolicybyaddr
  1.3 kernel     sched_pickcpu        sched_add
  1.1 kernel     rn_match             rtalloc1_fib
  1.1 kernel     bzero
  1.1 kernel     cpu_switch           mi_switch
  1.1 kernel     bounce_bus_dmamap_lo bus_dmamap_load_mbuf_sg
  1.1 pmcstat    0x63d3               bsearch

Now on the "decrypter IPSec gateway side" the netstat output:

[root@R3]~# netstat -sp ipsec
ipsec:
        0 inbound packets violated process security policy
        0 inbound packets failed due to insufficient memory
        0 invalid inbound packets
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route available
        0 invalid outbound packets
        0 outbound packets with bundled SAs
        0 mbufs coalesced during clone
        0 clusters coalesced during clone
        0 clusters copied during clone
        0 mbufs inserted during makespace

[root@R3]~# netstat -sp esp
esp:
        0 packets shorter than header shows
        0 packets dropped; protocol family not supported
        0 packets dropped; no TDB
        0 packets dropped; bad KCR
        0 packets dropped; queue full
        0 packets dropped; no transform
        0 packets dropped; bad ilen
        0 replay counter wraps
        0 packets dropped; bad encryption detected
        0 packets dropped; bad authentication detected
        0 possible replay packets detected
        100000 packets in
        0 packets out
        0 packets dropped; invalid TDB
        54400000 bytes in
        0 bytes out
        0 packets dropped; larger than IP_MAXPACKET
        0 packets blocked due to policy
        0 crypto processing failures
        0 tunnel sanity check failures
        ESP output histogram:
                rijndael-cbc: 100000

=> No "Ipsec/esp" problem: IPsec packets are correctly generated.

But once decrypted, lots of errors (too small, bad header, incorrect version
number, etc…):

[root@R3]~# netstat -sp ip
ip:
        200145 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        40 with data size < data length
        0 with ip length > max ip packet size
        19 with header length < data size
        0 with data length < header length
        1 with bad options
        818 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        100145 packets for this host
        0 packets for unknown/unsupported protocol
        99122 packets forwarded (0 packets fast forwarded)
        0 packets not forwardable
        0 packets received for unknown multicast group
        0 redirects sent
        120 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header

=> Of the 100 000 IPSec packets received, ALL of them are correctly decrypted,
but once decrypted their contents are corrupted.
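
The comparison made by eye in the comment above (clean ESP counters, malformed inner IP packets), written as a check over two captured `netstat -sp` outputs. This is an added example, not part of the original report or of FreeBSD; the counter names come from the quoted output, while the sample strings (abridged, constructed) and the function names are assumptions.

```python
import re

# Constructed samples: abridged copies of the counters quoted in the report.
ESP_SAMPLE = """esp:
        0 packets dropped; bad encryption detected
        0 packets dropped; bad authentication detected
        100000 packets in
        0 crypto processing failures
        0 tunnel sanity check failures
"""
IP_SAMPLE = """ip:
        200145 total packets received
        0 bad header checksums
        40 with data size < data length
        19 with header length < data size
        1 with bad options
        818 with incorrect version number
"""
ESP_ERRORS = ("bad encryption detected", "bad authentication detected",
              "crypto processing failures", "tunnel sanity check failures")
IP_MALFORMED = ("bad header checksums", "with size smaller than minimum",
                "with data size < data length", "with header length < data size",
                "with data length < header length", "with bad options",
                "with incorrect version number")

def parse_counters(text):
    """Turn 'N description' lines of netstat -s output into {description: N}."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters

def delta(after, before, names):
    """Growth of the named counters between two snapshots (before may be empty)."""
    a, b = parse_counters(after), parse_counters(before)
    return sum(v - b.get(k, 0) for k, v in a.items()
               if any(k.endswith(n) for n in names))

def diagnose(esp_after, ip_after, esp_before="", ip_before=""):
    esp_in = delta(esp_after, esp_before, ("packets in",))
    esp_err = delta(esp_after, esp_before, ESP_ERRORS)
    ip_bad = delta(ip_after, ip_before, IP_MALFORMED)
    if esp_err:
        verdict = "ESP layer rejected packets"
    elif esp_in and ip_bad:
        verdict = "ESP accepted everything but inner packets are malformed"
    else:
        verdict = "no corruption signature"
    return {"esp_in": esp_in, "esp_errors": esp_err,
            "ip_malformed": ip_bad, "verdict": verdict}
```

The counters are cumulative and system-wide, so pass snapshots taken before and after the test run to isolate the traffic under test.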