kern/121373: New IPSEC & IPV6 & AH+ESP Broken
Cyrus Rahman
crahman at gmail.com
Wed Mar 5 00:20:03 UTC 2008
>Number: 121373
>Category: kern
>Synopsis: New IPSEC & IPV6 & AH+ESP Broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 05 00:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Cyrus Rahman
>Release: 7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Tue Mar 4 16:27:33 MST 2008 cr at snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA i386
>Description:
One can't run ipsec with both esp + ah on 7.0-RELEASE with ipv6. Trying to will
produce the kernel printf:
kernel: ip6_output (ipsec): error code 22
and no output from the interface.
The problem looks to be here, in ipsec_output.c, ipsec_process_done():
    /*
     * If there's another (bundled) SA to apply, do so.
     * Note that this puts a burden on the kernel stack size.
     * If this is a problem we'll need to introduce a queue
     * to set the packet on so we can unwind the stack before
     * doing further processing.
     */
    if (isr->next) {
        ipsec4stat.ips_out_bundlesa++;
        return ipsec4_process_packet(m, isr->next, 0, 0);
    }
So for the second SA we try to apply it with ipsec4_process_packet(), which fails when handed an ipv6 packet. By the way, things work fine with ipv4.
>How-To-Repeat:
Set up an association between two ipv6 hosts that calls for esp+ah.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
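The following is an added, stand-alone model of the dispatch the report points at; it is not FreeBSD code and not part of the PR. The mbuf, the SA bundle (isr chain) and the two per-family entry points are hypothetical stand-ins that keep only the property the report depends on: the IPv4 entry point refuses a packet whose version nibble is not 4 and returns EINVAL, which is the "error code 22" that ip6_output() logs. With fixed == 0 the model reproduces the shipped behaviour (the second bundled SA always goes through ipsec4_process_packet()); with fixed != 0 it selects the entry point from the packet's own IP version, the general form of the dispatch for both families.

```c
/*
 * Added model of the bundled-SA dispatch from the PR. NOT FreeBSD code:
 * struct pkt, struct sa_req and the *_process_packet() functions are
 * hypothetical stand-ins. The one modelled fact is that the IPv4 entry
 * point rejects a non-IPv4 packet with EINVAL (22).
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pkt {                 /* stand-in for an mbuf chain: raw header bytes */
    const uint8_t *data;
    size_t len;
};

struct sa_req {              /* stand-in for one isr entry in the SA bundle */
    const char *proto;       /* "esp" or "ah" */
    struct sa_req *next;     /* next bundled SA, NULL when the bundle is done */
};

/* Constructed headers: only the version nibble matters for this model. */
static const uint8_t v4_pkt[] = { 0x45, 0x00, 0x00, 0x14 };   /* IPv4, IHL 5 */
static const uint8_t v6_pkt[] = { 0x60, 0x00, 0x00, 0x00 };   /* IPv6 */

static int ip_version(const struct pkt *p)
{
    return p->len ? p->data[0] >> 4 : -1;   /* high nibble, both families */
}

static int process_done(struct pkt *p, struct sa_req *isr, int fixed, int *applied);

/* Per-family entry points: apply one SA (counted in *applied), then return
 * to process_done() for the rest of the bundle, as the kernel path does. */
static int ipsec4_process_packet(struct pkt *p, struct sa_req *isr, int fixed, int *applied)
{
    if (ip_version(p) != 4)
        return EINVAL;                      /* the "error code 22" in the PR */
    (*applied)++;
    return process_done(p, isr, fixed, applied);
}

static int ipsec6_process_packet(struct pkt *p, struct sa_req *isr, int fixed, int *applied)
{
    if (ip_version(p) != 6)
        return EINVAL;
    (*applied)++;
    return process_done(p, isr, fixed, applied);
}

/* The dispatch point quoted in the PR. fixed == 0: always the IPv4 entry
 * point (shipped behaviour). fixed != 0: pick by the packet's version. */
static int process_done(struct pkt *p, struct sa_req *isr, int fixed, int *applied)
{
    if (isr->next == NULL)
        return 0;                           /* bundle exhausted: on to ip{,6}_output */
    if (!fixed)
        return ipsec4_process_packet(p, isr->next, fixed, applied);
    switch (ip_version(p)) {
    case 4:  return ipsec4_process_packet(p, isr->next, fixed, applied);
    case 6:  return ipsec6_process_packet(p, isr->next, fixed, applied);
    default: return EINVAL;
    }
}

/* Run an esp+ah bundle over one packet. Returns the errno the output path
 * would see (0 on success); *applied receives the number of SAs applied. */
int run_bundle(const uint8_t *data, size_t len, int fixed, int *applied)
{
    struct sa_req ah  = { "ah",  NULL };
    struct sa_req esp = { "esp", &ah };
    struct pkt p = { data, len };

    *applied = 0;
    /* The first SA is entered through the caller's family-specific path. */
    switch (ip_version(&p)) {
    case 4:  return ipsec4_process_packet(&p, &esp, fixed, applied);
    case 6:  return ipsec6_process_packet(&p, &esp, fixed, applied);
    default: return EINVAL;
    }
}

int bundle_error(const uint8_t *data, size_t len, int fixed)
{
    int n;
    return run_bundle(data, len, fixed, &n);
}

int sas_applied(const uint8_t *data, size_t len, int fixed)
{
    int n;
    run_bundle(data, len, fixed, &n);
    return n;
}

int main(void)
{
    const struct { const char *name; const uint8_t *d; size_t n; } pk[] = {
        { "ipv4", v4_pkt, sizeof v4_pkt }, { "ipv6", v6_pkt, sizeof v6_pkt } };
    for (int fixed = 0; fixed < 2; fixed++)
        for (size_t i = 0; i < 2; i++) {
            int n, err = run_bundle(pk[i].d, pk[i].n, fixed, &n);
            printf("%s dispatch, %s esp+ah: error code %d (%s), %d SA(s) applied\n",
                   fixed ? "fixed" : "shipped", pk[i].name, err,
                   err ? strerror(err) : "ok", n);
        }
    return 0;
}
```

Running it shows the shape of the report: with the shipped dispatch the IPv4 bundle applies both SAs and returns 0, while the IPv6 bundle applies ESP, then hands the packet to the IPv4 entry point for AH and stops with error code 22 and nothing sent; with version-based dispatch the IPv6 bundle applies both SAs as well. The model says nothing about how the real kernel should be patched (the statistics counter and mbuf handling are out of scope here); it only isolates the address-family assumption the PR identifies.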