kern/121373: New IPSEC & IPV6 & AH+ESP Broken

[Cyrus Rahman]

>Number:         121373
>Category:       kern
>Synopsis:       New IPSEC & IPV6 & AH+ESP Broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 05 00:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Cyrus Rahman
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Tue Mar  4 16:27:33 MST 2008     cr at snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA  i386

>Description:
One can't run ipsec with both esp + ah on 7.0-RELEASE with ipv6.  Trying to will
produce the kernel printf:

 kernel: ip6_output (ipsec): error code 22

and no output from the interface.

The problem looks to be here, in ipsec_output.c, ipsec_process_done():

       /*
         * If there's another (bundled) SA to apply, do so.
         * Note that this puts a burden on the kernel stack size.
         * If this is a problem we'll need to introduce a queue
         * to set the packet on so we can unwind the stack before
         * doing further processing.
         */
        if (isr->next) {
                ipsec4stat.ips_out_bundlesa++;
                return ipsec4_process_packet(m, isr->next, 0, 0);
        }

So for the second SA we try to apply it with ipsec4_process_packet(), which fails when handed an ipv6 packet.  By the way, things work fine with ipv4.

>How-To-Repeat:
Set up an association between two ipv6 hosts that calls for esp+ah.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: