[Bug 200472] aesni module corrupt IP packets during encryption with IPSec

Tue May 26 19:40:00 UTC 2015

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472

            Bug ID: 200472
           Summary: aesni module corrupt IP packets during encryption with
                    IPSec
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: olivier at cochard.me

There are lot's of corrupted IP packet with aesni module loaded.

I've set-up a very simple lab across 2 FreeBSD servers in IPSec gateway mode.

pkt-generator ====== fbsd srv1 ====== fbsd svr 2  ==== pkt-receiver

With aesni module loaded and this very simple static ipsec configuration
(setkey.conf):

flush;
spdflush;
spdadd 1.0.0.0/8 3.0.0.0/8 any -P in ipsec esp/tunnel/2.2.2.2-2.2.2.3/require;
spdadd 3.0.0.0/8 1.0.0.0/8 any -P out ipsec esp/tunnel/2.2.2.3-2.2.2.2/require;
add 2.2.2.2 2.2.2.3 esp 0x1000 -E rijndael-cbc "1234567890123456";
add 2.2.2.3 2.2.2.2 esp 0x1001 -E rijndael-cbc "1234567890123456";

Then generating exactly 100 000 packets in a low-rate of 1000 paquet-per-second
using netmap's pktgen crossing these 2 FreeBSD IPSec gateway.

=> On the packet-receiver, there is only about 80-95% of these 100 000 paquets
received.

Troubleshooting session show that the "receiving" IPSec gateway correctly
receive all 100 000 encrypted packets and correctly decrypt them… but once
decrypted these packets are no more valid IP packets: IP section of a "netstat
-
s" on fbsd srv2 show lot's of invalid IP packets exactly matching the number of
missing packet. And these bad packet are never forwarded to the pkt-receiver.

Here is an example of stat on the fbsd srv 2:

[root at srv2]~# sysctl dev.igb.2.mac_stats.rx_frames_512_1023
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
[root at srv2]~# sysctl dev.igb.3.mac_stats.tx_frames_512_1023
dev.igb.3.mac_stats.tx_frames_512_1023: 99128

=> Here, 100K encrypted packets are received, but only 99128 are forwarded. 872
packet missing.

netstat -s output on srv2:
ip:
        200131 total packets received
        38 with data size < data length
        15 with header length < data size
        1 with bad options
        818 with incorrect version number
        99128 packets forwarded

=> 38+15+1+818=872 bad IP packets, we found all our missing packet.

For fixing this problem we just had to NOT load aesni module on srv1.

Bug reproduced with these release:
- FreeBSD 10.1-RELEASE-p10 #0 r282880M (about 1-5 % of corrupted packet)
- FreeBSD 11.0-CURRENT #2 r283536M (about 10-20 % of corrupted packet)

Bug reproduced with these CPU:
- Intel Atom CPU C2558
- Intel Xeon CPU L5630

More information on the IPsec lab here:
http://bsdrp.net/documentation/examples/ipsec_performance_lab_of_an_ibm_system_x3550_m3_with_intel_82580

-- 
You are receiving this mail because:
You are the assignee for the bug.