[Bug 200472] aesni module corrupts IP packets during encryption with IPSec
bugzilla-noreply at freebsd.org
Tue May 26 19:40:00 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472
Bug ID: 200472
Summary: aesni module corrupts IP packets during encryption with IPSec
Product: Base System
Version: 10.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: olivier at cochard.me
There are lots of corrupted IP packets with the aesni module loaded.
I've set up a very simple lab across 2 FreeBSD servers in IPSec gateway mode.
pkt-generator ====== fbsd srv1 ====== fbsd srv2 ==== pkt-receiver
With the aesni module loaded and this very simple static IPSec configuration
(setkey.conf):
flush;
spdflush;
# Policies: traffic between 1.0.0.0/8 and 3.0.0.0/8 must be carried in an ESP
# tunnel between the gateway addresses 2.2.2.2 and 2.2.2.3 (one rule per direction).
spdadd 1.0.0.0/8 3.0.0.0/8 any -P in ipsec esp/tunnel/2.2.2.2-2.2.2.3/require;
spdadd 3.0.0.0/8 1.0.0.0/8 any -P out ipsec esp/tunnel/2.2.2.3-2.2.2.2/require;
# Static SAs, one per direction: AES-CBC (rijndael-cbc) with a 16-byte (128-bit)
# key, SPIs 0x1000 and 0x1001.
add 2.2.2.2 2.2.2.3 esp 0x1000 -E rijndael-cbc "1234567890123456";
add 2.2.2.3 2.2.2.2 esp 0x1001 -E rijndael-cbc "1234567890123456";
Then I generated exactly 100 000 packets at a low rate of 1000 packets per second
using netmap's pktgen, crossing these 2 FreeBSD IPSec gateways.
=> On the packet receiver, only about 80-95% of these 100 000 packets are
received.
A troubleshooting session shows that the "receiving" IPSec gateway correctly
receives all 100 000 encrypted packets and correctly decrypts them... but once
decrypted these packets are no longer valid IP packets: the IP section of a
"netstat -s" on fbsd srv2 shows lots of invalid IP packets, exactly matching the
number of missing packets. And these bad packets are never forwarded to the
pkt-receiver.
Here is an example of the stats on fbsd srv2:
[root at srv2]~# sysctl dev.igb.2.mac_stats.rx_frames_512_1023
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
[root at srv2]~# sysctl dev.igb.3.mac_stats.tx_frames_512_1023
dev.igb.3.mac_stats.tx_frames_512_1023: 99128
=> Here, 100K encrypted packets are received, but only 99128 are forwarded. 872
packets missing.
netstat -s output on srv2:
ip:
200131 total packets received
38 with data size < data length
15 with header length < data size
1 with bad options
818 with incorrect version number
99128 packets forwarded
=> 38+15+1+818=872 bad IP packets, we found all our missing packets.
To fix this problem we just had to NOT load the aesni module on srv1.
Bug reproduced with these releases:
- FreeBSD 10.1-RELEASE-p10 #0 r282880M (about 1-5 % of corrupted packets)
- FreeBSD 11.0-CURRENT #2 r283536M (about 10-20 % of corrupted packets)
Bug reproduced with these CPUs:
- Intel Atom CPU C2558
- Intel Xeon CPU L5630
More information on the IPsec lab here:
http://bsdrp.net/documentation/examples/ipsec_performance_lab_of_an_ibm_system_x3550_m3_with_intel_82580
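The check the report performs by hand (interface counters versus the IP input-error counters of netstat -s) can be scripted, which is useful when re-testing after a kernel or module change. The following is an added example, not code from the bug report or from FreeBSD: it takes the "ip:" section of netstat -s from the decrypting gateway and the rx/tx frame counters of its two interfaces, verifies that the summed IP input errors account for every packet received but not forwarded, and checks one more thing the report's numbers already show: if a decrypted packet is effectively random bytes, its version nibble equals 4 only 1 time in 16, so about 15/16 of the bad packets should fail the version check, and 818 of 872 is 938 permille against an expected 937. The sample text is constructed from the numbers quoted in the report; the list of drop-reason strings follows the lines FreeBSD's netstat -s prints for the ip: section, and the 25-permille tolerance is a rough choice made here.

```shell
#!/bin/sh
# Added diagnostic for the situation in the report (example code, not from the
# bug report or from FreeBSD): feed it the "ip:" section of `netstat -s` from
# the decrypting gateway plus the rx/tx frame counters of its two interfaces,
# and it checks (1) that the IP input-error counters account for every packet
# received but not forwarded and (2) whether the error mix is what wholly
# corrupted plaintext would produce.

# Constructed sample: the netstat -s ip section quoted in the report.
SAMPLE_NETSTAT='ip:
    200131 total packets received
    38 with data size < data length
    15 with header length < data size
    1 with bad options
    818 with incorrect version number
    99128 packets forwarded'
SAMPLE_RX_FRAMES=100000   # dev.igb.2.mac_stats.rx_frames_512_1023 (encrypted side in)
SAMPLE_TX_FRAMES=99128    # dev.igb.3.mac_stats.tx_frames_512_1023 (clear side out)

# Print the first ip: counter whose description contains the given string,
# or 0 if no such line exists.
ip_counter() {   # ip_counter "<netstat -s output>" "<description>"
    printf '%s\n' "$1" | awk -v d="$2" '
        /^[A-Za-z0-9]+:/ { in_ip = ($1 == "ip:"); next }
        in_ip && index($0, d) { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Sum the IP header-validation drop counters of the ip: block. The reason
# strings are the ones FreeBSD's netstat -s prints (the four seen in the
# report plus the checksum, minimum-size and length-consistency checks);
# accounting lines such as "total packets received" are not counted.
ip_input_errors() {   # ip_input_errors "<netstat -s output>"
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9]+:/ { in_ip = ($1 == "ip:"); next }
        in_ip && $1 ~ /^[0-9]+$/ {
            if ($0 ~ /bad header checksums|with size smaller than minimum|with data size < data length|with header length < data size|with data length < header length|with ip length > max ip packet size|with bad options|with incorrect version number/)
                sum += $1
        }
        END { printf "%d\n", sum + 0 }'
}

# "accounted" when (frames received on the tunnel side - frames sent on the
# clear side) equals the summed IP input errors, i.e. every missing packet
# was dropped by IP input validation after decryption rather than elsewhere.
drop_accounting() (   # drop_accounting "<netstat -s output>" <rx_frames> <tx_frames>
    missing=$(( $2 - $3 ))
    errors=$(ip_input_errors "$1")
    if [ "$missing" -eq "$errors" ]; then echo accounted; else echo unaccounted; fi
)

# Share (in permille) of the drops that failed the version-nibble check.
version_error_share_permille() (   # version_error_share_permille "<netstat -s output>"
    errors=$(ip_input_errors "$1")
    bad_version=$(ip_counter "$1" "with incorrect version number")
    if [ "$errors" -gt 0 ]; then echo $(( bad_version * 1000 / errors )); else echo 0; fi
)

# If a decrypted packet is effectively random bytes, its version nibble is 4
# with probability 1/16, so about 15/16 (937 permille) of the bad packets fail
# the version check. A share within 25 permille of that (roughly three standard
# deviations for a few hundred samples) is reported as "yes".
looks_like_random_plaintext() (   # looks_like_random_plaintext "<netstat -s output>"
    share=$(version_error_share_permille "$1")
    expected=$(( 15 * 1000 / 16 ))
    diff=$(( share - expected ))
    if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
    if [ "$diff" -le 25 ]; then echo yes; else echo no; fi
)

# Stand-alone run on the constructed sample.
echo "drops:            $(drop_accounting "$SAMPLE_NETSTAT" "$SAMPLE_RX_FRAMES" "$SAMPLE_TX_FRAMES")"
echo "version-error:    $(version_error_share_permille "$SAMPLE_NETSTAT") permille (random plaintext: 937)"
echo "random plaintext: $(looks_like_random_plaintext "$SAMPLE_NETSTAT")"
```

On a live gateway, replace the constructed sample with `netstat -s -p ip` output and the two sysctl values; "unaccounted" means packets are being lost somewhere other than IP header validation and the netstat ip: block alone will not explain them.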