[Bug 200472] aesni module corrupt IP packets during encryption with IPSec
bugzilla-noreply at freebsd.org
Wed May 27 13:08:24 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472
--- Comment #3 from olivier at cochard.me ---
Ok, new test under FreeBSD 11.0-CURRENT #3 r283536 (still generating 100 000
packets at 1000pps.)
Here are the first lines of pmcstat output during the load (done on the "encrypter IPSec
gateway side"):
PMC: [INSTR_RETIRED_ANY] Samples: 544 (100.0%) , 0 unresolved
%SAMP IMAGE FUNCTION CALLERS
7.4 aesni.ko aesni_encrypt_cbc aesni_process
4.2 kernel cpu_search_highest sched_idletd:2.6 cpu_search_highest:1.7
2.8 kernel spinlock_exit intr_event_schedule_thread:1.1 handleevents:0.6
2.4 kernel uma_zalloc_arg crypto_getreq:1.3 malloc:0.9
2.4 libc.so.7 bsearch 0x63b4
2.4 kernel cpu_search_lowest cpu_search_lowest:1.3 sched_pickcpu:1.1
2.0 kernel critical_exit spinlock_exit:1.1 sched_idletd:0.6
2.0 kernel __rw_rlock in_lltable_lookup:0.6 ip_input:0.6
1.8 kernel _rw_runlock_cookie rtalloc1_fib
1.8 kernel igb_rxeof igb_msix_que
1.8 kernel ip_output ipsec_process_done
1.7 kernel spinlock_enter thread_lock_flags_
1.5 kernel sched_switch mi_switch
1.3 kernel key_allocsp ipsec_getpolicybyaddr
1.3 kernel sched_pickcpu sched_add
1.1 kernel rn_match rtalloc1_fib
1.1 kernel bzero
1.1 kernel cpu_switch mi_switch
1.1 kernel bounce_bus_dmamap_lo bus_dmamap_load_mbuf_sg
1.1 pmcstat 0x63d3 bsearch
Now on the "decrypter IPSec gateway side" the netstat output:
[root at R3]~# netstat -sp ipsec
ipsec:
0 inbound packets violated process security policy
0 inbound packets failed due to insufficient memory
0 invalid inbound packets
0 outbound packets violated process security policy
0 outbound packets with no SA available
0 outbound packets failed due to insufficient memory
0 outbound packets with no route available
0 invalid outbound packets
0 outbound packets with bundled SAs
0 mbufs coalesced during clone
0 clusters coalesced during clone
0 clusters copied during clone
0 mbufs inserted during makespace
[root at R3]~# netstat -sp esp
esp:
0 packets shorter than header shows
0 packets dropped; protocol family not supported
0 packets dropped; no TDB
0 packets dropped; bad KCR
0 packets dropped; queue full
0 packets dropped; no transform
0 packets dropped; bad ilen
0 replay counter wraps
0 packets dropped; bad encryption detected
0 packets dropped; bad authentication detected
0 possible replay packets detected
100000 packets in
0 packets out
0 packets dropped; invalid TDB
54400000 bytes in
0 bytes out
0 packets dropped; larger than IP_MAXPACKET
0 packets blocked due to policy
0 crypto processing failures
0 tunnel sanity check failures
ESP output histogram:
rijndael-cbc: 100000
=> No "IPsec/esp" problem: IPsec packets are correctly generated.
But once decrypted, lots of errors (too small, bad header, incorrect version
number, etc.):
[root at R3]~# netstat -sp ip
ip:
200145 total packets received
0 bad header checksums
0 with size smaller than minimum
40 with data size < data length
0 with ip length > max ip packet size
19 with header length < data size
0 with data length < header length
1 with bad options
818 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
100145 packets for this host
0 packets for unknown/unsupported protocol
99122 packets forwarded (0 packets fast forwarded)
0 packets not forwardable
0 packets received for unknown multicast group
0 redirects sent
120 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 tunneling packets that can't find gif
0 datagrams with bad address in header
=> Of the 100 000 IPsec packets received, ALL of them are correctly decrypted, but
once decrypted their contents are corrupted.
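As an added example (not part of the bug report or of FreeBSD), a small check that reads the two netstat outputs quoted above and flags exactly the pattern this comment describes: ESP accepting every packet with no crypto failures, while ip_input then rejects the decrypted headers. The sample strings are constructed from the counters quoted in this comment; the function names are assumptions.

```python
import re

# Constructed sample input, copied from the counters quoted in this comment.
ESP_STATS = """esp:
0 packets dropped; bad encryption detected
0 packets dropped; bad authentication detected
100000 packets in
0 crypto processing failures
"""
IP_STATS = """ip:
200145 total packets received
0 bad header checksums
40 with data size < data length
19 with header length < data size
1 with bad options
818 with incorrect version number
100145 packets for this host
"""

# ip_input() counters that only grow when a header fails its sanity checks.
IP_HEADER_ERRORS = (
    "bad header checksums", "with size smaller than minimum",
    "with data size < data length", "with ip length > max ip packet size",
    "with header length < data size", "with data length < header length",
    "with bad options", "with incorrect version number",
)
# ESP counters that would grow if the crypto layer itself had rejected packets.
ESP_FAILURES = ("packets dropped; bad encryption detected",
                "packets dropped; bad authentication detected",
                "crypto processing failures")

def parse_netstat(text):
    """Turn each '<count> <description>' line of netstat -sp into a dict."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S.*?)\s*$", line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def silent_corruption_check(esp_text, ip_text):
    """Return (esp_failures, ip_header_errors, suspicious). suspicious is True when
    ESP accepted traffic with no crypto failures yet ip_input rejected headers."""
    esp, ip = parse_netstat(esp_text), parse_netstat(ip_text)
    esp_failures = sum(esp.get(k, 0) for k in ESP_FAILURES)
    ip_errors = sum(ip.get(k, 0) for k in IP_HEADER_ERRORS)
    suspicious = esp.get("packets in", 0) > 0 and esp_failures == 0 and ip_errors > 0
    return esp_failures, ip_errors, suspicious
```

For the decrypting gateway in this report the check returns (0, 878, True): 100000 packets in, no ESP failures, and 878 header errors counted by ip_input on the decrypted packets.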