[Bug 200472] aesni module corrupt IP packets during encryption with IPSec

bugzilla-noreply at freebsd.org
Wed May 27 13:08:24 UTC 2015


--- Comment #3 from olivier at cochard.me ---
Ok, new test under FreeBSD 11.0-CURRENT #3 r283536 (still generating 100 000
packets at 1000pps).

Here are the first lines of the pmc output during the load (taken on the "encrypter IPsec
gateway side"):

PMC: [INSTR_RETIRED_ANY] Samples: 544 (100.0%) , 0 unresolved

  7.4 aesni.ko   aesni_encrypt_cbc    aesni_process
  4.2 kernel     cpu_search_highest   sched_idletd:2.6 cpu_search_highest:1.7
  2.8 kernel     spinlock_exit        intr_event_schedule_thread:1.1
  2.4 kernel     uma_zalloc_arg       crypto_getreq:1.3 malloc:0.9
  2.4 libc.so.7  bsearch              0x63b4
  2.4 kernel     cpu_search_lowest    cpu_search_lowest:1.3 sched_pickcpu:1.1
  2.0 kernel     critical_exit        spinlock_exit:1.1 sched_idletd:0.6
  2.0 kernel     __rw_rlock           in_lltable_lookup:0.6 ip_input:0.6
  1.8 kernel     _rw_runlock_cookie   rtalloc1_fib
  1.8 kernel     igb_rxeof            igb_msix_que
  1.8 kernel     ip_output            ipsec_process_done
  1.7 kernel     spinlock_enter       thread_lock_flags_
  1.5 kernel     sched_switch         mi_switch
  1.3 kernel     key_allocsp          ipsec_getpolicybyaddr
  1.3 kernel     sched_pickcpu        sched_add
  1.1 kernel     rn_match             rtalloc1_fib
  1.1 kernel     bzero
  1.1 kernel     cpu_switch           mi_switch
  1.1 kernel     bounce_bus_dmamap_lo bus_dmamap_load_mbuf_sg
  1.1 pmcstat    0x63d3               bsearch

Now, on the "decrypter IPsec gateway side", the netstat output:

[root at R3]~# netstat -sp ipsec
        0 inbound packets violated process security policy
        0 inbound packets failed due to insufficient memory
        0 invalid inbound packets
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route available
        0 invalid outbound packets
        0 outbound packets with bundled SAs
        0 mbufs coalesced during clone
        0 clusters coalesced during clone
        0 clusters copied during clone
        0 mbufs inserted during makespace
[root at R3]~# netstat -sp esp
        0 packets shorter than header shows
        0 packets dropped; protocol family not supported
        0 packets dropped; no TDB
        0 packets dropped; bad KCR
        0 packets dropped; queue full
        0 packets dropped; no transform
        0 packets dropped; bad ilen
        0 replay counter wraps
        0 packets dropped; bad encryption detected
        0 packets dropped; bad authentication detected
        0 possible replay packets detected
        100000 packets in
        0 packets out
        0 packets dropped; invalid TDB
        54400000 bytes in
        0 bytes out
        0 packets dropped; larger than IP_MAXPACKET
        0 packets blocked due to policy
        0 crypto processing failures
        0 tunnel sanity check failures
        ESP output histogram:
                rijndael-cbc: 100000

=> No "IPsec/ESP" problem: IPsec packets are correctly generated.
But once decrypted, lots of errors (too small, bad header, incorrect version
number, etc.):

[root at R3]~# netstat -sp ip
        200145 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        40 with data size < data length
        0 with ip length > max ip packet size
        19 with header length < data size
        0 with data length < header length
        1 with bad options
        818 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        100145 packets for this host
        0 packets for unknown/unsupported protocol
        99122 packets forwarded (0 packets fast forwarded)
        0 packets not forwardable
        0 packets received for unknown multicast group
        0 redirects sent
        120 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header

=> Of the 100 000 IPsec packets received, ALL of them are correctly decrypted, but
once decrypted their contents are corrupted.
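The reasoning in the comment above (ESP counters clean, IP input counters full of header errors, so the damage happens to the plaintext before or after the cipher rather than in the SA/policy path) can be automated. The following is an added example, not code from the bug report or from FreeBSD; it parses the counter lines of `netstat -sp esp` and `netstat -sp ip` (abbreviated, constructed samples embedded below, using the counter names shown on this page) and classifies where the failure sits.

```python
import re

# Constructed, abbreviated samples in the shape of the netstat output quoted above.
SAMPLE_ESP = """\
        0 packets dropped; bad encryption detected
        0 packets dropped; bad authentication detected
        100000 packets in
        0 packets out
        0 crypto processing failures
        ESP output histogram:
                rijndael-cbc: 100000
"""
SAMPLE_IP = """\
        200145 total packets received
        0 bad header checksums
        40 with data size < data length
        19 with header length < data size
        1 with bad options
        818 with incorrect version number
        100145 packets for this host
"""

# A counter line is "<count> <description>"; histogram/heading lines do not match.
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_counters(text):
    """Map each counter description to its integer value, skipping non-counter lines."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters

# ip_input counters that mean the decapsulated packet's IPv4 header was malformed.
IP_HEADER_ERRORS = (
    "with incorrect version number", "with data size < data length",
    "with header length < data size", "with data length < header length",
    "with size smaller than minimum", "with bad options", "bad header checksums",
)

def classify(esp, ip):
    """Return (verdict, error_count): ESP-layer failure, post-decryption corruption, or clean."""
    esp_failures = (esp.get("packets dropped; bad encryption detected", 0)
                    + esp.get("packets dropped; bad authentication detected", 0)
                    + esp.get("crypto processing failures", 0))
    header_errors = sum(ip.get(k, 0) for k in IP_HEADER_ERRORS)
    if esp_failures:
        return "esp-layer failure", esp_failures
    if esp.get("packets in", 0) and header_errors:
        return "payload corrupted after successful ESP processing", header_errors
    return "no corruption indicators", 0
```

Run against live output with `netstat -sp esp` and `netstat -sp ip` on the decrypting gateway; a non-zero header error count with zero ESP failures reproduces the signature reported here.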
