Bundled SAs and ESP/IPCOMP support ...
Matthew Grooms
mgrooms at shrew.net
Tue Sep 26 15:23:15 PDT 2006
Matthew Grooms wrote:
> All,
>
> With fast ipsec compiled into the kernel, I can see the outbound esp
> transport SAD entry increase the current byte count but the ipcomp entry
> shows nothing to indicate its use. It seems strange that the kernel will
> send acquire messages via PF_KEY as a pre-requisite to performing the
> required security processing but doesn't use them once they are added by
> the key daemon.
>
So, I tracked down the problem I was seeing to here ...
/usr/src/sys/netinet6/ipcomp_output.c:145
/* grab parameters */
algo = ipcomp_algorithm_lookup(sav->alg_enc);
if ((ntohl(sav->spi) & ~0xffff) != 0 || !algo) {
stat->out_inval++;
m_freem(m);
return EINVAL;
}
... The SPI which gets interpreted as the CPI had a value larger than
0xffff. If IPCOMP will always fail with an CPI that isn't contained
within 16 bits, should this be treated as an error condition when the
key daemon attempts to add the SAD entry? Then there would be error
feedback as opposed to silently dropping the packet in the outbound path.
Thanks,
-Matthew
More information about the freebsd-net
mailing list