Bundled SAs and ESP/IPCOMP support ...

Matthew Grooms mgrooms at shrew.net
Tue Sep 26 15:23:15 PDT 2006


Matthew Grooms wrote:
> All,
> 
>     With fast ipsec compiled into the kernel, I can see the outbound esp 
> transport SAD entry increase the current byte count but the ipcomp entry 
> shows nothing to indicate its use. It seems strange that the kernel will 
> send acquire messages via PF_KEY as a pre-requisite to performing the 
> required security processing but doesn't use them once they are added by 
> the key daemon.
> 

So, I tracked down the problem I was seeing to here ...

/usr/src/sys/netinet6/ipcomp_output.c:145

/* grab parameters */
algo = ipcomp_algorithm_lookup(sav->alg_enc);
/* the SA's SPI is used as the CPI, which must fit in 16 bits */
if ((ntohl(sav->spi) & ~0xffff) != 0 || !algo) {
	stat->out_inval++;
	m_freem(m);
	return EINVAL;
}

... The SPI which gets interpreted as the CPI had a value larger than 
0xffff. If IPCOMP will always fail with a CPI that isn't contained 
within 16 bits, should this be treated as an error condition when the 
key daemon attempts to add the SAD entry? Then there would be error 
feedback as opposed to silently dropping the packet in the outbound path.

Thanks,

-Matthew
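As an added illustration of the check discussed in this thread (example code, not FreeBSD source or anything from the poster), the following mirrors the 16-bit test from ipcomp_output() and moves it to the point where an IPCOMP SA would be installed, so the key daemon gets EINVAL back instead of a silently dropped packet. The function names ipcomp_cpi_classify and ipcomp_sadb_add_check are hypothetical; the CPI ranges are those defined in RFC 3173.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* CPI ranges from RFC 3173 (the CPI is a 16-bit field). */
enum ipcomp_cpi_class {
    CPI_TOO_WIDE,    /* does not fit in 16 bits: ipcomp_output() drops it */
    CPI_WELLKNOWN,   /* 0-63: well-known algorithms, e.g. 2 = DEFLATE */
    CPI_RESERVED,    /* 64-255: reserved for future use */
    CPI_NEGOTIATED,  /* 256-61439: negotiated per SA by the key daemon */
    CPI_PRIVATE      /* 61440-65535: private use */
};

/* Hypothetical helper: classify the CPI carried in an SA's SPI field
 * (network byte order, like the kernel's sav->spi). */
enum ipcomp_cpi_class ipcomp_cpi_classify(uint32_t spi_net)
{
    uint32_t spi = ntohl(spi_net);

    /* Same test as ipcomp_output(): bits above 15 can never be a CPI. */
    if ((spi & ~0xffffU) != 0)
        return CPI_TOO_WIDE;
    if (spi <= 63)
        return CPI_WELLKNOWN;
    if (spi <= 255)
        return CPI_RESERVED;
    if (spi <= 61439)
        return CPI_NEGOTIATED;
    return CPI_PRIVATE;
}

/* Hypothetical SAD-add check: refuse an IPCOMP SA whose CPI cannot fit in
 * 16 bits, returning EINVAL to the key daemon instead of dropping packets
 * later in the outbound path. Returns 0 when the SA is acceptable. */
int ipcomp_sadb_add_check(uint32_t spi_net)
{
    if (ipcomp_cpi_classify(spi_net) == CPI_TOO_WIDE)
        return EINVAL;
    return 0;
}

int main(void)
{
    /* constructed sample values: a well-known CPI and an over-wide one */
    uint32_t good = htonl(2), bad = htonl(0x10000);
    printf("CPI 2 -> %d, CPI 0x10000 -> %d\n",
           ipcomp_sadb_add_check(good), ipcomp_sadb_add_check(bad));
    return 0;
}
```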


More information about the freebsd-net mailing list