Date:      Thu, 28 May 2015 12:27:50 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 200472] aesni module corrupt IP packets during encryption with IPSec
Message-ID:  <bug-200472-8-C8q54J7bUd@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-200472-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-200472-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472

--- Comment #5 from olivier@cochard.me ---
If I unload the aesni module on the "encrypter" side, the problem disappears.
Then how can the packet be corrupted after decryption?

New test without the aesni module loaded on the "encrypter side" (srv1), but
still loaded on the "decrypter side" (srv2):

Encrypter:

[root@srv1]~# kldstat
Id Refs Address            Size     Name
 1    8 0xffffffff80200000 17dc0f0  kernel
 2    1 0xffffffff81c11000 2dd6     ichsmb.ko
 3    1 0xffffffff81c14000 e7e      smbus.ko
 4    1 0xffffffff81c15000 2a16     coretemp.ko

Decrypter:

[root@srv2]~# kldstat
Id Refs Address            Size     Name
 1   11 0xffffffff80200000 17dc0f0  kernel
 2    1 0xffffffff81c11000 7fe8     aesni.ko
 3    1 0xffffffff81c19000 2dd6     ichsmb.ko
 4    1 0xffffffff81c1c000 e7e      smbus.ko
 5    1 0xffffffff81c1d000 2a16     coretemp.ko

Then, again, generating exactly 100 000 packets at a low rate of 1000
packets per second using netmap's pktgen, crossing these 2 FreeBSD IPSec
gateways.

Stats on the "decrypter side" (srv2):
[root@srv2]~# sysctl dev.igb.2.mac_stats.rx_frames_512_1023
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
[root@srv2]~# sysctl dev.igb.3.mac_stats.tx_frames_512_1023
dev.igb.3.mac_stats.tx_frames_512_1023: 100000

=> All packets are correctly decrypted AND forwarded

No more "bad ip packet" errors on decrypter side:
[root@srv2]~# netstat -ssp ip
ip:
        200064 total packets received
        100064 packets for this host
        100000 packets forwarded
        69 packets sent from this host

Then, should I still do a new test in Transport mode?
