Date:      Wed, 27 May 2015 13:08:24 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 200472] aesni module corrupt IP packets during encryption with IPSec
Message-ID:  <bug-200472-8-0heXzMG0ax@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-200472-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-200472-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472

--- Comment #3 from olivier@cochard.me ---
Ok, new test under FreeBSD 11.0-CURRENT #3 r283536 (still generating 100 000
packets at 1000pps).

Here is the first line of pmc output during the load (done on the "encrypter IPSec
gateway side"):

PMC: [INSTR_RETIRED_ANY] Samples: 544 (100.0%) , 0 unresolved

%SAMP IMAGE      FUNCTION             CALLERS
  7.4 aesni.ko   aesni_encrypt_cbc    aesni_process
  4.2 kernel     cpu_search_highest   sched_idletd:2.6 cpu_search_highest:1.7
  2.8 kernel     spinlock_exit        intr_event_schedule_thread:1.1 handleevents:0.6
  2.4 kernel     uma_zalloc_arg       crypto_getreq:1.3 malloc:0.9
  2.4 libc.so.7  bsearch              0x63b4
  2.4 kernel     cpu_search_lowest    cpu_search_lowest:1.3 sched_pickcpu:1.1
  2.0 kernel     critical_exit        spinlock_exit:1.1 sched_idletd:0.6
  2.0 kernel     __rw_rlock           in_lltable_lookup:0.6 ip_input:0.6
  1.8 kernel     _rw_runlock_cookie   rtalloc1_fib
  1.8 kernel     igb_rxeof            igb_msix_que
  1.8 kernel     ip_output            ipsec_process_done
  1.7 kernel     spinlock_enter       thread_lock_flags_
  1.5 kernel     sched_switch         mi_switch
  1.3 kernel     key_allocsp          ipsec_getpolicybyaddr
  1.3 kernel     sched_pickcpu        sched_add
  1.1 kernel     rn_match             rtalloc1_fib
  1.1 kernel     bzero
  1.1 kernel     cpu_switch           mi_switch
  1.1 kernel     bounce_bus_dmamap_lo bus_dmamap_load_mbuf_sg
  1.1 pmcstat    0x63d3               bsearch


Now on the "decrypter IPSec gateway side" the netstat output:

[root@R3]~# netstat -sp ipsec
ipsec:
        0 inbound packets violated process security policy
        0 inbound packets failed due to insufficient memory
        0 invalid inbound packets
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route available
        0 invalid outbound packets
        0 outbound packets with bundled SAs
        0 mbufs coalesced during clone
        0 clusters coalesced during clone
        0 clusters copied during clone
        0 mbufs inserted during makespace
[root@R3]~# netstat -sp esp
esp:
        0 packets shorter than header shows
        0 packets dropped; protocol family not supported
        0 packets dropped; no TDB
        0 packets dropped; bad KCR
        0 packets dropped; queue full
        0 packets dropped; no transform
        0 packets dropped; bad ilen
        0 replay counter wraps
        0 packets dropped; bad encryption detected
        0 packets dropped; bad authentication detected
        0 possible replay packets detected
        100000 packets in
        0 packets out
        0 packets dropped; invalid TDB
        54400000 bytes in
        0 bytes out
        0 packets dropped; larger than IP_MAXPACKET
        0 packets blocked due to policy
        0 crypto processing failures
        0 tunnel sanity check failures
        ESP output histogram:
                rijndael-cbc: 100000

=> No "Ipsec/esp" problem: IPsec packets are correctly generated.
But once decrypted, lots of errors (too small, bad header, incorrect version
number, etc…):

[root@R3]~# netstat -sp ip
ip:
        200145 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        40 with data size < data length
        0 with ip length > max ip packet size
        19 with header length < data size
        0 with data length < header length
        1 with bad options
        818 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        100145 packets for this host
        0 packets for unknown/unsupported protocol
        99122 packets forwarded (0 packets fast forwarded)
        0 packets not forwardable
        0 packets received for unknown multicast group
        0 redirects sent
        120 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header

=> Of 100 000 IPSec packets received, ALL of them are correctly decrypted, but
once decrypted their contents are corrupted.
