NetBSD-Bugs archive
kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
>Number: 56836
>Category: kern
>Synopsis: IPv6 ESN tunneling IPcomp has corrupt header
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat May 14 18:55:00 +0000 2022
>Originator: Andrew Cagney
>Release: 9.2
>Organization:
>Environment:
9.2
>Description:
Below are two packets received by a linux host where the peers are configured to IPsec packets with IPv6 IPcomp + ESP + IPv6
- the first was sent by netbsd; linux rejects it
12:22:02.360081 IP6 (hlim 64, next-header ESP (50) payload length: 60)
2001:db8:1:2::45 > 2001:db8:1:2::23: ESP(spi=0x14df9f91,seq=0x6),
length 60
0x0000: 1200 0064 6423 1200 0064 6445 86dd 6000 ...dd#...ddE..`.
0x0010: 0000 003c 3240 2001 0db8 0001 0002 0000 ...<2@..........
0x0020: 0000 0000 0045 2001 0db8 0001 0002 0000 .....E..........
0x0030: 0000 0000 0023 14df 9f91 0000 0006 2900 .....#........).
0x0040: 0002 4b60 0002 072b 0705 46de 1d40 1623 ..K`...+..F..@.#
0x0050: 0318 3085 40f9 4c30 7e03 834c 33d3 5306 ..0.@.L0~..L3.S.
0x0060: b201 0001 016c 5c17 5eca c317 ec65 8e94 45e0
- the second was sent by linux, it was accepted:
14:00:41.418470 IP6 (flowlabel 0x6a92b, hlim 64, next-header ESP (50)
payload length: 112) 2001:db8:1:2::45 > 2001:db8:1:2::23:
ESP(spi=0xc9a65a98,seq=0x1d), length 112
0x0000: 1200 0064 6423 1200 0064 6445 86dd 6006 ...dd#...ddE..`.
0x0010: a92b 0070 3240 2001 0db8 0001 0002 0000 .+.p2@..........
0x0020: 0000 0000 0045 2001 0db8 0001 0002 0000 .....E..........
0x0030: 0000 0000 0023 c9a6 5a98 0000 001d 2900 .....#..Z.....).
0x0040: 96c4 4b60 5ba9 cde0 60e5 a0c0 c8bb 8381 ..K`[...`.......
0x0050: 8181 9101 0c98 42a0 7c26 18bf 8161 df86 ......B.|&...a..
0x0060: c0c9 0c8c 1eef ea93 4022 b5ff b9c0 3202 ........@"....2.
0x0070: 8242 c222 a262 e212 9252 d232 b272 f20a .B.".b...R.2.r..
0x0080: 8a4a ca2a aa6a ea1a 9a5a da3a ba7a fa06 .J.*.j...Z.:.z..
0x0090: 8646 c626 a666 e600 006c b9fc 757a 76f2 .F.&.f...l..uzv.
0x00a0: 51bf 45d8 50ce Q.E.P.
Note what follows what I'm pretty sure is SPI+SEQ in the two packets.
From NetBSD we have:
> 14df 9f91 0000 0006 (SPI+SEQ) 2900 0002
but it should be:
> 2900 a970 (i.e., next-header|flags|cpi, where the CPI is below):
> 2001:db8:1:2::45 2001:db8:1:2::23
> ipcomp mode=any spi=43376(0x0000a970) reqid=16390(0x00004006)
Whereas from Linux we have:
> c9a6 5a98 0000 001d (SPI+SEQ) 2900 96c4
with its CPI:
src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto comp spi 0x000096c4 reqid 1 mode tunnel
>How-To-Repeat:
For reference, these are the parameters from NetBSD, hopefully the problem isn't there:
2001:db8:1:2::45 2001:db8:1:2::23
ipcomp mode=any spi=43376(0x0000a970) reqid=16390(0x00004006)
C: deflate seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: May 14 15:50:22 2022 current: May 14 16:34:23 2022
diff: 2641(s) hard: 28800(s) soft: 28800(s)
last: May 14 16:31:23 2022 hard: 0(s) soft: 0(s)
current: 539(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 7 hard: 0 soft: 0
sadb_seq=1 pid=1046 refcnt=0
2001:db8:1:2::45 2001:db8:1:2::23
esp mode=any spi=350199697(0x14df9f91) reqid=16389(0x00004005)
E: null
A: hmac-sha1 7f4bcd34 550b9122 c3b2592f c3e6dd2a a78aed66
seq=0x00000007 replay=64 flags=0x00000000 state=mature
created: May 14 15:50:22 2022 current: May 14 16:34:23 2022
diff: 2641(s) hard: 28800(s) soft: 28800(s)
last: May 14 16:31:23 2022 hard: 0(s) soft: 0(s)
current: 700(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 7 hard: 0 soft: 0
sadb_seq=0 pid=1046 refcnt=0
2001:db8:0:1::/64[any] 2001:db8:0:2::/64[any] 255(reserved)
out ipsec
ipcomp/tunnel/2001:db8:1:2::45-2001:db8:1:2::23/require
esp/transport//require
spid=2 seq=0 pid=1053
refcnt=0
>Fix:
Don't combine IPcomp+ESP with IPv6, doing that is crazy.
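
Added example, not part of the original report: a Python check that parses the four bytes following ESP SPI+SEQ as an IPComp header (next header, flags, CPI, per RFC 3173) and compares the CPI with the one in the SA listing. The byte strings are copied from the two hex dumps above; the function names are hypothetical, and the payload is only readable because the ESP SA uses null encryption.

```python
import struct

# Copied from the report's hex dumps: ESP SPI, sequence number, then the
# first four bytes of the ESP payload (readable because "E: null").
NETBSD_ESP = bytes.fromhex("14df9f91" "00000006" "29000002")
LINUX_ESP = bytes.fromhex("c9a65a98" "0000001d" "290096c4")

IPPROTO_IPV6 = 41  # 0x29: the compressed payload is a tunneled IPv6 packet


def cpi_range(cpi):
    """Classify a CPI using the ranges defined in RFC 3173."""
    if cpi <= 63:
        return "well-known"   # predefined algorithm identifiers
    if cpi <= 61439:
        return "negotiated"   # values agreed per SA, e.g. by IKE
    return "private"


def parse_esp_null_ipcomp(esp):
    """Split ESP SPI/SEQ from the IPComp header that follows it."""
    if len(esp) < 12:
        raise ValueError("need 8 bytes of ESP header and 4 bytes of IPComp header")
    spi, seq, next_header, flags, cpi = struct.unpack("!IIBBH", esp[:12])
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "flags": flags, "cpi": cpi}


def check_ipcomp(esp, expected_esp_spi, expected_cpi):
    """Return a list of mismatches between the packet and the SA listing."""
    h = parse_esp_null_ipcomp(esp)
    problems = []
    if h["spi"] != expected_esp_spi:
        problems.append("ESP SPI 0x%08x, expected 0x%08x" % (h["spi"], expected_esp_spi))
    if h["next_header"] != IPPROTO_IPV6:
        problems.append("IPComp next header %d, expected 41" % h["next_header"])
    if h["flags"] != 0:
        problems.append("IPComp flags 0x%02x, must be zero" % h["flags"])
    if h["cpi"] != expected_cpi:
        problems.append("CPI 0x%04x (%s range), expected 0x%04x"
                        % (h["cpi"], cpi_range(h["cpi"]), expected_cpi))
    return problems


if __name__ == "__main__":
    # Expected values come from the SA listings quoted in the report.
    print("NetBSD:", check_ipcomp(NETBSD_ESP, 0x14DF9F91, 0xA970))
    print("Linux: ", check_ipcomp(LINUX_ESP, 0xC9A65A98, 0x96C4))
```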