tech-net archive
Re: IPv6 + tunnel + ESP + IPcomp?
(Michael, your e-mail was hiding in spam)
Here's what arrived on the peer with esp=null-sha1 (so it should be readable):
The setup is:
2001:db8:0:1::254 -> 2001:db8:1:2::45 -<IPcomp+ESP>- 2001:db8:1:2::23 - 2001:db8:0:2::254
The ping command used was:
fping -n --retry 0 --timeout 5s --ipv6 --src 2001:db8:0:1::254 2001:db8:0:2::254
and the other end saw this packet:
12:22:02.360081 IP6 (hlim 64, next-header ESP (50) payload length: 60)
2001:db8:1:2::45 > 2001:db8:1:2::23: ESP(spi=0x14df9f91,seq=0x6),
length 60
0x0000: 1200 0064 6423 1200 0064 6445 86dd 6000 ...dd#...ddE..`.
0x0010: 0000 003c 3240 2001 0db8 0001 0002 0000 ...<2@..........
0x0020: 0000 0000 0045 2001 0db8 0001 0002 0000 .....E..........
0x0030: 0000 0000 0023 14df 9f91 0000 0006 2900 .....#........).
0x0040: 0002 4b60 0002 072b 0705 46de 1d40 1623 ..K`...+..F..@.#
0x0050: 0318 3085 40f9 4c30 7e03 834c 33d3 5306 ..0.@.L0~..L3.S.
0x0060: b201 0001 016c 5c17 5eca c317 ec65 8e94 45e0
Here's a similar packet (it used ping, not fping) between two Linux nodes:
14:00:41.418470 IP6 (flowlabel 0x6a92b, hlim 64, next-header ESP (50)
payload length: 112) 2001:db8:1:2::45 > 2001:db8:1:2::23:
ESP(spi=0xc9a65a98,seq=0x1d), length 112
0x0000: 1200 0064 6423 1200 0064 6445 86dd 6006 ...dd#...ddE..`.
0x0010: a92b 0070 3240 2001 0db8 0001 0002 0000 .+.p2@..........
0x0020: 0000 0000 0045 2001 0db8 0001 0002 0000 .....E..........
0x0030: 0000 0000 0023 c9a6 5a98 0000 001d 2900 .....#..Z.....).
0x0040: 96c4 4b60 5ba9 cde0 60e5 a0c0 c8bb 8381 ..K`[...`.......
0x0050: 8181 9101 0c98 42a0 7c26 18bf 8161 df86 ......B.|&...a..
0x0060: c0c9 0c8c 1eef ea93 4022 b5ff b9c0 3202 ........@"....2.
0x0070: 8242 c222 a262 e212 9252 d232 b272 f20a .B.".b...R.2.r..
0x0080: 8a4a ca2a aa6a ea1a 9a5a da3a ba7a fa06 .J.*.j...Z.:.z..
0x0090: 8646 c626 a666 e600 006c b9fc 757a 76f2 .F.&.f...l..uzv.
0x00a0: 51bf 45d8 50ce Q.E.P.
Note what follows what I'm pretty sure is SPI+SEQ in the two packets:
14df 9f91 0000 0006 (SPI+SEQ) 2900 0002
c9a6 5a98 0000 001d (SPI+SEQ) 2900 96c4
For reference, here are the SADB/SPD entries for outgoing on NetBSD; the "current:" byte counts would suggest the packet is being both compressed and encrypted (I filed about that being silly; I don't see signs of ESN - another bug):
2001:db8:1:2::45 2001:db8:1:2::23
ipcomp mode=any spi=43376(0x0000a970) reqid=16390(0x00004006)
C: deflate seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: May 14 15:50:22 2022 current: May 14 16:34:23 2022
diff: 2641(s) hard: 28800(s) soft: 28800(s)
last: May 14 16:31:23 2022 hard: 0(s) soft: 0(s)
current: 539(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 7 hard: 0 soft: 0
sadb_seq=1 pid=1046 refcnt=0
2001:db8:1:2::45 2001:db8:1:2::23
esp mode=any spi=350199697(0x14df9f91) reqid=16389(0x00004005)
E: null
A: hmac-sha1 7f4bcd34 550b9122 c3b2592f c3e6dd2a a78aed66
seq=0x00000007 replay=64 flags=0x00000000 state=mature
created: May 14 15:50:22 2022 current: May 14 16:34:23 2022
diff: 2641(s) hard: 28800(s) soft: 28800(s)
last: May 14 16:31:23 2022 hard: 0(s) soft: 0(s)
current: 700(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 7 hard: 0 soft: 0
sadb_seq=0 pid=1046 refcnt=0
2001:db8:0:1::/64[any] 2001:db8:0:2::/64[any] 255(reserved)
out ipsec
ipcomp/tunnel/2001:db8:1:2::45-2001:db8:1:2::23/require
esp/transport//require
spid=2 seq=0 pid=1053
refcnt=0
And the corresponding incoming state/policy on Linux:
src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto esp spi 0x14df9f91 reqid 16389 mode transport
replay-window 0
auth-trunc hmac(sha1) 0x7f4bcd34550b9122c3b2592fc3e6dd2aa78aed66 96
enc ecb(cipher_null)
anti-replay esn context:
seq-hi 0x0, seq 0x7, oseq-hi 0x0, oseq 0x0
replay_window 64, bitmap-length 2
00000000 0000007f
sel src ::/0 dst ::/0
src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto comp spi 0x0000a970 reqid 16390 mode tunnel
replay-window 0 flag af-unspec
comp deflate
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto 41 spi 0x00000002 reqid 0 mode tunnel
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 2001:db8:0:1::/64 dst 2001:db8:0:2::/64
dir fwd priority 1736833 ptype main
tmpl src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto comp reqid 16390 mode tunnel
level use
tmpl src :: dst ::
proto esp reqid 16389 mode transport
src 2001:db8:0:1::/64 dst 2001:db8:0:2::/64
dir in priority 1736833 ptype main
tmpl src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto comp reqid 16390 mode tunnel
level use
tmpl src :: dst ::
proto esp reqid 16389 mode transport
Looking at xfrm_stats, each packet increments this:
XfrmInNoStates 7
which is described as "No state is found i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong".
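As an added example (not part of the original mail), here is a small dissector that walks the two esp=null-sha1 dumps above down to the IPcomp header that follows SPI+SEQ, so the fields can be read off rather than eyeballed. It assumes what the SA dumps show: null encryption, hmac-sha1-96 (12-byte ICV), and the Ethernet framing tcpdump printed; the frame bytes are copied from the hex dumps in the mail.

```python
import struct
from ipaddress import IPv6Address

ICV_LEN = 12  # hmac-sha1-96 ("auth-trunc hmac(sha1) ... 96" in the xfrm state): 12-byte ICV
IPPROTO_ESP, IPPROTO_IPCOMP = 50, 108

# Frames copied from the two tcpdump hex dumps in the mail: the NetBSD->Linux fping
# packet and the Linux->Linux ping packet (Ethernet header included).
NETBSD_FRAME = bytes.fromhex("""
    1200 0064 6423 1200 0064 6445 86dd 6000 0000 003c 3240 2001 0db8 0001 0002 0000
    0000 0000 0045 2001 0db8 0001 0002 0000 0000 0000 0023 14df 9f91 0000 0006 2900
    0002 4b60 0002 072b 0705 46de 1d40 1623 0318 3085 40f9 4c30 7e03 834c 33d3 5306
    b201 0001 016c 5c17 5eca c317 ec65 8e94 45e0""")
LINUX_FRAME = bytes.fromhex("""
    1200 0064 6423 1200 0064 6445 86dd 6006 a92b 0070 3240 2001 0db8 0001 0002 0000
    0000 0000 0045 2001 0db8 0001 0002 0000 0000 0000 0023 c9a6 5a98 0000 001d 2900
    96c4 4b60 5ba9 cde0 60e5 a0c0 c8bb 8381 8181 9101 0c98 42a0 7c26 18bf 8161 df86
    c0c9 0c8c 1eef ea93 4022 b5ff b9c0 3202 8242 c222 a262 e212 9252 d232 b272 f20a
    8a4a ca2a aa6a ea1a 9a5a da3a ba7a fa06 8646 c626 a666 e600 006c b9fc 757a 76f2
    51bf 45d8 50ce""")

def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv6 -> ESP(null) -> ESP trailer -> IPcomp header."""
    if struct.unpack("!H", frame[12:14])[0] != 0x86DD:
        raise ValueError("not an IPv6 frame")
    ip6 = frame[14:54]
    payload_len, next_hdr, hlim = struct.unpack("!HBB", ip6[4:8])
    if next_hdr != IPPROTO_ESP:
        raise ValueError(f"next header {next_hdr}, expected ESP")
    esp = frame[54:54 + payload_len]
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:-ICV_LEN]                  # null cipher: plaintext payload + ESP trailer
    pad_len, esp_next = body[-2], body[-1]  # ESP trailer: pad length, next header
    plain = body[:len(body) - 2 - pad_len]
    out = {"src": str(IPv6Address(ip6[8:24])), "dst": str(IPv6Address(ip6[24:40])),
           "hlim": hlim, "spi": spi, "seq": seq, "esp_next": esp_next, "pad_len": pad_len}
    if esp_next == IPPROTO_IPCOMP:
        # RFC 3173 IPcomp header: next header, flags, CPI (the 4 bytes right after SPI+SEQ)
        nxt, flags, cpi = struct.unpack("!BBH", plain[:4])
        out.update(ipcomp_next=nxt, ipcomp_flags=flags, cpi=cpi, compressed_len=len(plain) - 4)
    return out

def cpi_matches_state(pkt_cpi: int, state_spi: int) -> bool:
    """Receiver-side lookup check: the CPI carried in the packet has to equal the
    spi of the receiver's comp state (the xfrm state above lists 0x0000a970)."""
    return pkt_cpi == state_spi

if __name__ == "__main__":
    for name, frame in (("NetBSD fping", NETBSD_FRAME), ("Linux ping", LINUX_FRAME)):
        d = dissect(frame)
        print(f"{name}: spi=0x{d['spi']:08x} seq={d['seq']} esp_next={d['esp_next']} "
              f"ipcomp_next={d.get('ipcomp_next')} cpi=0x{d.get('cpi', 0):04x}")
```

Running it shows the ESP trailer's next header as 108 (IPcomp) and the IPcomp next header as 41 (IPv6) in both dumps; comparing the CPI each sender puts on the wire with the comp state's spi on the receiver is one concrete check against the "inbound SPI ... is wrong" reading of XfrmInNoStates.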