Subject: kern/13807: mbuf leakage when running NFS over IPSEC
To: None <>
From: None <>
List: netbsd-bugs
Date: 08/28/2001 11:15:28
>Number:         13807
>Category:       kern
>Synopsis:       the kernel allocates mbufs that are never freed when running NFS over IPSEC
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 28 02:12:00 PDT 2001
>Originator:     Michael van Elst
>Release:        NetBSD 1.5.1
System: NetBSD pepew 1.5.2_ALPHA NetBSD 1.5.2_ALPHA (PEPEW) #7: Sun Aug 26 21:58:01 MEST 2001 src@pepew:/amd/fud/d/0/src/sys/arch/i386/compile/PEPEW i386


A NetBSD-1.5-branch NFS client (pepew) mounts the /usr/pkgsrc directory
from a NetBSD-1.5-release NFS server (fud). Both hosts run IPSEC
(AH only, no ESP). The amd automounter is used to mount the server.

Any kind of NFS access to the server causes additional mbufs to be
allocated on the client that are never freed. When the client system
runs out of memory it panics somewhere in the kernel.

vmstat -m reports an always increasing number of allocations in the
mbpl pool.

This happens with UDP and TCP mounts.

It does not happen without IPSEC.

It is not caused by other network activity (like scp) between both hosts.

Changing the period of IKE renegotiations in racoon.conf with the
'lifetime' option does not change behaviour significantly.


configure IPSEC:

# talk ipsec with fud
spdadd IP-OF-PEER any
        -P in  ipsec ah/transport//require;
spdadd IP-OF-PEER any
        -P out ipsec ah/transport//require;

# $KAME: racoon.conf.sample,v 1.24 2001/05/24 06:43:25 sakane Exp $

# "path" affects "include" directive.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/etc/racoon" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/pkg/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
        #exchange_mode main,aggressive,base;
        exchange_mode aggressive,main,base;

        my_identifier fqdn "";
        #certificate_type x509 "" "" ;

        lifetime time 24 hour ; # sec,min,hour

        #initial_contact off ;
        #passive on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;

        # the configuration makes racoon (as a responder) to obey the
        # initiator's lifetime and PFS group proposal.
        # this makes testing so much easier.
        #proposal_check obey;

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
        pfs_group 2;
        lifetime time 12 hour ;
        lifetime byte 250 MB ;
        encryption_algorithm 3des, cast128, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;


mount a filesystem from an NFS server.

Watch vmstat -m show growing numbers for mbpl