Subject: kern/13807: mbuf leakage when running NFS over IPSEC
To: None <firstname.lastname@example.org>
From: None <email@example.com>
Date: 08/28/2001 11:15:28
>Synopsis: the kernel allocates mbufs that are never freed when running NFS over IPSEC
>Arrival-Date: Tue Aug 28 02:12:00 PDT 2001
>Originator: Michael van Elst
>Release: NetBSD 1.5.1
System: NetBSD pepew 1.5.2_ALPHA NetBSD 1.5.2_ALPHA (PEPEW) #7: Sun Aug 26 21:58:01 MEST 2001 src@pepew:/amd/fud/d/0/src/sys/arch/i386/compile/PEPEW i386
>Description:
A NetBSD-1.5-branch NFS client (pepew) mounts the /usr/pkgsrc directory
from a NetBSD-1.5-release NFS server (fud). Both hosts run IPSEC
(AH only, no ESP). The amd automounter is used to mount the server.
Any kind of NFS access to the server causes additional mbufs to be
allocated on the client that are never freed. When the client system
runs out of memory it panics somewhere in the kernel.
vmstat -m reports an always increasing number of allocations in the
This happens with UDP and TCP mounts.
It does not happen without IPSEC.
It is not caused by other network activity (like scp) between both hosts.
Changing the period of IKE renegotiations in racoon.conf with the
'lifetime' option does not change behaviour significantly.
# talk ipsec with fud
spdadd IP-OF-PEER 0.0.0.0/0 any
-P in ipsec ah/transport//require;
spdadd 0.0.0.0/0 IP-OF-PEER any
-P out ipsec ah/transport//require;
# $KAME: racoon.conf.sample,v 1.24 2001/05/24 06:43:25 sakane Exp $
# "path" affects "include" directive. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/etc/racoon" ;
#include "remote.conf" ;
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/pkg/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
my_identifier fqdn "pepew.1st.de";
#certificate_type x509 "firstname.lastname@example.org" "email@example.com" ;
lifetime time 24 hour ; # sec,min,hour
#initial_contact off ;
#passive on ;
# phase 1 proposal (for ISAKMP SA)
authentication_method pre_shared_key ;
dh_group 2 ;
# the configuration makes racoon (as a responder) to obey the
# initiator's lifetime and PFS group proposal.
# this makes testing so much easier.
# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
lifetime time 12 hour ;
lifetime byte 250 MB ;
encryption_algorithm 3des, cast128, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
>How-To-Repeat:
Mount a filesystem from an NFS server.
Watch vmstat -m show growing numbers for mbpl.
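Added example (not part of the PR): a small sh script that turns the "watch vmstat -m" step into a repeatable leak check. It reads the mbpl line of the "Memory resource pool statistics" section, takes Requests minus Releases as the number of mbufs currently outstanding, and compares two snapshots; a count that keeps climbing under a steady NFS workload is the symptom the report describes. The column layout (Name Size Requests Fail Releases ...) is assumed to match NetBSD's vmstat -m output, and the two snapshots embedded below are constructed sample data, not output captured from pepew.

```shell
#!/bin/sh
# Added example: flag growth in outstanding mbpl allocations between two
# "vmstat -m" snapshots. Column positions assumed from NetBSD vmstat -m:
#   Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
# so $3 is Requests and $5 is Releases.

# mbpl_outstanding: read vmstat -m text on stdin, print Requests - Releases
# for the mbpl pool (mbufs currently allocated and not yet freed).
mbpl_outstanding() {
    awk '$1 == "mbpl" { print $3 - $5; found = 1 }
         END { if (!found) { print "mbpl pool not found" > "/dev/stderr"; exit 1 } }'
}

# check_mbpl_growth BEFORE AFTER: compare two snapshots passed as strings.
# Returns 0 when the outstanding count did not grow, 1 when it did
# (candidate leak), 2 when a snapshot could not be parsed.
check_mbpl_growth() {
    b=$(printf '%s\n' "$1" | mbpl_outstanding) || return 2
    a=$(printf '%s\n' "$2" | mbpl_outstanding) || return 2
    d=$((a - b))
    if [ "$d" -gt 0 ]; then
        echo "mbpl outstanding grew by $d ($b -> $a): possible mbuf leak"
        return 1
    fi
    echo "mbpl outstanding steady ($b -> $a)"
    return 0
}

# Constructed sample snapshots (not real output from the reporting host).
SAMPLE_BEFORE='Memory resource pool statistics
Name        Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
mbpl         256     1512    0     1311     7     0     7     7     1   inf    0
mclpl       2048      410    0      405     3     0     3     3     4   512    0'

SAMPLE_AFTER='Memory resource pool statistics
Name        Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
mbpl         256     1983    0     1580    13     0    13    13     1   inf    0
mclpl       2048      612    0      607     3     0     3     3     4   512    0'

# Live use on the NFS client while the mount is being exercised
# (uncomment to run; samples one minute apart):
# check_mbpl_growth "$(vmstat -m)" "$(sleep 60; vmstat -m)"
```

Run the live form several times in a row: a single positive delta can just be traffic in flight, but a count that only ever rises while the workload is constant, and that does not come back down once NFS activity stops, is what distinguishes a leak from normal pool churn.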