Subject: kern/20389: TCP over IPSec broken
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Scheler <tron@colwyn.zhadum.de>
List: netbsd-bugs
Date: 02/17/2003 15:43:25
>Number: 20389
>Category: kern
>Synopsis: TCP over IPSec broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 17 06:44:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:
>Release: NetBSD 1.6N (2003-02-16 sources)
>Organization:
Matthias Scheler http://scheler.de/~matthias/
>Environment:
System: NetBSD bundy 1.6N NetBSD 1.6N (BUNDY) #0: Mon Feb 17 15:04:56 CET 2003 root@bundy:/usr/src/sys/arch/i386/compile/BUNDY i386
Architecture: i386
Machine: i386
>Description:
Mario Kemper (magick@netbsd.org) and I have set up a tunnel with gif(4)
interfaces and run IPSec in AH+ESP mode over it (yes, he has good reasons
not to use IPSec tunnels). His system is running NetBSD 1.6N compiled
from yesterday's sources, mine is running NetBSD 1.6.1_RC1.
The tunnel ...
... works fine with "ping" in both directions.
... works fine with "ftp" in both directions.
... works with large e-mails if the NetBSD 1.6.1_RC1 system is the sender.
... *fails* for large e-mails if the NetBSD 1.6N system is the sender.
Here is a "ktruss" output of what's happening:
5299 sendmail write(0x6, 0x80fc800, 0x400) = 1024
"Received: (from magick@localhost)\r\n\tby bundy.zhadum.de (8.11.6/8.1"
5299 sendmail write(0x6, 0x80fc800, 0x400) = 1024
"CQAAAABgAAAAQAAAAEAAAA\r\nDAEAAAyBBAgMgQQIMAAAADAAAAAEAAAABAAAAC91c3I"
5299 sendmail write(0x6, 0x80fc800, 0x400) Err#40 EMSGSIZE
5299 sendmail write(0x6, 0x80fc800, 0x48) = 72
So sendmail(8) is trying to send 1024 bytes on the socket connected to
the remote system and gets an EMSGSIZE. That should *never* happen on
a TCP connection. Some part of the network stack is reporting such
errors back to the application instead of dealing with them.
>How-To-Repeat:
Try to send a large e-mail with sendmail(8) over an IPSec connection with
a NetBSD-current system on the sender side.
>Fix:
There are two ways to avoid the problem:
1.) Disabling IPSec.
2.) Using an MTU of 1408 bytes on the NetBSD 1.6N system and an MTU of
1280 bytes on the NetBSD 1.6.1_RC1 system. It doesn't work if
both systems use 1408 bytes.
>Release-Note:
>Audit-Trail:
>Unformatted: