Subject: kern/30182: With FAST_IPSEC option, some IPSEC stats aren't updated (setkey -D)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <groy@qnx.com>
List: netbsd-bugs
Date: 05/09/2005 17:40:00
>Number:         30182
>Category:       kern
>Synopsis:       With FAST_IPSEC option, some IPSEC stats aren't updated (setkey -D)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 09 17:40:00 +0000 2005
>Originator:     Gilles Roy
>Release:        2.0
>Organization:
QNX Software Systems
>Environment:
NetBSD 2.0 (standard release, but recompiled kernel with FAST_IPSEC) i386 platform.
>Description:

It looks like some of the SA stats aren't being updated. When I configure transport mode encryption between two machines and ping between them, setkey -D will display my two SAs, but the stats for the outgoing SA don't get updated (i.e. the bytes field and the allocated field never get incremented). They do get incremented for the incoming SA.

This only occurs with the FAST_IPSEC option (it works OK when using IPSEC). 
>How-To-Repeat:

1. Take generic kernel config and add FAST_IPSEC.
2. Configure simple transport mode encryption (see setkey options below, mirror spdadd lines for second host)
---------- Setkey --------------
flush;
spdflush;

# ESP
add 10.100.100.6 10.100.100.8 esp 1234 -E 3des-cbc "123456789012123456789012";
add 10.100.100.8 10.100.100.6 esp 4321 -E 3des-cbc "123456789012123456789012";

spdadd 10.100.100.8 10.100.100.6 any -P out ipsec
           esp/transport//require;

spdadd 10.100.100.6 10.100.100.8 any -P in ipsec
           esp/transport//require;
----------------------------------
3. ping -n peer IP
4. setkey -D to see stats.

>Fix:
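
Added example, not part of the original report and not a fix: a shell check that compares two `setkey -D` dumps taken before and after the ping in step 3 and lists SAs whose bytes and allocated counters did not move. The sample dump is constructed and abridged; the dump layout, the counter values, and the assumption that the host shown is 10.100.100.8 (so SPI 4321 is its outgoing SA) are assumptions.

```shell
#!/bin/sh
# Added example: find SAs whose counters did not move between two `setkey -D` dumps.

# sa_counters: read `setkey -D` text on stdin, print "src dst spi bytes allocated" per SA.
sa_counters() {
    awk '
        { c = substr($0, 1, 1) }
        # An SA entry starts with an unindented "src dst" line.
        c != " " && c != "\t" && NF >= 2 { src = $1; dst = $2; next }
        # Protocol line, e.g. "esp mode=any spi=1234(0x000004d2) ...": keep the decimal SPI.
        /spi=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spi=/) { spi = $i; sub(/^spi=/, "", spi); sub(/\(.*/, "", spi) }
            next
        }
        # Byte lifetime line: "current: 840(bytes) hard: ... soft: ..."
        $1 == "current:" && $2 ~ /\(bytes\)$/ { bytes = $2; sub(/\(bytes\)$/, "", bytes); next }
        # Allocation line closes the counters for this SA.
        $1 == "allocated:" { print src, dst, spi, bytes, $2 }
    '
}

# stalled_sas BEFORE AFTER: print "src dst spi" for every SA present in both
# dumps whose bytes and allocated counters are both unchanged.
stalled_sas() {
    { sa_counters < "$1" | sed 's/^/B /'; sa_counters < "$2" | sed 's/^/A /'; } |
    awk '
        { key = $2 " " $3 " " $4; val = $5 " " $6 }
        $1 == "B" { seen[key] = val; next }
        (key in seen) && seen[key] == val { print key }
    '
}

# Constructed sample, abridged to the lines parsed above. Arguments are the
# bytes/allocated counters for SPI 1234 (inbound, assumed), then SPI 4321 (outbound, assumed).
sample_dump() {
    printf '10.100.100.6 10.100.100.8\n\tesp mode=any spi=1234(0x000004d2) reqid=0(0x00000000)\n'
    printf '\tcurrent: %s(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n\tallocated: %s\thard: 0\tsoft: 0\n' "$1" "$2"
    printf '10.100.100.8 10.100.100.6\n\tesp mode=any spi=4321(0x000010e1) reqid=0(0x00000000)\n'
    printf '\tcurrent: %s(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n\tallocated: %s\thard: 0\tsoft: 0\n' "$3" "$4"
}

# Demo: the inbound SA advances, the outbound SA stays at zero, as in the report.
tmp=$(mktemp -d)
sample_dump 0 0 0 0 > "$tmp/before"
sample_dump 840 10 0 0 > "$tmp/after"
stalled_sas "$tmp/before" "$tmp/after"
rm -rf "$tmp"
```

On a live host the two input files would come from `setkey -D > before` and `setkey -D > after` around step 3.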