NetBSD-Bugs archive


kern/56836: IPv6 ESN tunneling IPcomp has corrupt header



>Number:         56836
>Category:       kern
>Synopsis:       IPv6 ESN tunneling IPcomp has corrupt header
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 14 18:55:00 +0000 2022
>Originator:     Andrew Cagney
>Release:        9.2
>Organization:
>Environment:
9.2
>Description:
Below are two packets received by a Linux host where the peers are configured to IPsec packets with IPv6 IPcomp + ESP + IPv6.

- the first was sent by NetBSD; Linux rejects it:

12:22:02.360081 IP6 (hlim 64, next-header ESP (50) payload length: 60)
2001:db8:1:2::45 > 2001:db8:1:2::23: ESP(spi=0x14df9f91,seq=0x6),
length 60
0x0000:  1200 0064 6423 1200 0064 6445 86dd 6000  ...dd#...ddE..`.
0x0010:  0000 003c 3240 2001 0db8 0001 0002 0000  ...<2@..........
0x0020:  0000 0000 0045 2001 0db8 0001 0002 0000  .....E..........
0x0030:  0000 0000 0023 14df 9f91 0000 0006 2900  .....#........).
0x0040:  0002 4b60 0002 072b 0705 46de 1d40 1623  ..K`...+..F..@.#
0x0050:  0318 3085 40f9 4c30 7e03 834c 33d3 5306  ..0.@.L0~..L3.S.
0x0060:  b201 0001 016c 5c17 5eca c317 ec65 8e94 45e0

- the second was sent by Linux; it was accepted:

14:00:41.418470 IP6 (flowlabel 0x6a92b, hlim 64, next-header ESP (50)
payload length: 112) 2001:db8:1:2::45 > 2001:db8:1:2::23:
ESP(spi=0xc9a65a98,seq=0x1d), length 112
0x0000:  1200 0064 6423 1200 0064 6445 86dd 6006  ...dd#...ddE..`.
0x0010:  a92b 0070 3240 2001 0db8 0001 0002 0000  .+.p2@..........
0x0020:  0000 0000 0045 2001 0db8 0001 0002 0000  .....E..........
0x0030:  0000 0000 0023 c9a6 5a98 0000 001d 2900  .....#..Z.....).
0x0040:  96c4 4b60 5ba9 cde0 60e5 a0c0 c8bb 8381  ..K`[...`.......
0x0050:  8181 9101 0c98 42a0 7c26 18bf 8161 df86  ......B.|&...a..
0x0060:  c0c9 0c8c 1eef ea93 4022 b5ff b9c0 3202  ........@"....2.
0x0070:  8242 c222 a262 e212 9252 d232 b272 f20a  .B.".b...R.2.r..
0x0080:  8a4a ca2a aa6a ea1a 9a5a da3a ba7a fa06  .J.*.j...Z.:.z..
0x0090:  8646 c626 a666 e600 006c b9fc 757a 76f2  .F.&.f...l..uzv.
0x00a0:  51bf 45d8 50ce                           Q.E.P.

Note what follows what I'm pretty sure is SPI+SEQ in the two packets.

From NetBSD we have:

>   14df 9f91 0000 0006 (SPI+SEQ) 2900 0002

but it should be:

>   2900 a970 (i.e., next-header|flags|cpi), where the CPI is below:

> 2001:db8:1:2::45 2001:db8:1:2::23
>         ipcomp mode=any spi=43376(0x0000a970) reqid=16390(0x00004006)

Whereas from Linux we have:

>   c9a6 5a98 0000 001d (SPI+SEQ) 2900 96c4

with its CPI:

src 2001:db8:1:2::45 dst 2001:db8:1:2::23
proto comp spi 0x000096c4 reqid 1 mode tunnel
>How-To-Repeat:
For reference, these are the parameters from NetBSD, hopefully the problem isn't there:

2001:db8:1:2::45 2001:db8:1:2::23
        ipcomp mode=any spi=43376(0x0000a970) reqid=16390(0x00004006)
        C: deflate      seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: May 14 15:50:22 2022   current: May 14 16:34:23 2022
        diff: 2641(s)   hard: 28800(s)  soft: 28800(s)
        last: May 14 16:31:23 2022      hard: 0(s)      soft: 0(s)
        current: 539(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 7    hard: 0 soft: 0
        sadb_seq=1 pid=1046 refcnt=0
2001:db8:1:2::45 2001:db8:1:2::23
        esp mode=any spi=350199697(0x14df9f91) reqid=16389(0x00004005)
        E: null
        A: hmac-sha1  7f4bcd34 550b9122 c3b2592f c3e6dd2a a78aed66
        seq=0x00000007 replay=64 flags=0x00000000 state=mature
        created: May 14 15:50:22 2022   current: May 14 16:34:23 2022
        diff: 2641(s)   hard: 28800(s)  soft: 28800(s)
        last: May 14 16:31:23 2022      hard: 0(s)      soft: 0(s)
        current: 700(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 7    hard: 0 soft: 0
        sadb_seq=0 pid=1046 refcnt=0

2001:db8:0:1::/64[any] 2001:db8:0:2::/64[any] 255(reserved)
        out ipsec
        ipcomp/tunnel/2001:db8:1:2::45-2001:db8:1:2::23/require
        esp/transport//require
        spid=2 seq=0 pid=1053
        refcnt=0
>Fix:
Don't combine IPcomp+ESP with IPv6, doing that is crazy.
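
Added example (not part of the original report, and not NetBSD or Linux code): a Python check that extracts the 4-byte IPComp header following SPI+SEQ from the two captures above and compares its CPI with the one in the SA. It assumes Ethernet II framing and ESP null encryption (no IV), as in the `E: null` SA shown; the function names are hypothetical and the CPI ranges are those defined in RFC 3173.

```python
import struct

ETH_LEN, IP6_LEN = 14, 40          # Ethernet II header, fixed IPv6 header
ETHERTYPE_IPV6, PROTO_ESP = 0x86DD, 50

# First 0x50 bytes of each capture, copied from the dumps in the report.
NETBSD_PKT = bytes.fromhex("""
    1200 0064 6423 1200 0064 6445 86dd 6000 0000 003c 3240 2001 0db8 0001 0002 0000
    0000 0000 0045 2001 0db8 0001 0002 0000 0000 0000 0023 14df 9f91 0000 0006 2900
    0002 4b60 0002 072b 0705 46de 1d40 1623
""")
LINUX_PKT = bytes.fromhex("""
    1200 0064 6423 1200 0064 6445 86dd 6006 a92b 0070 3240 2001 0db8 0001 0002 0000
    0000 0000 0045 2001 0db8 0001 0002 0000 0000 0000 0023 c9a6 5a98 0000 001d 2900
    96c4 4b60 5ba9 cde0 60e5 a0c0 c8bb 8381
""")

def ipcomp_header(frame):
    """Return (spi, seq, next_header, flags, cpi) from an ESP-null IPv6 frame."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV6:
        raise ValueError("not an IPv6 frame")
    if frame[ETH_LEN + 6] != PROTO_ESP:
        raise ValueError("IPv6 next header is not ESP")
    # With null encryption there is no IV: the IPComp header (next header,
    # flags, 16-bit CPI) sits directly after the 8 bytes of SPI+SEQ.
    return struct.unpack_from("!IIBBH", frame, ETH_LEN + IP6_LEN)

def cpi_range(cpi):
    """Classify a CPI using the ranges in RFC 3173."""
    if cpi <= 63:
        return "well-known"
    if cpi <= 255:
        return "reserved"
    return "negotiated" if cpi <= 61439 else "private"

def check(frame, sa_cpi):
    """Compare the CPI on the wire with the CPI of the IPComp SA."""
    spi, seq, nxt, flags, cpi = ipcomp_header(frame)
    return {"spi": spi, "seq": seq, "next_header": nxt, "flags": flags,
            "cpi": cpi, "range": cpi_range(cpi), "matches_sa": cpi == sa_cpi}

if __name__ == "__main__":
    # SA CPIs as listed in the report: 0xa970 (NetBSD), 0x96c4 (Linux).
    for name, pkt, sa in (("netbsd", NETBSD_PKT, 0xA970), ("linux", LINUX_PKT, 0x96C4)):
        print(name, check(pkt, sa))
```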


