Subject: TCP_SIGNATURE (rfc2385) panics and problems
To: None <tech-net@netbsd.org>
From: Jeff Rizzo <riz@boogers.sf.ca.us>
List: tech-net
Date: 05/22/2004 18:11:44
So, I've only just found the time to start playing with the new RFC2385
code (thanks a TON to Jonathan Stone for porting it), and, naturally,
there are some problems.  I'm using Bruce M. Simpson's patches to
quagga 0.96.4, and attempting to peer with a Cisco router.  For those
interested, his patches to quagga are here:
http://people.freebsd.org/~bms/dump/quagga-tcpmd5/

The first problem, and the simplest, is that the kernel won't compile with
both TCP_SIGNATURE and FAST_IPSEC defined because of a very simple
thing - I've sent a patch as kern/25679.  (There's an unused variable)

More problematic is that if I add a password to a BGP session in
quagga without the SA set up beforehand, when quagga tries to establish
the TCP session, the kernel panics:

panic: key_freesav: NULL pointer is passed.
Stopped at      netbsd:cpu_Debugger+0x4:        leave
db{0}> trace
cpu_Debugger(0,caaab05e,cac3cb80,0,0) at netbsd:cpu_Debugger+0x4
panic(c073e780,caaab05e,cac3cbe0,c013a10b,0) at netbsd:panic+0x11d
key_freesav(0,caaab034,0,0,caaab04e) at netbsd:key_freesav+0x65
tcp_dooptions(cac3cc38,caaab048,2,caaab034,c148f200) at netbsd:tcp_dooptions+0x19b
syn_cache_add(cac3ce78,cac3ce58,caaab034,0,c147aed8) at netbsd:syn_cache_add+0xb7
tcp_input(c148f200,14,6,1a,40100) at netbsd:tcp_input+0x2862
ip_input(c148f200,400042,0,7,0) at netbsd:ip_input+0x5a9
ipintr(10,30,c0810010,cac30010,cac39000) at netbsd:ipintr+0x7c
DDB lost frame for netbsd:Xsoftnet+0x48, trying 0xcac3cf58
Xsoftnet() at netbsd:Xsoftnet+0x48
--- interrupt ---
0x246:
db{0}>

A quick look in the tcp_dooptions() code shows that there are a few
places where key_freesav() is passed a pointer that might be NULL
if the SA isn't established; I'm not sure of the best way to handle
these.  It definitely seems suboptimal to panic, but I'm not familiar
enough with the code to suggest how to avoid it.

Once I've added the SA lines to the SAD, the panics go away, but I
have yet to establish a BGP session between my NetBSD box and the Cisco.
The Cisco sees the MD5 digest, but doesn't like it:

May 23 01:08:30.205 UTC: %TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.100:65533 to 10.0.0.99:179

Which is different than when there's no digest at all:

May 23 01:02:49.501 UTC: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.100:179 to 10.0.0.99:11087 (RST)


My ipsec.conf looks like this:

add -4 10.0.0.100 10.0.0.99 tcp 0x1000 -A tcp-md5 "foobar" ;
add -4 10.0.0.99 10.0.0.100 tcp 0x1000 -A tcp-md5 "foobar" ;

... and the same pw is used on the Cisco side.  I'm happy to try
anything anyone wishes to recommend at this point...

Thanks!

+j

-- 
Jeff Rizzo                                         http://boogers.sf.ca.us/~riz
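
Added example, not part of the original message and not NetBSD or quagga code: a Python sketch of the RFC 2385 digest calculation and option 19 parsing, for checking a captured segment offline when a peer logs "Invalid MD5 digest" versus "No MD5 digest". The SYN segment is constructed; the addresses, port numbers and key are the ones quoted in the message, and all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_SIGNATURE = 19  # RFC 2385 option kind; total option length is 18

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 MD5 over an IPv4 TCP segment (header, options, payload)."""
    data_off = (segment[12] >> 4) * 4
    if not 20 <= data_off <= len(segment):
        raise ValueError("bad TCP data offset")
    # 1. pseudo-header: src, dst, zero, protocol, TCP segment length
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    # 2. fixed 20-byte header with the checksum zeroed; options are excluded
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + header + segment[data_off:] + key).digest()  # + 3. payload + 4. key

def find_signature(segment):
    """Return the 16-byte digest from option 19, or None if absent/malformed."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                          # malformed option list
        if opts[i] == TCPOPT_SIGNATURE and opts[i + 1] == 18:
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None

def check_segment(src_ip, dst_ip, segment, key):
    """Classify a segment along the lines of the two receiver log messages."""
    got = find_signature(segment)
    if got is None:
        return "no-digest"
    want = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return "ok" if hmac.compare_digest(got, want) else "invalid-digest"

def build_syn(src_ip, dst_ip, sport, dport, key, sign=True):
    """Constructed SYN: 20-byte header, then option 19 + 2 NOPs (or 20 NOPs)."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 10 << 4, 0x02, 65535, 0, 0)
    if not sign:
        return fixed + b"\x01" * 20
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + b"\x01" * 20, key)
    return fixed + bytes([TCPOPT_SIGNATURE, 18]) + digest + b"\x01\x01"
```

Because the digest covers the pseudo-header, a key that matches on both ends still yields "invalid-digest" if the addresses the sender hashed differ from the ones the receiver sees.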