Subject: FAST_IPSEC on architectures with alignment constraints?
To: None <tech-net@netbsd.org>
From: Nathan J. Williams <nathanw@wasabisystems.com>
List: tech-net
Date: 04/23/2005 23:18:30
I tried FAST_IPSEC on my Mac G4 today, as a prelude to testing some
crypto-accelerating hardware (not yet installed or configured in this
machine). However, I kept tripping over this crash, usually when
running nttcp:

panic: kernel diagnostic assertion "TCP_HDR_ALIGNED_P(th)" failed: file "../../../../netinet/tcp_input.c", line 1035
Stopped in pid 2.1 (cryptoret) at       netbsd:cpu_Debugger+0x18:       lwz     r
11, r1, 0x0
db> t
0xd5243b50: at panic+0x174
0xd5243bf0: at __assert+0x3c
0xd5243c20: at tcp_input+0x22e8
0xd5243d80: at ip_input+0x640
0xd5243dd0: at ipintr+0x80
0xd5243e00: at softintr__run+0xa8
0xd5243e20: at do_pending_int+0x1ec
0xd5243e60: at splx+0x40
0xd5243e70: at esp_input_cb+0x420
0xd5243ef0: at cryptoret+0x188
0xd5243f40: at cpu_switchto+0x44
0xd5243f50: at ADBDevTable+0xffb49c08
db> 

The most reliable way to cause this crash was to set the MTU of the
machine's interface to a larger-than-default value, such as 3000 or
9000, but I believe I saw it at least once with a MTU of 1500.

The network interface was:

wm0 at pci1 dev 4 function 0: Intel i82545GM 1000BASE-T Ethernet, rev. 4
wm0: interrupting at irq 25
wm0: Ethernet address 00:04:23:b2:30:90
makphy0 at wm0 phy 1: Marvell 88E1011 Gigabit PHY, rev. 5
makphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto

configured as:

# ifconfig wm0
wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 3000
        capabilities=87<IP4CSUM,TCP4CSUM,UDP4CSUM,TSO4>
        enabled=0
        address: 00:04:23:b2:30:90
        media: Ethernet autoselect (1000baseT full-duplex,flowcontrol,rxpause,txpause)
        status: active
        inet 10.1.0.15 netmask 0xffffff00 broadcast 10.1.0.255

The /etc/ipsec.conf contents, fed to setkey -c:

add 10.1.0.15 10.1.0.5 esp 1234 -E rijndael-cbc 0x79d06d135aadaba411ee0663fbcf969bc0137e91b0677e39;
add 10.1.0.5 10.1.0.15 esp 1235 -E rijndael-cbc 0x92a933b4621cd5599d53834bdf3012d22cf460f8589f7166;
add 10.1.0.15 10.1.0.5 ah  1301 -A hmac-md5 0x04dd379e613aa9342bf8a7534198c0b1;
add 10.1.0.5 10.1.0.15 ah  1302 -A hmac-md5 0x2bf8a7534198c0b104dd379e613aa934;
spdadd 10.1.0.15 10.1.0.5 any -P out ipsec esp/transport//use ah/transport//use;

Has anyone else tried FAST_IPSEC on an architecture with strict
alignment requirements (not i386, amd64, or vax) with success?

        - Nathan