tech-net archive


Re: IPsec: stack problems



On 01/03/2018 at 09:43, Joerg Sonnenberger wrote:
> On Thu, Mar 01, 2018 at 07:31:13AM +0100, Maxime Villard wrote:
> > I'm a little concerned about the stack usage in the IPsec code. Note that what
> > I'm talking about here occurs _after_ authentication.
>
> I think that is a known design issue of the IPsec code. FreeBSD has been
> talking about similar issues for years, too.
>
> > Typically, when an IPv4-AH packet is received, the code path is:
> >
> > 	ip_input
> > 	(*pr_input) = ipsec_common_input
> > 	ah_input
> > 	crypto_dispatch
> > 	[several crypto functions are called]
> > 	ah_input_cb
> > 	ipsec4_common_input_cb
> > 	(*pr_input) = depends on the packet
>
> I wonder if the best approach wouldn't be to cut the stack at this point
> and defer the packet back to a netisr.

Frank Kardel suggested the same thing (in an off-list email), here's my
answer to him. Basically I'm not sure if it breaks assumptions deep in the
opencrypto code.

Maxime



-------- Forwarded Message --------
Subject: Re: IPsec: stack problems
Date: Thu, 1 Mar 2018 08:02:07 +0100
From: Maxime Villard <max%m00nbsd.net@localhost>
To: Frank Kardel <kardel%kardel.name@localhost>

On 01/03/2018 at 07:45, Frank Kardel wrote:
[...]

In fact, the crypto code was written with the assumption that when
crypto_dispatch returns, there is no further crypto processing.

If the packet is repushed, this assumption does not hold anymore, and I'm not
sure whether it wouldn't break things.

But otherwise yes, it would be nice to repush the packet.

Maxime
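
Added example, not part of the original thread and not NetBSD code: a toy C model of the code path quoted above, comparing call depth when the callback invokes the next input routine directly with call depth when it requeues the packet for a drain loop (the "netisr" idea). All `toy_*` names, the queue, and the assumption that the final `(*pr_input)` re-enters the IPsec path for a packet carrying several nested layers are hypothetical.

```c
/* Toy model of the quoted code path; every name here is hypothetical. */
#include <stdio.h>
#define QLEN 16

struct pkt { int layers; };       /* constructed: remaining nested AH layers */
static int depth, max_depth;      /* call-depth instrumentation */
static struct pkt *queue[QLEN];   /* stands in for a netisr input queue */
static int qhead, qtail, deferred;

static void toy_input(struct pkt *p);
static void enter(void) { if (++depth > max_depth) max_depth = depth; }
static void leave(void) { depth--; }

/* Stands in for ah_input_cb -> ipsec4_common_input_cb -> (*pr_input). */
static void toy_input_cb(struct pkt *p)
{
    enter();
    p->layers--;                           /* one layer stripped */
    if (p->layers > 0) {
        if (deferred)
            queue[qtail++ % QLEN] = p;     /* cut the stack: requeue */
        else
            toy_input(p);                  /* next layer on the same stack */
    }
    leave();
}

/* Stands in for crypto_dispatch running the callback synchronously. */
static void toy_crypto_dispatch(struct pkt *p) { enter(); toy_input_cb(p); leave(); }

/* Stands in for ipsec_common_input -> ah_input. */
static void toy_input(struct pkt *p) { enter(); toy_crypto_dispatch(p); leave(); }

/* Returns the deepest call nesting reached while processing one packet. */
int run(int layers, int defer)
{
    struct pkt p = { layers };
    depth = max_depth = 0; qhead = qtail = 0; deferred = defer;
    queue[qtail++ % QLEN] = &p;
    while (qhead != qtail)                 /* the drain loop */
        toy_input(queue[qhead++ % QLEN]);
    return max_depth;
}

int main(void)
{
    printf("direct:   max depth %d\n", run(4, 0));
    printf("deferred: max depth %d\n", run(4, 1));
    return 0;
}
```

In this model the direct variant's depth grows linearly with the number of layers, while the deferred variant stays at the depth of a single pass; it does not model the opencrypto assumption about `crypto_dispatch` raised in the forwarded message.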

