NetBSD Problem Report #52161
From www@NetBSD.org Fri Apr 14 03:21:58 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 6B2C57A283
for <gnats-bugs@gnats.NetBSD.org>; Fri, 14 Apr 2017 03:21:58 +0000 (UTC)
Message-Id: <20170414032156.463DD7A2B3@mollari.NetBSD.org>
Date: Fri, 14 Apr 2017 03:21:56 +0000 (UTC)
From: ozaki-r@netbsd.org
Reply-To: ozaki-r@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: ipsec: tunnel mode with AH over IPv6 doesn't work
X-Send-Pr-Version: www-1.0
>Number: 52161
>Category: kern
>Synopsis: ipsec: tunnel mode with AH over IPv6 doesn't work
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 14 03:25:00 +0000 2017
>Closed-Date: Thu Feb 15 15:13:59 +0000 2018
>Last-Modified: Thu Feb 15 15:13:59 +0000 2018
>Originator: Ryota Ozaki
>Release: -current
>Organization:
IIJ
>Environment:
NetBSD 7.99.69 (RUMP-ROAST)
on
NetBSD rangeley 7.99.66 NetBSD 7.99.66 (RANGELEY) #68: Thu Mar 16 12:44:31 JST 2017 ozaki-r@rangeley:(hidden) amd64
>Description:
IPsec doesn't work in tunnel mode with AH over IPv6. The Tx side of
a tunnel successfully sends a packet with an AH header; however, the Rx side
of the tunnel fails to receive the packet:
ah_input: authentication hash mismatch over 20 bytes for packet in SA fc00::2/00002710:
4940:a796:6f38:752b:8602:f2fa, 6523:ec6b:c941:bcf1:1ae2:3460
Only the null algorithm works on the setups, so something goes wrong in
the hash calculations of the Tx or Rx (or both).
Note that tunnel mode with AH over IPv4 works,
tunnel mode with ESP over IPv6 works and
transport mode with AH over IPv6 works.
>How-To-Repeat:
Run t_ipsec_tunnel (tests/net/ipsec/t_ipsec_tunnel.sh)
>Fix:
n/a
>Release-Note:
>Audit-Trail:
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: src/tests/net/ipsec
Date: Fri, 14 Apr 2017 03:35:40 +0000
Module Name: src
Committed By: ozaki-r
Date: Fri Apr 14 03:35:40 UTC 2017
Modified Files:
src/tests/net/ipsec: t_ipsec_tunnel.sh
Log Message:
Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_tunnel.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: src/sys/netipsec
Date: Fri, 14 Apr 2017 18:35:05 -0400
Module Name: src
Committed By: christos
Date: Fri Apr 14 22:35:05 UTC 2017
Modified Files:
src/sys/netipsec: xform_ipip.c
Log Message:
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/sys/netipsec/xform_ipip.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
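Added illustration (not part of the PR and not NetBSD's code): a toy model of why a payload length that still includes the 40-byte outer IPv6 header breaks AH verification in tunnel mode. It assumes the IPv6 output path rewrites the payload length after the ICV is computed; toy_mac, ah_icv, set_plen and tunnel_roundtrip are hypothetical names, and the keyed checksum is a stand-in for the real HMAC.

```c
#include <stdint.h>
#include <string.h>

#define IP6_HDRLEN 40u /* fixed IPv6 header size in bytes */

/* Toy keyed FNV-1a checksum standing in for the AH HMAC; NOT cryptographic. */
static uint32_t toy_mac(const uint8_t *key, size_t klen, const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* AH-style ICV: mutable fields (traffic class, flow label, hop limit) are
 * zeroed first; the payload length (bytes 4-5) is immutable, so it is covered. */
static uint32_t ah_icv(const uint8_t *key, size_t klen, const uint8_t *pkt, size_t len)
{
    uint8_t tmp[128];
    memcpy(tmp, pkt, len);
    tmp[0] = 0x60; tmp[1] = tmp[2] = tmp[3] = tmp[7] = 0;
    return toy_mac(key, klen, tmp, len);
}

static void set_plen(uint8_t *pkt, size_t plen)
{
    pkt[4] = (uint8_t)(plen >> 8);
    pkt[5] = (uint8_t)(plen & 0xff);
}

/* Tx encapsulates and signs, the output path and one router hop touch the
 * header, Rx verifies. Returns 1 when the receiver's ICV matches. */
int tunnel_roundtrip(int subtract_hdr)
{
    static const uint8_t key[] = "constructed-key";
    static const uint8_t inner[] = "constructed inner packet"; /* AH + inner */
    uint8_t pkt[128] = { 0x60 };                /* version 6, rest zero */
    size_t len = IP6_HDRLEN + sizeof(inner);
    pkt[6] = 51;                                /* next header: AH */
    pkt[7] = 64;                                /* hop limit */
    memcpy(pkt + IP6_HDRLEN, inner, sizeof(inner));
    set_plen(pkt, subtract_hdr ? len - IP6_HDRLEN : len);
    uint32_t tx = ah_icv(key, sizeof(key), pkt, len);
    set_plen(pkt, len - IP6_HDRLEN); /* assumed: output path stores true length */
    pkt[7]--;                        /* hop limit is mutable, not covered */
    return ah_icv(key, sizeof(key), pkt, len) == tx;
}

int main(void) { return !(tunnel_roundtrip(1) == 1 && tunnel_roundtrip(0) == 0); }
```

ESP does not authenticate the outer IP header, which is consistent with the report that tunnel mode with ESP over IPv6 was unaffected.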
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: src/tests/net/ipsec
Date: Sun, 16 Apr 2017 10:34:49 +0000
Module Name: src
Committed By: ozaki-r
Date: Sun Apr 16 10:34:49 UTC 2017
Modified Files:
src/tests/net/ipsec: t_ipsec_tunnel.sh
Log Message:
Revert "Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)"
The issue was fixed by christos@
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_tunnel.sh
State-Changed-From-To: open->pending-pullups
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Mon, 12 Feb 2018 13:16:51 +0000
State-Changed-Why:
I've sent pullups
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: [netbsd-7] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:39:43 +0000
Module Name: src
Committed By: martin
Date: Thu Feb 15 14:39:43 UTC 2018
Modified Files:
src/sys/netipsec [netbsd-7]: xform_ipip.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1567):
sys/netipsec/xform_ipip.c: revision 1.44
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.2.1 src/sys/netipsec/xform_ipip.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: [netbsd-7-1] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:41:57 +0000
Module Name: src
Committed By: martin
Date: Thu Feb 15 14:41:57 UTC 2018
Modified Files:
src/sys/netipsec [netbsd-7-1]: xform_ipip.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1567):
sys/netipsec/xform_ipip.c: revision 1.44
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.10.1 src/sys/netipsec/xform_ipip.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: [netbsd-7-0] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:43:13 +0000
Module Name: src
Committed By: martin
Date: Thu Feb 15 14:43:12 UTC 2018
Modified Files:
src/sys/netipsec [netbsd-7-0]: xform_ipip.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1567):
sys/netipsec/xform_ipip.c: revision 1.44
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.6.1 src/sys/netipsec/xform_ipip.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: [netbsd-6] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:49:00 +0000
Module Name: src
Committed By: martin
Date: Thu Feb 15 14:49:00 UTC 2018
Modified Files:
src/sys/netipsec [netbsd-6]: xform_ipip.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/netipsec/xform_ipip.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: [netbsd-6-1] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:50:17 +0000
Module Name: src
Committed By: martin
Date: Thu Feb 15 14:50:17 UTC 2018
Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ipip.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.22.1 src/sys/netipsec/xform_ipip.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52161 CVS commit: [netbsd-6-0] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:51:44 +0000
Module Name: src
Committed By: martin
Date: Thu Feb 15 14:51:44 UTC 2018
Modified Files:
src/sys/netipsec [netbsd-6-0]: xform_ipip.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.14.1 src/sys/netipsec/xform_ipip.c
State-Changed-From-To: pending-pullups->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Thu, 15 Feb 2018 15:13:59 +0000
State-Changed-Why:
pulled up in [NetBSD-6#1529] and [NetBSD-7#1567]
>Unformatted: