NetBSD Problem Report #56833

From www@netbsd.org  Sat May 14 13:17:54 2022
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 480E31A921F
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 14 May 2022 13:17:54 +0000 (UTC)
Message-Id: <20220514131752.423661A923C@mollari.NetBSD.org>
Date: Sat, 14 May 2022 13:17:52 +0000 (UTC)
From: andrew.cagney@gmail.com
Reply-To: andrew.cagney@gmail.com
To: gnats-bugs@NetBSD.org
Subject: SADB_UPDATE doesn't update the mode
X-Send-Pr-Version: www-1.0

>Number:         56833
>Category:       kern
>Synopsis:       SADB_UPDATE doesn't update the mode
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 14 13:20:00 +0000 2022
>Originator:     Andrew Cagney
>Release:        9.2
>Organization:
>Environment:
NetBSD netbsdw 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
Given a kernel state (SPDB) entry allocated using SPDB_GETSPI, updating it doesn't update the mode.

But why would the mode change?

Initiator proposes:
   IPcomp+ESP+tunnel
which means it could tentatively allocate (using SPDB_GETSPI):
   IPcomp SPI + tunnel
   ESP SPI + transport
(it could also ask for +any) and sends that to the responder.
The responder then rejects IPcomp and instead establishes just:
   ESP+tunnel
so now the initiator gets to delete the IPcomp entry (or let it expire) and update the ESP entry to tunnel mode.

I should note that it looks like NetBSD ignores the mode on SPDB entries.  For instance, using IPv4, I found when the code asks for:
   IPcomp SPI + tunnel
   ESP SPI + tunnel
and then tries to update things to:
   IPcomp SPI + tunnel
   ESP SPI + transport
the ESP entries' mode is left as tunnel yet (small) packets still interop.

>How-To-Repeat:
Below is with IPv6; it also applies to IPv4.

getspi  2001:db8:1:2::23 2001:db8:1:2::45 esp 0 ; dump ;
2001:db8:1:2::23 2001:db8:1:2::45 
        esp mode=any spi=182168845(0x0adbad0d) reqid=0(0x00000000)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval 
        sadb_seq=0 pid=1486 refcnt=0
update 2001:db8:1:2::23 2001:db8:1:2::45 esp 182168845  -m transport -E rijndael-cbc "aaaaaaaaaaaaaaaa"; dump;
2001:db8:1:2::23 2001:db8:1:2::45 
        esp mode=any spi=182168845(0x0adbad0d) reqid=0(0x00000000)
        E: aes-cbc  61616161 61616161 61616161 61616161
        seq=0x00000000 replay=0 flags=0x00000040 state=mature 
        created: May 14 12:45:40 2022   current: May 14 12:45:40 2022
        diff: 0(s)      hard: 0(s)      soft: 0(s)
        last: May 14 02:59:20 2022      hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=1486 refcnt=0

>Fix:
Workaround is to just leave the mode=any

(bigger problem is a lack of a pointer (ID) from the SPD's rule to the SADB)
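
A check for the behaviour reported above, as an added example that is not part of the original report or of NetBSD's code: it parses setkey dump text and flags an SA whose mode differs from the one requested in the update. The function names are hypothetical; the sample dump is taken from the post-update output in the report.

```shell
#!/bin/sh
# Added example: regression check for the mode reported after an update.

# sample_dump: post-update dump lines from the report, embedded for offline use.
sample_dump() {
    cat <<'EOF'
2001:db8:1:2::23 2001:db8:1:2::45
        esp mode=any spi=182168845(0x0adbad0d) reqid=0(0x00000000)
        E: aes-cbc  61616161 61616161 61616161 61616161
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
EOF
}

# sa_mode SPI: read dump text on stdin, print the mode= value of the SA
# with the given decimal SPI. Exit status 2 if no such SA is present.
sa_mode() {
    awk -v want="$1" '
        # SA detail line: "esp mode=any spi=182168845(0x0adbad0d) reqid=..."
        /mode=/ && /spi=/ {
            mode = ""; spi = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^mode=/) mode = substr($i, 6)
                if ($i ~ /^spi=/) { spi = substr($i, 5); sub(/\(.*/, "", spi) }
            }
            if (spi == want) { print mode; found = 1; exit }
        }
        END { if (!found) exit 2 }
    '
}

# check_mode SPI EXPECTED: read dump text on stdin.
# Returns 0 if the SA has the expected mode, 1 if it differs, 2 if the SA is missing.
check_mode() {
    actual=$(sa_mode "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "spi $1: mode=$actual (ok)"
        return 0
    fi
    echo "spi $1: mode=$actual, expected $2" >&2
    return 1
}
```

On a live system the same check can read the kernel's table directly, for example `setkey -D | check_mode 182168845 transport`.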
