NetBSD Problem Report #44463

From  Wed Jan 26 10:31:12 2011
Date: Wed, 26 Jan 2011 11:31:02 +0100 (CET)
Subject: FAST_IPSEC may send icmp-error message for expanded IPCOMP-tunnel packets
X-Send-Pr-Version: 3.95

>Number:         44463
>Category:       kern
>Synopsis:       FAST_IPSEC may send icmp-error message for expanded IPCOMP-tunnel packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 26 10:35:00 +0000 2011
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 5.1
Dr. Nagler & Company GmbH

System: NetBSD test-s0 4.0 NetBSD 4.0 (NSW-WS) #0: Tue Aug 17 17:28:09 CEST 2010 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
	For the IPSEC implementation the M_DECRYPTED flag is set in both cases (ESP and IPCOMP)
	if a packet is processed.
	This flag is used in /usr/src/sys/netinet/ip_icmp.c (line 246) to avoid sending an icmp error packet.

	In the FAST_IPSEC implementation this flag is only set after ESP processing.
	So if you setup an IPCOMP-only-tunnel, icmp error packets may be generated for the decrypted packet.

	Accidentally the M_DECRYPTED flag is used in /usr/src/sys/netipsec/ipsec.c function ipsec_in_reject()
	to detect if a packet has been successfully processed by ESP. So this flag cannot be used
	for IPCOMP too in FAST_IPSEC.
	Found by a look into the sources.
	I think another flag (e.g. M_IPCOMP_DONE 0x100000) is needed in the set of mbuf-flags, but I'm not sure
	if this is OK. Therefore I've added no patch up to now.
	This flag should be added to M_COPYFLAGS and M_FLAGS_BITS too - as far as I understand the mbuf processing.

	If this flag is added, it must be checked in ip_icmp.c (line 246) too and set after IPCOMP processing is done
	in /usr/src/sys/netipsec/xform_ipcomp.c function ipcomp_input_cb() prior to the call to the macro IPSEC_COMMON_INPUT_CB().
	This would introduce the same semantics in FAST_IPSEC as in IPSEC.
	The flag may be used in the IPSEC part too, but it is not necessary for the functionality.
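The following is an added userland model of the flag logic described in this report; it is not NetBSD kernel code and is not a patch. It uses a toy mbuf struct, an assumed numeric value for M_DECRYPTED (the real value lives in the kernel's mbuf.h), the M_IPCOMP_DONE value proposed above, and stand-in functions named after the kernel paths involved (ESP/IPCOMP input, the icmp_error() suppression check, the ipsec_in_reject() ESP test). It shows why a second flag is needed: reusing M_DECRYPTED for IPCOMP would make ipsec_in_reject() believe an IPCOMP-only packet had been ESP-processed, while a separate flag lets the ICMP check cover both cases without changing that test.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed value for this model only; the kernel defines the real M_DECRYPTED. */
#define M_DECRYPTED   0x00000010u
/* Value proposed in the PR for the new flag. */
#define M_IPCOMP_DONE 0x00100000u

/* Toy stand-in for struct mbuf: only the flags word matters here. */
struct model_mbuf {
	unsigned int m_flags;
};

/* Inbound transforms as FAST_IPSEC behaves today: only ESP marks the packet. */
static void esp_input(struct model_mbuf *m)            { m->m_flags |= M_DECRYPTED; }
static void ipcomp_input_current(struct model_mbuf *m) { (void)m; /* sets nothing */ }

/* Proposed ipcomp_input_cb() behaviour: mark the packet with its own flag. */
static void ipcomp_input_proposed(struct model_mbuf *m) { m->m_flags |= M_IPCOMP_DONE; }

/* icmp_error() suppression test, current form (ESP only). */
bool icmp_suppressed_current(const struct model_mbuf *m)
{
	return (m->m_flags & M_DECRYPTED) != 0;
}

/* icmp_error() suppression test, proposed form (ESP or IPCOMP done). */
bool icmp_suppressed_proposed(const struct model_mbuf *m)
{
	return (m->m_flags & (M_DECRYPTED | M_IPCOMP_DONE)) != 0;
}

/* ipsec_in_reject() question: "was this packet processed by ESP?" Unchanged. */
bool esp_processed(const struct model_mbuf *m)
{
	return (m->m_flags & M_DECRYPTED) != 0;
}

/* Scenario: packet arrives through an IPCOMP-only tunnel. Returns true when an
 * ICMP error would be emitted for the expanded packet under the chosen variant. */
bool ipcomp_only_sends_icmp(bool proposed)
{
	struct model_mbuf m = { 0 };
	if (proposed)
		ipcomp_input_proposed(&m);
	else
		ipcomp_input_current(&m);
	bool suppressed = proposed ? icmp_suppressed_proposed(&m)
	                           : icmp_suppressed_current(&m);
	return !suppressed;
}

/* Scenario: same IPCOMP-only packet, proposed flag set. Returns true if
 * ipsec_in_reject() would wrongly think ESP processed it. */
bool ipcomp_only_looks_esp_processed(void)
{
	struct model_mbuf m = { 0 };
	ipcomp_input_proposed(&m);
	return esp_processed(&m);
}

/* Scenario: ESP packet under the proposed check is still suppressed. */
bool esp_packet_suppressed_proposed(void)
{
	struct model_mbuf m = { 0 };
	esp_input(&m);
	return icmp_suppressed_proposed(&m);
}

int main(void)
{
	printf("IPCOMP-only, current:  icmp error sent = %d\n", ipcomp_only_sends_icmp(false));
	printf("IPCOMP-only, proposed: icmp error sent = %d\n", ipcomp_only_sends_icmp(true));
	printf("IPCOMP-only, proposed: looks ESP-processed = %d\n", ipcomp_only_looks_esp_processed());
	printf("ESP packet, proposed:  icmp suppressed = %d\n", esp_packet_suppressed_proposed());
	return 0;
}
```

The current variant lets the ICMP error through for the IPCOMP-only packet, the proposed variant suppresses it, and because the new flag is distinct, esp_processed() stays false for IPCOMP-only traffic, which is the property ipsec_in_reject() depends on.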


Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.