| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4628AEFA.2010604@miyazawa.org>
Date: Fri, 20 Apr 2007 21:15:54 +0900
From: Kazunori Miyazawa <kazunori@...azawa.org>
To: Diego Beltrami <Diego.Beltrami@...t.fi>
CC: netdev@...r.kernel.org, kaber@...sh.net,
herbert@...dor.apana.org.au, yoshfuji@...ux-ipv6.org, miika@....fi
Subject: Re: ESP interfamily tunnel bug?
Hi Diego,
I was probably misunderstanding your problem.
Ok, I used two machines, which were connected to different networks.
My topology was
[Host1]----[Router]-----[Host2]
I configured Host1 and Host2 to communicate by using IPv6 over IPv4 IPsec
ESP tunnel mode. And they could communicate with each other.
I have never had "netowrk unreachable".
I used ping6 for the test.
The kernel of Host1 was net-2.6 and the kernel of Host2 was linux-2.6.
I also tested with dummy adevice and a virtual address.
Host1 and Host2 had different addresses whose prefixes did not equal
to one in router advertisement they received.
I succeeded the test. Those hosts could communicate.
So, I could not reproduce the bug.
Best regards,
Diego Beltrami wrote:
> On Thu, 19 Apr 2007, Kazunori MIYAZAWA wrote:
>
>> I'm using a machine and a dummy device.
>> So I'm using loopback communication.
>> Yes, the backtrace is correct.
>>
>> I thought you used loopback communication to test the modes
>> because your configuration showed that the dummy device has
>> some addresses and you did ping from the address to the other
>> address.
>>
>> Is not right? Did you use two or more hosts?
>
> If we understood you correctly, you are using a single machine? If yes, we
> can repeat your problem too. There is something wrong with the
> loopback, XFRM (and interfamily).
>
> However, we were describing a different problem. We were using two
> separate machines that were in different networks.
>
>> I do not have enough environment to test today.
>> I'll test it with a couple of machines tomorrow.
>>
>> Diego Beltrami wrote:
>>> Hi Kazunori,
>>> thanks for reply.
>>>
>>> In your backtrace I see that there are both input and output functions
>>> calls. Is
>>> it the right way?
>>>
>>> One more thing, were your two hosts you used located on the same network?
>>> In fact it seems that if the machines are on the same network, this bug
>>> doesn't
>>> manifest.
>>>
>>> Thanks,
>>>
>>> Diego
>>>
>>>
>>>> Hello Diego,
>>>>
>>>> I tried to reproduce the bug. But I got a panic of the kernel :-<
>>>> I'm using current net-2.6.
>>>>
>>>> I suspect that some special routing for loopback is related
>>>> because I checked with kdb and got the backtrace like
>>>>
>>>> fib_sync_down
>>>> ipv6_rcv
>>>> netif_receive_skb
>>>> __mod_timer
>>>> net_rx_action
>>>> __do_softirq
>>>> do_softirq
>>>> local_bh_enable
>>>> dev_queue_xmit
>>>> neigh_resolve_output
>>>> ip_output
>>>> xfrm4_output_finish
>>>> xfrm4_output
>>>> ip_generic_getfrag
>>>> ip6_push_pending_frames
>>>>
>>>> I think ip_rcv or some IPv4 function should be called between
>>>> netif_receive_skb
>>>> and ipv6_rcv.
>>>>
>>>> Anyway I could not classify the way to make a panic.
>>>> I'll trace it.
>>>>
>>>> Thank you,
>>>>
>>>> Diego Beltrami wrote:
>>>>> Hi,
>>>>>
>>>>> we have discovered a routing related problem in ESP tunnel and beet mode.
>>>>> We don't know whether it is a bug in the XFRM, or just in the way the
>>>>> virtual addresses and the corresponding routes are set-up. We set up a
>>>>> dummy0 device for the virtual addresses:
>>>>>
>>>>> root@...ong:~# ip addr show dummy0
>>>>> 5: dummy0: <BROADCAST,NOARP,UP,10000> mtu 1500 qdisc noqueue
>>>>> link/ether 92:09:fe:11:81:1b brd ff:ff:ff:ff:ff:ff
>>>>> inet6 2001:72:e6d3:1cf3:e11d:5bb0:b99:e85e/28 scope global
>>>>> valid_lft forever preferred_lft forever
>>>>> inet6 2001:74:32e0:df36:e862:3963:523e:dd7d/28 scope global
>>>>> valid_lft forever preferred_lft forever
>>>>> inet6 2001:73:d3a8:8723:d572:7549:7f2c:e590/28 scope global
>>>>> valid_lft forever preferred_lft forever
>>>>> inet6 2001:75:a2e6:aad6:e901:dd1c:ba95:e300/28 scope global
>>>>> valid_lft forever preferred_lft forever
>>>>> inet6 fe80::9009:feff:fe11:811b/64 scope link
>>>>> valid_lft forever preferred_lft forever
>>>>>
>>>>> And then we have routes for the virtual addresses:
>>>>>
>>>>> root@...ong:~# ip -6 route
>>>>> 2001:72:e6d3:1cf3:e11d:5bb0:b99:e85e dev dummy0 metric 1024 expires
>>>>> 21334305sec mtu 1500 advmss 1440 metric 10 4294967295
>>>>> 2001:73:d3a8:8723:d572:7549:7f2c:e590 dev dummy0 metric 1024 expires
>>>>> 21334305sec mtu 1500 advmss 1440 metric 10 4294967295
>>>>> 2001:74:32e0:df36:e862:3963:523e:dd7d dev dummy0 metric 1024 expires
>>>>> 21334305sec mtu 1500 advmss 1440 metric 10 4294967295
>>>>> 2001:75:a2e6:aad6:e901:dd1c:ba95:e300 dev dummy0 metric 1024 expires
>>>>> 21334305sec mtu 1500 advmss 1440 metric 10 4294967295
>>>>> 2001:70::/28 dev dummy0 metric 256 expires 21334305sec mtu 1500 advmss
>>>>> 1440 metric 10 4294967295
>>>>> fe80::/64 dev dummy0 metric 256 expires 21334305sec mtu 1500 advmss
>>>>> 1440
>>>>> metric 10 4294967295
>>>>> ff00::/8 dev eth0 metric 256 expires 21325454sec mtu 1500 advmss 1440
>>>>> metric 10 4294967295
>>>>> ff00::/8 dev dummy0 metric 256 expires 21334305sec mtu 1500 advmss 1440
>>>>> metric 10 4294967295
>>>>> unreachable default dev lo proto none metric -1 error -101 metric 10
>>>>> 255
>>>>>
>>>>> ...and set-up policies and associations. The virtual IPv6 addresses
>>>>> are inner and IPv4 addresses are outer addresses:
>>>>>
>>>>> root@...ong:~/projects/hipl--userspace--2.6# ip xfrm policy show
>>>>> src 2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15/128 dst
>>>>> 2001:74:32e0:df36:e862:3963:523e:dd7d/128
>>>>> dir in priority 0
>>>>> tmpl src c1a7:bb82:: dst c0a8:65::
>>>>> proto esp reqid 0 mode beet
>>>>> src 2001:74:32e0:df36:e862:3963:523e:dd7d/128 dst
>>>>> 2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15/128
>>>>> dir out priority 0
>>>>> tmpl src c0a8:65:: dst c1a7:bb82::
>>>>> proto esp reqid 0 mode beet
>>>>>
>>>>> root@...ong:~/projects/hipl--userspace--2.6# ip xfrm state show
>>>>> src 193.167.187.130 dst 192.168.0.101
>>>>> proto esp spi 0xf556c7c7 reqid 0 mode beet
>>>>> replay-window 0
>>>>> auth sha1 0xab327b944011c94a0c54a097b4752e23f377ff34
>>>>> enc aes 0x882a334830b1cd14b9e411ec37a4242f
>>>>> encap type espinudp-nonike sport 50500 dport 50500
>>>>> addr 193.167.187.130
>>>>> sel src 2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15/0
>>>>> dst 2001:74:32e0:df36:e862:3963:523e:dd7d/0
>>>>> src 192.168.0.101 dst 193.167.187.130
>>>>> proto esp spi 0x1663f3a4 reqid 0 mode beet
>>>>> replay-window 0
>>>>> auth sha1 0x9f07dabce4abf2ebfe45e247ede2cf15f9156a13
>>>>> enc aes 0xfc50593b9af6d296b042a16ca00bad20
>>>>> encap type espinudp-nonike
>>>>> sport 50500 dport 50500 addr 192.168.0.101
>>>>> sel src 2001:74:32e0:df36:e862:3963:523e:dd7d/0
>>>>> dst 2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15/0
>>>>>
>>>>> And then we try to ping6 the virtual address:
>>>>>
>>>>> root@...ong:~/projects/hipl--userspace--2.6# ping6 -I
>>>>> 2001:0074:32e0:df36:e862:3963:523e:dd7d
>>>>> 2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15
>>>>> PING
>>>>>
>>>> 2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15(2001:76:7d5a:88d7:51af:cdd1:6bf5:3d15)
>>>>> from 2001:74:32e0:df36:e862:3963:523e:dd7d : 56 data bytes
>>>>> ping: sendmsg: Network is unreachable
>>>>> ping: sendmsg: Network is unreachable
>>>>>
>>>>> Tcpdump shows no traffic at the host. We can repeat the problem both with
>>>>> tunnel and beet modes in 2.6.21-rc6 (and also in 2.6.17.14).
>>>>>
>>>>> I have tried also "ip rule stuff" but it seems that it does not rule with
>>>>> IPv6 :) It does help either to reduce the number of virtual addresses to
>>>>> a
>>>>> single one. It is weird that the ESP actually works some combinations of
>>>>> virtual addresses (4 of 16) in both directions, or works unidirectionally
>>>>> on some and does not work at all on the rest. I verified the
>>>>> unidirectional property using a simple UDP based application: sender
>>>>> xmits
>>>>> UDP packet, receiver gets it ok, but cannot respond. So, the problem is
>>>>> in
>>>>> the transmission of packets.
>>>>>
>>>>> I traced the ENETUNREACH in the kernel side to here:
>>>>>
>>>>> net/ipv4/route.c:ip_route_output_slow:
>>>>> if (fib_lookup(&fl, &res)) {
>>>>> ....
>>>>> if (dev_out)
>>>>> dev_put(dev_out);
>>>>> err = -ENETUNREACH;
>>>>>
>>>>> FIB lookup up is returning an error net/ipv4/fib_rules:
>>>>>
>>>>> int fib_lookup(const struct flowi *flp, struct fib_result *res)
>>>>> {
>>>>> ...
>>>>> hlist_for_each_entry_rcu(r, node, &fib_rules, hlist) {
>>>>> ...
>>>>> case RTN_UNREACHABLE:
>>>>> rcu_read_unlock();
>>>>> return -ENETUNREACH;
>>>>>
>>>>> I wonder if the problem is related to one that Yoshifugi has filed:
>>>>>
>>>>> http://bugzilla.kernel.org/show_bug.cgi?id=8349
>>>>>
>>>>> The bug does not usually occur with machines that in the same
>>>>> physical network, so I guess it is a routing problem. Any ideas or hints?
>>>>>
>>>>> Miika & Diego
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> -
>>>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>>>> the body of a message to majordomo@...r.kernel.org
>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>>
>>>
>>>
>>>
>>> -
>>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>>> the body of a message to majordomo@...r.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> --
>> Kazunori Miyazawa
>>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists