lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jun 2014 21:21:19 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Steffen Klassert <steffen.klassert@...unet.com> Cc: Evan Gilman <evan@...erduty.com>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: Sporadic ESP payload corruption when using IPSec in NAT-T Transport Mode On Mon, Jun 30, 2014 at 01:33:24PM +0200, Steffen Klassert wrote: > Ccing netdev. > > On Thu, Jun 26, 2014 at 02:12:30PM -0700, Evan Gilman wrote: > > Hi all > > We have a couple Ubuntu 10.04 hosts with kernel version 3.14.5 which are > > experiencing TCP payload corruption when using IPSec in NAT-T transport > > mode. All are running under Xen at third party providers. When > > communicating with other hosts using IPSec, we see that these corrupt TCP > > PDUs are still being received by the remote listener, even though the TCP > > checksum is invalid. > > All other checksums (IPSec authentication header and IP checksum) are > > good. So, we are thinking that corruption is happening during the ESP > > encapsulation and decapsulation phase (IPSec required for reproduction). > > The corruption occurs sporadically, and we have not found any one > > payload/packet combination that will reliably trigger it, though we can > > typically reproduce it in less than 30 minutes. We can do it very simply > > by reading from /dev/zero with dd and piping through netcat. It occurs > > whenever a 3.14.5 kernel is involved at either end of the conversation. I > > can send captures to those who are interested. Does any of this sound > > familiar? > > I can't remember anyone reporting such problems, but maybe someone > else does. I have seen one report where a Xen guest experienced IPsec corruption when using aesni-intel. However, in that case the corruption was at the authentication level. Are you using aesni-intel by any chance? Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists