lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 30 Jun 2014 21:21:19 +0800
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	Steffen Klassert <steffen.klassert@...unet.com>
Cc:	Evan Gilman <evan@...erduty.com>, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: Sporadic ESP payload corruption when using IPSec in NAT-T
 Transport Mode

On Mon, Jun 30, 2014 at 01:33:24PM +0200, Steffen Klassert wrote:
> Ccing netdev.
> 
> On Thu, Jun 26, 2014 at 02:12:30PM -0700, Evan Gilman wrote:
> >    Hi all
> >    We have a couple Ubuntu 10.04 hosts with kernel version 3.14.5 which are
> >    experiencing TCP payload corruption when using IPSec in NAT-T transport
> >    mode. All are running under Xen at third party providers. When
> >    communicating with other hosts using IPSec, we see that these corrupt TCP
> >    PDUs are still being received by the remote listener, even though the TCP
> >    checksum is invalid.
> >    All other checksums (IPSec authentication header and IP checksum) are
> >    good. So, we are thinking that corruption is happening during the ESP
> >    encapsulation and decapsulation phase (IPSec required for reproduction).
> >    The corruption occurs sporadically, and we have not found any one
> >    payload/packet combination that will reliably trigger it, though we can
> >    typically reproduce it in less than 30 minutes. We can do it very simply
> >    by reading from /dev/zero with dd and piping through netcat. It occurs
> >    whenever a 3.14.5 kernel is involved at either end of the conversation. I
> >    can send captures to those who are interested. Does any of this sound
> >    familiar?
> 
> I can't remember anyone reporting such problems, but maybe someone
> else does.

I have seen one report where a Xen guest experienced IPsec corruption
when using aesni-intel.  However, in that case the corruption was at
the authentication level.  Are you using aesni-intel by any chance?

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists