lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 30 Jun 2014 21:21:19 +0800
From:	Herbert Xu <>
To:	Steffen Klassert <>
Cc:	Evan Gilman <>,,
Subject: Re: Sporadic ESP payload corruption when using IPSec in NAT-T
 Transport Mode

On Mon, Jun 30, 2014 at 01:33:24PM +0200, Steffen Klassert wrote:
> Ccing netdev.
> On Thu, Jun 26, 2014 at 02:12:30PM -0700, Evan Gilman wrote:
> >    Hi all
> >    We have a couple Ubuntu 10.04 hosts with kernel version 3.14.5 which are
> >    experiencing TCP payload corruption when using IPSec in NAT-T transport
> >    mode. All are running under Xen at third party providers. When
> >    communicating with other hosts using IPSec, we see that these corrupt TCP
> >    PDUs are still being received by the remote listener, even though the TCP
> >    checksum is invalid.
> >    All other checksums (IPSec authentication header and IP checksum) are
> >    good. So, we are thinking that corruption is happening during the ESP
> >    encapsulation and decapsulation phase (IPSec required for reproduction).
> >    The corruption occurs sporadically, and we have not found any one
> >    payload/packet combination that will reliably trigger it, though we can
> >    typically reproduce it in less than 30 minutes. We can do it very simply
> >    by reading from /dev/zero with dd and piping through netcat. It occurs
> >    whenever a 3.14.5 kernel is involved at either end of the conversation. I
> >    can send captures to those who are interested. Does any of this sound
> >    familiar?
> I can't remember anyone reporting such problems, but maybe someone
> else does.

I have seen one report where a Xen guest experienced IPsec corruption
when using aesni-intel.  However, in that case the corruption was at
the authentication level.  Are you using aesni-intel by any chance?

Email: Herbert Xu <>
Home Page:
PGP Key:
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists