From nobody@FreeBSD.org  Wed Mar  5 00:12:20 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D66A0106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  5 Mar 2008 00:12:20 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id C63728FC24
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  5 Mar 2008 00:12:20 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m2509K0M059050
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 5 Mar 2008 00:09:20 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m2509KVj059049;
	Wed, 5 Mar 2008 00:09:20 GMT
	(envelope-from nobody)
Message-Id: <200803050009.m2509KVj059049@www.freebsd.org>
Date: Wed, 5 Mar 2008 00:09:20 GMT
From: Cyrus Rahman <crahman@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: New IPSEC & IPV6 & AH+ESP Broken
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         121373
>Category:       kern
>Synopsis:       [ipsec] New IPSEC & IPV6 & AH+ESP Broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnn
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 05 00:20:02 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 18 05:03:38 UTC 2014
>Originator:     Cyrus Rahman
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Tue Mar  4 16:27:33 MST 2008     cr@snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA  i386

>Description:
One can't run IPsec with both ESP + AH on 7.0-RELEASE with IPv6.  Trying to do so
will produce the kernel printf:

 kernel: ip6_output (ipsec): error code 22

and no output from the interface.

The problem looks to be here, in ipsec_output.c, ipsec_process_done():

        /*
         * If there's another (bundled) SA to apply, do so.
         * Note that this puts a burden on the kernel stack size.
         * If this is a problem we'll need to introduce a queue
         * to set the packet on so we can unwind the stack before
         * doing further processing.
         */
        if (isr->next) {
                ipsec4stat.ips_out_bundlesa++;
                return ipsec4_process_packet(m, isr->next, 0, 0);
        }

So for the second SA we try to apply it with ipsec4_process_packet(), which fails when handed an IPv6 packet.  By the way, things work fine with IPv4.

>How-To-Repeat:
Set up an association between two IPv6 hosts that calls for ESP+AH.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Mar 5 00:26:16 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=121373 
Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sat Mar 8 23:06:45 UTC 2008 
Responsible-Changed-Why:  
Take this. Might take a few days before I can come up with a patch. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/121373: commit references a PR
Date: Fri, 14 Mar 2008 11:09:17 +0000 (UTC)

 bz          2008-03-14 11:09:11 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet6         ip6_output.c 
   Log:
   Replace the function name in two identical printfs
   by __func__, __LINE__ so we can distinguish them
   when people report a problem.
   
   PR:             121373
   MFC after:      5 days
   
   Revision  Changes    Path
   1.115     +4 -2      src/sys/netinet6/ip6_output.c
 
State-Changed-From-To: open->patched 
State-Changed-By: gavin 
State-Changed-When: Wed Jun 11 13:04:28 UTC 2008 
State-Changed-Why:  
This has been fixed in HEAD and RELENG_7 but is still awaiting MFC 
to RELENG_6 


From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: gavin@FreeBSD.org
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/121373: [ipsec] New IPSEC & IPV6 & AH+ESP Broken
Date: Wed, 11 Jun 2008 13:14:58 +0000 (UTC)

 On Wed, 11 Jun 2008, gavin@FreeBSD.org wrote:
 
 > Synopsis: [ipsec] New IPSEC & IPV6 & AH+ESP Broken
 >
 > State-Changed-From-To: open->patched
 > State-Changed-By: gavin
 > State-Changed-When: Wed Jun 11 13:04:28 UTC 2008
 > State-Changed-Why:
 > This has been fixed in HEAD and RELENG_7 but is still awaiting MFC
 > to RELENG_6
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=121373
 
 What makes you think that it was? I cannot remember having found the
 time for IPsec work lately (unfortunately).
 
 Could you please change it back to open?
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
State-Changed-From-To: patched->open 
State-Changed-By: gavin 
State-Changed-When: Wed Jun 11 13:37:25 UTC 2008 
State-Changed-Why:  
Back to open, on bz@ request - I misread the PR, this was never patched 

Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:03:13 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

>Unformatted:
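
Added illustration (not part of the original report, and not FreeBSD kernel code or the project's fix): a userland model of the bundled-SA dispatch quoted from ipsec_process_done() in the Description, showing why the second SA of an IPv6 bundle fails while IPv4 works. The model_* functions, struct pkt, struct req, the ESP-then-AH order and the use of EINVAL for "error code 22" are assumptions made for the model.

```c
/* Userland model (added example, not FreeBSD kernel code). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>                 /* AF_INET, AF_INET6 */
/* Hypothetical stand-ins for the kernel's mbuf and struct ipsecrequest. */
struct pkt { int family; int applied; };
struct req { const char *proto; struct req *next; };

static int model_process(struct pkt *p, struct req *r, int af, int family_aware);
/* Models ipsec_process_done(): runs after one SA of the bundle was applied. */
static int model_process_done(struct pkt *p, struct req *r, int family_aware)
{
    p->applied++;
    if (r->next == NULL)
        return 0;                       /* bundle complete */
    if (family_aware)                   /* dispatch on the packet's own family */
        return model_process(p, r->next, p->family, family_aware);
    /* Behaviour in the quoted excerpt: the next SA always takes the IPv4 path. */
    return model_process(p, r->next, AF_INET, family_aware);
}

/* Models a per-family entry point (ipsec4_process_packet() when af == AF_INET). */
static int model_process(struct pkt *p, struct req *r, int af, int family_aware)
{
    if (p->family != af)
        return EINVAL;  /* assumption: stands in for the reported error code 22 */
    return model_process_done(p, r, family_aware);
}

/* Push one packet through an assumed ESP -> AH bundle; returns an errno value. */
int run_bundle(int family, int family_aware, int *applied)
{
    struct req ah = { "ah", NULL };
    struct req esp = { "esp", &ah };
    struct pkt p = { family, 0 };
    int error = model_process(&p, &esp, family, family_aware);
    *applied = p.applied;               /* how many SAs were applied before stopping */
    return error;
}

int main(void)
{
    int n, e;
    e = run_bundle(AF_INET, 0, &n);  printf("v4, v4-only dispatch: error %d, %d SAs\n", e, n);
    e = run_bundle(AF_INET6, 0, &n); printf("v6, v4-only dispatch: error %d, %d SAs\n", e, n);
    e = run_bundle(AF_INET6, 1, &n); printf("v6, family dispatch:  error %d, %d SAs\n", e, n);
    return 0;
}
```

In the model, the IPv6 packet gets its first transform applied and is then rejected when the second one is routed to the IPv4 path, which matches the report that a single-family IPv4 bundle is unaffected.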
