From nobody@FreeBSD.org  Thu Apr 15 23:39:58 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6F7BE106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 15 Apr 2010 23:39:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5FA108FC16
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 15 Apr 2010 23:39:58 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o3FNdwZf019097
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 15 Apr 2010 23:39:58 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o3FNdwCd019096;
	Thu, 15 Apr 2010 23:39:58 GMT
	(envelope-from nobody)
Message-Id: <201004152339.o3FNdwCd019096@www.freebsd.org>
Date: Thu, 15 Apr 2010 23:39:58 GMT
From: Peter Molnar <peter@molnar.cc>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Wrong UDP checksum not ignored as expected in UDP encapsulated ESP packet
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         145737
>Category:       kern
>Synopsis:       [netinet] [patch] Wrong UDP checksum not ignored as expected in UDP encapsulated ESP packet
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnn
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 15 23:50:01 UTC 2010
>Closed-Date:    
>Last-Modified:  Sun May 18 05:01:19 UTC 2014
>Originator:     Peter Molnar
>Release:        RELENG_7_0_0_RELEASE
>Organization:
>Environment:
>Description:
Test setup:

A FreeBSD machine acts as a VPN client (ESP transport mode, L2TP, NAT-T) to an OpenSWAN-based VPN concentrator.

Problem description:

The L2TP (UDP) packets originating from the concentrator are rejected by the FreeBSD client because their UDP checksum, computed by the concentrator before the NAT rewrote the IP header, no longer verifies after decapsulation.

Detailed problem description:

[RFC 3948, 3.1.2] states: 

   When a transport mode has been used to transmit packets, contained
   TCP or UDP headers will have incorrect checksums due to the change of
   parts of the IP header during transit.  This procedure defines how to
   fix these checksums [...]

   Depending on local policy, one of the following MUST be done:

   [...]

   3.  If the protocol header after the ESP header is a UDP header, set
       the checksum field to zero in the UDP header. [...]
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index cbb13b6..bbe80f6 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -372,6 +372,25 @@ udp_input(struct mbuf *m, int off)
 	else
 		memset(&save_ip, 0, sizeof(save_ip));
 
+#ifdef IPSEC_NAT_T
+	/* 
+	 * RFC 3948
+	 * 
+	 * 3.1.2. Transport Mode Decapsulation NAT Procedure
+	 * 
+	 * Depending on local policy, one of the following MUST be done:
+	 * 
+	 * [...]
+	 * 
+	 * 3.  If the protocol header after the ESP header is a UDP header, set
+	 *     the checksum field to zero in the UDP header. [...]
+	 */
+	
+	if (m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL) != NULL) {
+		uh->uh_sum = 0;
+	}
+#endif
+
 	/*
 	 * Checksum extended UDP header and data.
 	 */
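Review bot: this block zeroes uh_sum for every datagram carrying PACKET_TAG_IPSEC_NAT_T_PORTS, which is RFC 3948 3.1.2 option 3 applied unconditionally; the same section's option 1 (incrementally recompute the checksum from the peer's original address) keeps the UDP checksum in force and is the better default for L2TP, whose control messages depend on it. If zeroing is kept, the "Depending on local policy" wording the comment itself quotes argues for gating it behind a policy setting rather than hard-wiring it. Two smaller points: the tag name only says NAT-T ports were recorded for this packet, not that transport mode was used, which is the case the quoted "Transport Mode Decapsulation NAT Procedure" covers; and the comment lines `+	/* `, `+	 * ` and the whitespace-only line before the `if` carry trailing whitespace that should be stripped.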


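The following is an added worked example; it is not part of this PR, of the submitted patch, or of FreeBSD's udp_usrreq.c. It shows in plain C what the Description and the quoted RFC 3948 text are about: the sender computes the UDP checksum over a pseudo-header containing the IP addresses it used, so when a NAT rewrites one of those addresses in transit, the receiver's verification against the addresses it sees fails even though the datagram is intact. It then applies both remedies from RFC 3948 3.1.2: option 1, the incremental recomputation from the address the sender used (which a kernel would learn from IKE's NAT-OA payload; here it is a constructed constant), and option 3, zeroing the field as the patch above does, which makes the receiver skip verification altogether. All addresses, ports and the payload are constructed sample values, and every function name is this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Ones-complement sum of 16-bit big-endian words; an odd trailing byte is zero-padded. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len == 1)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold the carries back into 16 bits. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* IPv4 pseudo-header (RFC 768): src, dst, zero byte, protocol 17, UDP length. */
static uint32_t pseudo_sum(const uint8_t src[4], const uint8_t dst[4], size_t udp_len)
{
    uint8_t ph[12];
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0;
    ph[9] = 17;
    ph[10] = (uint8_t)(udp_len >> 8);
    ph[11] = (uint8_t)udp_len;
    return ones_sum(ph, sizeof ph, 0);
}

/* Checksum the sender writes into the UDP header (the field itself counts as zero).
 * A zero field means "no checksum" in IPv4, so an all-zero result is sent as 0xffff. */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    uint32_t acc = pseudo_sum(src, dst, udp_len);
    acc = ones_sum(udp, 6, acc);                /* ports and length */
    acc = ones_sum(udp + 8, udp_len - 8, acc);  /* payload, skipping the checksum field */
    uint16_t c = (uint16_t)~fold(acc);
    return c == 0 ? 0xffff : c;
}

/* Receiver-side check: pseudo-header plus the whole datagram, stored field included,
 * must fold to 0xffff. A zero field means the sender did not checksum at all. */
int udp_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    if (udp[6] == 0 && udp[7] == 0)
        return 1;
    uint32_t acc = pseudo_sum(src, dst, udp_len);
    acc = ones_sum(udp, udp_len, acc);
    return fold(acc) == 0xffff;
}

/* RFC 3948 3.1.2 option 1: move the stored checksum from the addresses the sender used
 * (orig_*, known from IKE's NAT-OA) to the addresses in the received packet (recv_*).
 * Uses the RFC 1624 form HC' = ~(~HC + ~m + m'), which avoids the 0/0xffff ambiguity. */
uint16_t udp_checksum_fixup(uint16_t stored,
                            const uint8_t orig_src[4], const uint8_t orig_dst[4],
                            const uint8_t recv_src[4], const uint8_t recv_dst[4])
{
    if (stored == 0)
        return 0;                               /* no checksum present: nothing to fix */
    uint8_t old_w[8], new_w[8];
    memcpy(old_w, orig_src, 4); memcpy(old_w + 4, orig_dst, 4);
    memcpy(new_w, recv_src, 4); memcpy(new_w + 4, recv_dst, 4);
    uint32_t acc = (uint16_t)~stored;
    for (int i = 0; i < 8; i += 2) {
        acc += (uint16_t)~(((uint32_t)old_w[i] << 8) | old_w[i + 1]);  /* subtract the old word */
        acc += ((uint32_t)new_w[i] << 8) | new_w[i + 1];               /* add the new word */
    }
    uint16_t c = (uint16_t)~fold(acc);
    return c == 0 ? 0xffff : c;
}

/* Constructed scenario (not from the PR): a public concentrator sends an L2TP datagram
 * to a client behind NAT; the NAT rewrites the destination address on the way in. */
static const uint8_t SENDER_SRC[4]  = {203, 0, 113, 5};   /* concentrator */
static const uint8_t NAT_PUBLIC[4]  = {198, 51, 100, 7};  /* destination the sender used */
static const uint8_t CLIENT_PRIV[4] = {192, 168, 0, 10};  /* destination the client sees */

struct nat_t_demo {
    uint16_t sender_sum;   /* checksum the concentrator wrote */
    int ok_as_sent;        /* verified against the addresses the sender used */
    int ok_after_nat;      /* verified against the addresses the client sees */
    uint16_t fixed_sum;    /* option 1: incrementally recomputed */
    int ok_after_fixup;
    int ok_after_zeroing;  /* option 3: field cleared, as the PR's patch does */
};

struct nat_t_demo run_demo(void)
{
    struct nat_t_demo d;
    /* UDP header: src/dst port 1701, length 12, checksum 0, then a 4-byte constructed payload. */
    uint8_t pkt[12] = {0x06, 0xA5, 0x06, 0xA5, 0x00, 0x0C, 0x00, 0x00, 'L', '2', 'T', 'P'};
    d.sender_sum = udp_checksum(SENDER_SRC, NAT_PUBLIC, pkt, sizeof pkt);
    pkt[6] = d.sender_sum >> 8; pkt[7] = d.sender_sum & 0xff;
    d.ok_as_sent = udp_checksum_ok(SENDER_SRC, NAT_PUBLIC, pkt, sizeof pkt);
    d.ok_after_nat = udp_checksum_ok(SENDER_SRC, CLIENT_PRIV, pkt, sizeof pkt);
    d.fixed_sum = udp_checksum_fixup(d.sender_sum, SENDER_SRC, NAT_PUBLIC, SENDER_SRC, CLIENT_PRIV);
    pkt[6] = d.fixed_sum >> 8; pkt[7] = d.fixed_sum & 0xff;
    d.ok_after_fixup = udp_checksum_ok(SENDER_SRC, CLIENT_PRIV, pkt, sizeof pkt);
    pkt[6] = pkt[7] = 0;                        /* option 3: drop the checksum entirely */
    d.ok_after_zeroing = udp_checksum_ok(SENDER_SRC, CLIENT_PRIV, pkt, sizeof pkt);
    return d;
}

int main(void)
{
    struct nat_t_demo d = run_demo();
    printf("sent 0x%04x ok_as_sent=%d ok_after_nat=%d fixed 0x%04x ok_after_fixup=%d ok_after_zeroing=%d\n",
           d.sender_sum, d.ok_as_sent, d.ok_after_nat, d.fixed_sum, d.ok_after_fixup, d.ok_after_zeroing);
    return 0;
}
```

The contrast between the last two results is the point: after option 1 the datagram still carries a checksum that the receiver actually verifies, whereas after option 3 it carries none and the receiver accepts it without looking, which is what the follow-up below objects to for L2TP control messages.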
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Apr 17 06:21:27 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145737 
Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sat Apr 17 15:47:48 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145737 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, peter@molnar.cc
Cc:  
Subject: Re: kern/145737: [netinet] [patch] Wrong UDP checksum not ignored
 as expected in UDP encapsulated ESP packet
Date: Sat, 17 Apr 2010 15:56:51 +0000 (UTC)

 Hi,
 
 while this is the simplest solution there is a patch for review that
 is supposed to do proper cksum re-calculations by 3.1.2. 1. which I
 think I would prefer.
 
 This is especially the case as the default of RFC2661 (L2TP) says that
 UDP checksums must be enabled. To my memory an application may disable
 them for data messages but never for control messages; thus you
 actually want proper checksum re-calculation when doing L2TP.
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:01:11 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145737 
>Unformatted:
