Matthew Grooms wrote:
All,
With fast ipsec compiled into the kernel, I can see the outbound esp
transport SAD entry increase the current byte count but the ipcomp entry
shows nothing to indicate its use. It seems strange that the kernel will
send acquire messages via PF_KEY as a prerequisite to performing the
required security processing but doesn't use them once they are added by
the key daemon.
So, I tracked down the problem I was seeing to here ...
/usr/src/sys/netinet6/ipcomp_output.c:145
        /* grab parameters */
        algo = ipcomp_algorithm_lookup(sav->alg_enc);
        if ((ntohl(sav->spi) & ~0xffff) != 0 || !algo) {
                stat->out_inval++;
                m_freem(m);
                return EINVAL;
        }
... The SPI which gets interpreted as the CPI had a value larger than
0xffff. If IPCOMP will always fail with a CPI that isn't contained
within 16 bits, should this be treated as an error condition when the
key daemon attempts to add the SAD entry? Then there would be error
feedback as opposed to silently dropping the packet in the outbound path.
Thanks,
-Matthew
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
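The check quoted above, and the add-time validation the message asks for, as an added example written for this page (not FreeBSD's own code). It mirrors the 16-bit CPI test from ipcomp_output.c in a user-space function, then contrasts the two places the test can live: per packet in the outbound path, where a failure only bumps an out_inval counter and the packet vanishes, versus once when the key daemon adds the SA, where the caller gets EINVAL back. The struct and function names (sa_params, validate_sa_add, outbound_ipcomp) are hypothetical; the SPI values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for the SA fields the kernel check reads.
 * The real struct secasvar carries much more; only the SPI slot, kept in
 * network byte order as sav->spi is, matters here. */
struct sa_params {
    uint32_t spi;       /* network byte order; holds the CPI for IPCOMP SAs */
    int      is_ipcomp; /* 1 for an IPCOMP SA, 0 for ESP/AH */
};

/* Same predicate as ipcomp_output.c: the SPI slot must hold a value that
 * fits in the 16-bit CPI field. Returns 1 if it fits, 0 otherwise. */
int cpi_fits_16bit(uint32_t spi_net)
{
    return (ntohl(spi_net) & ~0xffffU) == 0;
}

/* Simulated outbound path with the original behaviour: an oversized CPI
 * increments the out_inval counter and returns EINVAL, but nothing reaches
 * the key daemon or the administrator. Returns 0 when the packet would be
 * sent. */
int outbound_ipcomp(uint32_t spi_net, unsigned *out_inval)
{
    if (!cpi_fits_16bit(spi_net)) {
        (*out_inval)++;        /* the only trace the drop leaves */
        return EINVAL;
    }
    return 0;                  /* compression would proceed here */
}

/* Add-time validation as proposed in the message: reject the SA before it
 * enters the SAD so the key daemon sees the error. Non-IPCOMP SAs may use
 * the full 32-bit SPI range, so only IPCOMP entries are checked.
 * Returns 0 on success, EINVAL if the SA would never be usable. */
int validate_sa_add(uint32_t spi_net, int is_ipcomp)
{
    if (is_ipcomp && !cpi_fits_16bit(spi_net))
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed values: one CPI inside the 16-bit range, one outside. */
    const uint32_t good_cpi = htonl(0x1234u);
    const uint32_t bad_cpi  = htonl(0x12345u);
    unsigned out_inval = 0;

    printf("add IPCOMP SA with CPI 0x1234  -> %d\n", validate_sa_add(good_cpi, 1));
    printf("add IPCOMP SA with CPI 0x12345 -> %d (EINVAL=%d)\n",
           validate_sa_add(bad_cpi, 1), EINVAL);

    /* Without add-time validation the bad SA is accepted and every packet
     * using it is dropped on output, visible only as a rising counter. */
    outbound_ipcomp(bad_cpi, &out_inval);
    outbound_ipcomp(bad_cpi, &out_inval);
    printf("packets silently dropped on output: %u\n", out_inval);
    return 0;
}
```

Once the SA is rejected at add time, the key daemon's SADB_ADD or SADB_UPDATE fails with a visible error instead of the administrator having to correlate a growing out_inval counter with an SA that never carries traffic.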