Hi,

Can you share a packet trace? I'd expect the packet to go through ip4-lookup 
(where ip.fib_index is set) before ip4-local, not going directly from ip4-input 
to ip4-local.

Best
ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Mahdi
> Varasteh
> Sent: Monday, 7 February 2022 06:51
> To: vpp-dev@lists.fd.io
> Subject: [vpp-dev] IGMP over an IPSec protected tunnel
> 
> Hi VPP folks,
> 
> Recently I ran into a problem: receiving IGMP packets over a GRE tunnel
> protected by IPSec in transport mode sometimes causes a VPP crash.
> The crash happens in the ip4-local node. Using a debug image, I realized the
> problem was caused by an invalid fib index passed to the fib_get() function.
> Digging down the code, I found the root cause of this problem: the buffer's
> opaque.
> IGMP packets have a Router Alert option in the IP header. This causes the
> packets to go directly from the ip4-input node to the ip4-local node and this
> is all right. But IGMP packets that are encrypted first have to be
> decrypted. During this process, their buffer's opaque changes and
> ipsec.sad_index is set. Then the packet is passed to ip4-input then
> ip4-local and there, ip.fib_index from the buffer's opaque is used; but the
> ipsec.sad_index and ip.fib_index are the same in the opaque struct. This is
> the reason for the invalid fib index.
> 
> What is the best way to prevent the crashes and fix the behavior of IPSec
> decryption? Which part of the code should be changed?
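
A simplified model of the field aliasing described in the quoted report, added here as an example; it is not VPP code and not from either poster. The union layout, the `model_*` names and the table size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a buffer's opaque area (assumed layout, not
 * VPP's): each feature overlays its own view on the same bytes. */
typedef union {
    struct { uint32_t fib_index; } ip;    /* read on the IP path */
    struct { uint32_t sad_index; } ipsec; /* written by decryption */
} opaque_model_t;

#define N_FIBS 4u /* constructed table size */
static const char *const fib_names[N_FIBS] = {"fib0", "fib1", "fib2", "fib3"};

/* Decryption records which SA handled the packet. */
static void model_decrypt(opaque_model_t *o, uint32_t sad_index) {
    o->ipsec.sad_index = sad_index;
}

/* Lookup is the step that writes a fresh ip.fib_index. */
static void model_lookup(opaque_model_t *o, uint32_t rx_fib) {
    o->ip.fib_index = rx_fib;
}

/* Local delivery with a bounds check: NULL instead of an out-of-range read. */
static const char *model_local(const opaque_model_t *o) {
    uint32_t idx = o->ip.fib_index;
    return idx < N_FIBS ? fib_names[idx] : NULL;
}

/* decrypt -> [lookup] -> local; skip_lookup models the direct path. */
static const char *model_path(uint32_t sad_index, uint32_t rx_fib, int skip_lookup) {
    opaque_model_t o = {0};
    model_decrypt(&o, sad_index);
    if (!skip_lookup)
        model_lookup(&o, rx_fib);
    return model_local(&o);
}

int main(void) {
    const char *r;
    r = model_path(1234, 0, 1); /* stale SA index, out of range */
    printf("skip, sad=1234: %s\n", r ? r : "rejected");
    r = model_path(2, 0, 1);    /* stale SA index, in range: wrong table */
    printf("skip, sad=2:    %s\n", r ? r : "rejected");
    r = model_path(1234, 0, 0); /* lookup rewrites the field */
    printf("lookup:         %s\n", r ? r : "rejected");
    return 0;
}
```

In this model an in-range stale value passes the bounds check and selects the wrong table, so the check stops the out-of-range read but not the misrouting.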

View/Reply Online (#20836): https://lists.fd.io/g/vpp-dev/message/20836