[strongSwan] IP reassembly bug with strongSwan?

Daniel.Merget at rohde-schwarz.com Daniel.Merget at rohde-schwarz.com
Mon May 30 14:21:36 CEST 2011


Hi

I am using strongSwan 4.5.1 on two virtual machines running Linux kernel 2.6.

For performance tests of the IPsec protocol over an error-prone channel, I am injecting bit errors at predefined rates into the packets. However, I noticed that for certain cases the responding virtual machine froze completely.

After a lot of debugging using Wireshark and some other tools, I was able to find out that the error occurs for fragmented packets only (in my case, the IKE_AUTH request from the initiator gets fragmented into 2 fragments).

More precisely, the affected field is the ip_total_length field of the second fragment. I found out that when the resulting ip_total_length value is smaller than the originally generated value, the machine crashes after a few more message exchanges (surprisingly, it does not crash instantly).

When I tried to reproduce the error, I also found out that the error only occurs if there are also error-free fragments sent once in a while (e.g. 50% chance to corrupt ip_total_length). I assume that when reassembling the IP packets, strongSwan somehow gets confused when mixing both error-prone and error-free packets and subsequently crashes the whole system.

My setup works completely fine except for this special case where (in a fragmented packet) the ip_total_length field is modified so that the result is less than the original.

I also had a look at the strongSwan source to find a cause for this. However, I came to the conclusion that reassembly is done by the Linux kernel by calling

        select(max_fd + 1, &rfds, NULL, NULL, NULL)

in socket_default_socket.c.

I am not very familiar with socket programming, so this might be a misinterpretation by me, because I failed to recreate the error for other applications than strongSwan. But that is probably no evidence that the problem arises from strongSwan...

Although this is probably a very special and individual issue, I hope that someone can give me some thoughts or advice on the topic. Maybe there is a piece of source code I should review to debug the problem? Is it actually a strongSwan issue or rather a kernel bug?

I would appreciate any help!


Regards,
Daniel Merget
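The post concerns a corrupted ip_total_length in the second fragment of an IKE_AUTH request. IPv4 reassembly happens in the kernel's IP layer before the datagram reaches the UDP socket that strongSwan waits on with select(), so the checks a receiver applies to each fragment header are the interesting part. The script below is an added example written for this archive page, not code from the post or from the strongSwan project. It builds a constructed two-fragment datagram, validates each fragment (header checksum, total_length against the bytes actually received, 8-byte alignment of non-final fragments, 64 KiB bound), and reassembles only a consistent set, rejecting gaps, overlaps and duplicate final fragments. All addresses, the identification value and the payload are made-up sample data; set_total_length is a hypothetical helper that reproduces, in memory, the shortened total_length described in the post.

```python
import struct

IHL_MIN = 20  # IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragments(payload: bytes, src: bytes, dst: bytes, ident: int = 0x1234,
                    proto: int = 17, mtu: int = 576) -> list:
    """Split a payload into IPv4 fragments the way a sending stack would (constructed sample)."""
    max_data = (mtu - IHL_MIN) // 8 * 8  # non-final fragments carry a multiple of 8 bytes
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        more = 1 if off + len(chunk) < len(payload) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL_MIN + len(chunk), ident,
                          (more << 13) | (off // 8), 64, proto, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
        off += len(chunk)
    return frags


def check_fragment(pkt: bytes) -> list:
    """Return the header-consistency problems found in one received fragment ([] if clean)."""
    problems = []
    if len(pkt) < IHL_MIN:
        return ["packet shorter than minimum IPv4 header"]
    ver_ihl, _, total_len, _, flags_off = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        problems.append("version is not 4")
    if ihl < IHL_MIN or ihl > len(pkt):
        return problems + ["bad header length %d" % ihl]
    if ipv4_checksum(pkt[:ihl]) != 0:  # a valid header including its checksum sums to zero
        problems.append("header checksum mismatch")
    if total_len < ihl:
        problems.append("total_length %d smaller than header" % total_len)
    elif total_len > len(pkt):
        problems.append("total_length %d exceeds %d received bytes" % (total_len, len(pkt)))
    elif total_len < len(pkt):
        # Caveat: Ethernet pads frames below 60 bytes, so a production stack trims this
        # silently; for a datagram of this size it is the shortened-length fault from the post.
        problems.append("%d trailing bytes beyond total_length" % (len(pkt) - total_len))
    more, offset = (flags_off >> 13) & 1, (flags_off & 0x1FFF) * 8
    data_len = max(total_len - ihl, 0)
    if more and data_len % 8:
        problems.append("non-final fragment payload not a multiple of 8")
    if offset + data_len > 0xFFFF:
        problems.append("fragment extends past 65535 bytes")
    return problems


def reassemble(fragments: list):
    """Rebuild one datagram from its fragments; returns (payload, []) or (None, problems)."""
    pieces, total, ident = [], None, None
    for pkt in fragments:
        problems = check_fragment(pkt)
        if problems:
            return None, problems
        ver_ihl, _, total_len, pkt_id, flags_off = struct.unpack("!BBHHH", pkt[:8])
        if ident is None:
            ident = pkt_id
        elif pkt_id != ident:
            return None, ["identification %#x does not match %#x" % (pkt_id, ident)]
        data = pkt[(ver_ihl & 0x0F) * 4:total_len]
        offset = (flags_off & 0x1FFF) * 8
        pieces.append((offset, data))
        if not (flags_off >> 13) & 1:  # MF clear: this fragment fixes the datagram length
            if total is not None:
                return None, ["more than one final fragment"]
            total = offset + len(data)
    if total is None:
        return None, ["final fragment missing"]
    out = bytearray()
    for offset, data in sorted(pieces):
        if offset != len(out):  # fragments must tile the datagram exactly
            return None, ["gap or overlap at offset %d" % offset]
        out += data
    if len(out) != total:
        return None, ["data beyond final fragment"]
    return bytes(out), []


def set_total_length(pkt: bytes, new_len: int, fix_checksum: bool) -> bytes:
    """Hypothetical fault-injection helper: overwrite total_length of a 20-byte header."""
    hdr = bytearray(pkt[:IHL_MIN])
    struct.pack_into("!H", hdr, 2, new_len)
    if fix_checksum:  # a bit error on the wire would not do this; shown for contrast
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[IHL_MIN:]


def demo():
    """Two-fragment datagram (size of a typical IKE_AUTH request) with and without a shortened total_length."""
    payload = b"IKE_AUTH request body (constructed) " * 30  # 1080 bytes of sample data
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    good = build_fragments(payload, src, dst)
    orig_len = struct.unpack("!H", good[1][2:4])[0]
    bad_raw = good[:1] + [set_total_length(good[1], orig_len - 64, fix_checksum=False)]
    bad_fixed = good[:1] + [set_total_length(good[1], orig_len - 64, fix_checksum=True)]
    return reassemble(good), reassemble(bad_raw), reassemble(bad_fixed)


if __name__ == "__main__":
    for label, result in zip(("clean", "shortened", "shortened+checksum"), demo()):
        print(label, "->", "ok, %d bytes" % len(result[0]) if result[0] else result[1])
```

With the 576-byte MTU the 1080-byte payload splits into a 552-byte first fragment and a 528-byte final one, matching the two-fragment case in the post. A total_length corrupted by a bit error fails the header checksum first; only if the checksum is recomputed does the length inconsistency become the sole finding, which is why a reassembler should record both rather than trust the length field alone.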