[strongSwan] IP reassembly bug with strongSwan?

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Tue May 31 06:53:44 CEST 2011

On 05/30/2011 05:21 AM, Daniel.Merget at rohde-schwarz.com wrote:
> for certain cases
> the responding virtual machine froze completely.

> the error occurs for fragmented packets only (in my case, the IKE_AUTH

Hi Daniel,

IP reassembly is done in the Linux kernel, not by user space processes. 
Also, even if there was a bug in strongSwan, only strongSwan should 
crash and not the whole machine since strongSwan runs as a daemon in 
user space.

If the Linux kernel had problems w/ IP reassembly, then this would be a
severe bug since it would enable DoS attacks, i.e. anybody on the
Internet could bring down your system by sending these malicious IP packets.

Answers to the following questions might help people debugging this issue:

- With what version of the Linux kernel are you experiencing this issue? 
Did you try different versions?
- What virtualization platform are you using? KVM, ESXi, etc.
- Do you think it's possible that the virtualization infrastructure or
some firewall is doing some kind of processing on the packet and that
it's the virtualization platform that crashes?
- What do you mean by "the machine froze"? Do you have console access to 
the machine? Is it not responding at all or do you only lose network access?


