[strongSwan] IP reassembly bug with strongSwan?
danielml+mailinglists.strongswan at sent.com
Tue May 31 06:53:44 CEST 2011
On 05/30/2011 05:21 AM, Daniel.Merget at rohde-schwarz.com wrote:
> for certain cases
> the responding virtual machine froze completely.
> the error occurs for fragmented packets only (in my case, the IKE_AUTH
IP reassembly is done in the Linux kernel, not by user space processes.
Also, even if there was a bug in strongSwan, only strongSwan should
crash and not the whole machine since strongSwan runs as a daemon in
If the Linux kernel had problems w/ IP reassembly, then this would be a
severe bug since it would enable DoS attacks, i.e. anybody on the
Internet could bring down your system by sending these malicious IP packets.
Answers to the following questions might help people debugging this issue:
- With what version of the Linux kernel are you experiencing this issue?
Did you try different versions?
- What virtualization platform are you using? KVM, ESXi, etc.
- Do you think it's possible that the virtualization infrastructure or
some firewall is doing some kind of processing on the packet and that
it's the virtualization platform that crashes?
- What do you mean by "the machine froze"? Do you have console access to
the machine? Is it not responding at all or do you only lose network access?
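
Added example (not part of the original message): since reassembly happens in the kernel, its IPv4 counters in /proc/net/snmp show whether fragments reached the responder and whether they were reassembled. The two snapshots below are constructed and trimmed to a few columns; the function names are hypothetical.

```python
"""Compare two /proc/net/snmp snapshots for IPv4 reassembly activity."""

REASM_FIELDS = ("ReasmReqds", "ReasmOKs", "ReasmFails", "ReasmTimeout")

# Constructed sample snapshots (not captured from a real host). The real file
# has more columns; the parser matches by column name, so trimming is harmless.
BEFORE = """\
Ip: Forwarding DefaultTTL InReceives ReasmTimeout ReasmReqds ReasmOKs ReasmFails
Ip: 1 64 1000 0 10 5 0
Icmp: InMsgs InErrors
Icmp: 3 0
"""
AFTER = """\
Ip: Forwarding DefaultTTL InReceives ReasmTimeout ReasmReqds ReasmOKs ReasmFails
Ip: 1 64 1004 0 14 5 2
Icmp: InMsgs InErrors
Icmp: 3 0
"""


def parse_ip_counters(text):
    """Return {counter_name: value} from the 'Ip:' header/value line pair."""
    rows = [ln.split()[1:] for ln in text.splitlines() if ln.startswith("Ip:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one 'Ip:' header line and one value line")
    names, values = rows
    return {name: int(value) for name, value in zip(names, values)}


def reasm_delta(before, after):
    """Change in each reassembly counter between the two snapshots."""
    b, a = parse_ip_counters(before), parse_ip_counters(after)
    return {field: a[field] - b[field] for field in REASM_FIELDS}


def describe(delta):
    """Summarise what the kernel did with fragments between the snapshots."""
    if delta["ReasmReqds"] == 0:
        return "no fragments reached the kernel"
    if delta["ReasmFails"] or delta["ReasmTimeout"]:
        return "fragments arrived but reassembly failed"
    return "fragments arrived and were reassembled"


if __name__ == "__main__":
    print(describe(reasm_delta(BEFORE, AFTER)))
```

On a live host, pass the contents of /proc/net/snmp read before and after the fragmented exchange instead of the samples.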