From: Thomas Jarosch <thomas.jarosch@intra2net.com>
To: netdev@vger.kernel.org
Cc: Tom Herbert <therbert@google.com>,
Steffen Klassert <steffen.klassert@secunet.com>
Subject: [bisected] UDP / xfrm: NAT-T packets with bad UDP checksum get dropped
Date: Thu, 12 Sep 2019 17:13:53 +0200 [thread overview]
Message-ID: <20190912151353.2w7jakdrqljkfbsq@intra2net.com> (raw)
Hello together,
after updating many machines already from 3.14 to 4.19.67,
one site showed a non-working IPSec VPN connection with 4.19.x.
This IPSec connection is using UDP NAT traversal on port 4500.
The tunnel gets established fine, but no data flows.
Output of "ip xfrm state" looked sane.
The TRACE iptables firewall target showed the UDP packets
on port 4500 get accepted as expected. Still they didn't appear
in "ip xfrm monitor" and vanish somewhere in the kernel,
no error counter in /proc/net/xfrm_state increased at all.
After a few hours of bisecting with a test VM,
this commit was identified to cause the packet drop:
*******************
commit 0a80966b1043c3e2dc684140f155a3fded308660
Author: Tom Herbert <therbert@google.com>
Date: Wed May 7 16:52:39 2014 -0700
net: Verify UDP checksum before handoff to encap
Moving validation of UDP checksum to be done in UDP not encap layer.
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index f2d05d7be743..54ea0a3a48f1 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1495,6 +1495,10 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) {
int ret;
+ /* Verify checksum before giving to encap */
+ if (udp_lib_checksum_complete(skb))
+ goto csum_error;
+
ret = encap_rcv(sk, skb);
if (ret <= 0) {
UDP_INC_STATS_BH(sock_net(sk),
..
*******************
This commit is part of kernel 3.16. Reverting the commit
brings back the VPN connection using kernel 4.19.67.
I didn't spot the checksum error initially since wireshark and tcpdump
need to be explicitly told to verify checksums and there's a warning
about checksum offloading messing with it.
Further tracing showed the UDP packets leave the source
site with a zero UDP checksum and arrive, after passing
an unknown home router and a few other routers,
with a bogus UDP checksum on the destination side.
I've disabled rx and tx checksum offloading on the target test VM
and also on a router in between, but the packet dumps just
contain a fixed value as UDP checksum (f.e. 0x91c4).
RFC 3948 specifies how ESP packets should be encapsulated
using UDP for NAT traveral:
https://tools.ietf.org/html/rfc3948
*******************
2.1. UDP-Encapsulated ESP Header Format
the IPv4 UDP Checksum SHOULD be transmitted as a zero value, and
receivers MUST NOT depend on the UDP checksum being a zero value.
3.5. Tunnel Mode ESP Decapsulation
1. The UDP header is removed from the packet.
*******************
I'm wondering how the RFC should be interpreted here
regarding the UDP checksumming?
As far as I can tell it doesn't mention the UDP checksum
should be verified before decapsulation, the ESP packets
will provide proper data authentication anyway.
Cheers,
Thomas
next reply other threads:[~2019-09-12 15:13 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-12 15:13 Thomas Jarosch [this message]
2019-09-16 14:45 ` [bisected] UDP / xfrm: NAT-T packets with bad UDP checksum get dropped Thomas Jarosch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190912151353.2w7jakdrqljkfbsq@intra2net.com \
--to=thomas.jarosch@intra2net.com \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=therbert@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox