IPsec related issue.

2007-05-13 Thread zion
Greetings all,
I'm trying to implement an IPsec tunnel from my LAN to a dedicated box.
I've met with a common issue where some TCP packets cannot be fragmented
because the DF flag is set, and the packet is unable to pass through the
tunnel. In that case an informing ICMP packet is sent to the
destination; the problem is that some sites block such packets. As a
result, the TCP session stalls. Some details about my setup: an OpenBSD 4.1
WRAP box with a kernel PPPoE connection doing NAT. The remote box is an
OpenBSD 4.0 machine with a vr(4) NIC in some datacenter. My ipsec.conf
is very simple and uses sane, secure defaults:

local ipsec.conf:
ike dynamic esp from { 10.10.10.0/29, pppoe } to any peer xx.xx.xx.xx srcid fw.xx.com
flow esp from { 10.10.10.0/29, 10.10.11.0/28 } to { 10.10.10.0/29, 10.10.11.0/28 } type bypass

remote ipsec.conf:
ike passive esp from any to any srcid vpngw.x96.org

So, some TCP sessions still stall. I've tried multiple combinations of
the scrub directive; I had to decrease max-mss and such, and would still see
stalling TCP sessions. So I came up with a test that would check the
maximum size of a packet that can pass through the tunnel, using ping's -s
to set the payload size of an ICMP echo request packet. The test has
shown that the maximum payload is 1330 bytes (-s 1331 would not go
through). Adding the 8B ICMP header and the 20B IP header makes it 1358B
total. Since a regular TCP header is 12 bytes larger than an ICMP header,
it looks like I'd have to set max-mss to 1318 for most TCP sessions to
work fine. Then I tried the same test without the tunnel and got a result
of 1464B ICMP payload. The conclusion is that there is a 134-byte overhead
for the IPsec tunnel, which includes a 20B new IP header, an 8B ESP header
and who knows how large an optional ESP trailer. The only assumption I make
for this test to work is that the ICMP echo request packet is not
fragmented. Correct me if I'm wrong please. I should probably try out
scapy to create a DF TCP packet using similar logic to test the max size
to get more assuring results. Anyway, it seems that this overhead is
quite large, ~10% of the largest packet. Could anyone comment on this?
I would appreciate any comments or suggestions on how to improve this
setup. My current scrub directive on the remote box is:
scrub on $ext_if no-df max-mss 1318

Like I said, some TCP sessions still stall; could that be caused by a
rare enlarged TCP packet with the Options field being set? ;-)
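
Added example (not part of the original post): the size arithmetic from the message above together with ESP tunnel-mode framing as laid out in RFC 4303, so the measured 134-byte difference can be compared with what the framing itself accounts for. The transform parameters (16-byte IV and cipher block, 12-byte ICV, as for AES-CBC with HMAC-SHA1-96) and all function names are assumptions; the post does not say which transforms the tunnel negotiated.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no IP options).
# Transform parameters are ASSUMED; the post does not name the negotiated ones.
IP_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8
OUTER_IP = 20        # new outer IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_MIN = 2  # pad-length byte + next-header byte

def ping_packet_size(payload):
    """IP packet size produced by `ping -s payload`."""
    return payload + ICMP_HDR + IP_HDR

def mss_for(packet_size):
    """TCP MSS that keeps a full-size segment within packet_size."""
    return packet_size - IP_HDR - TCP_HDR

def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, natt=False):
    """Outer packet size after ESP tunnel encapsulation of inner_len bytes."""
    # Inner packet plus trailer bytes is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER_MIN) // block) * block
    udp = 8 if natt else 0  # UDP encapsulation header when NAT-T is in use
    return OUTER_IP + udp + ESP_HDR + iv_len + padded + icv_len

def max_inner(path_mtu, **transform):
    """Largest inner packet whose encapsulated form fits within path_mtu."""
    n = path_mtu
    while n > 0 and esp_tunnel_size(n, **transform) > path_mtu:
        n -= 1
    return n

if __name__ == "__main__":
    in_tunnel = ping_packet_size(1330)   # largest ping that passed the tunnel
    no_tunnel = ping_packet_size(1464)   # largest ping without the tunnel
    print("measured inner limit :", in_tunnel)
    print("measured path MTU    :", no_tunnel)
    print("measured difference  :", no_tunnel - in_tunnel)
    print("max-mss from measure :", mss_for(in_tunnel))
    print("ESP size of 1358B pkt:", esp_tunnel_size(in_tunnel))
    best = max_inner(no_tunnel)
    print("framing-only limit   :", best, "-> max-mss", mss_for(best))
```

Under these assumed transforms a 1358-byte inner packet encapsulates to 1416 bytes, so the framing alone accounts for 58 of the 134 bytes measured.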



Sony laptop sound problems with auich0 and openbsd 3.9, 4.0, 4.1-beta.

2007-02-18 Thread zion
Hello list,

Having serious problems with a Sony PCG-V505EX laptop.
Basically, sound doesn't work unless there is some activity (traffic) on
the fxp0 or iwi0 interfaces. Even if there is some traffic, sound grinds to
a halt after a few seconds. It doesn't matter what source the sound is coming
from: cd, dvd, mp3, ogg.

The first thing that comes to my mind is an IRQ issue. There are 5 devices
using the same irq 9, looking at dmesg. BIOS settings are really
limited on this laptop.

The same exact problem occurs when using the 3.9 and 4.0 releases, with of
course the GENERIC kernel.

Any help is greatly appreciated.


DMESG:
OpenBSD 4.1-beta (GENERIC) #3: Sun Feb 18 11:08:26 PST 2007
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1500MHz ("GenuineIntel" 686-class) 1.49 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,EST,TM2
real mem  = 535851008 (523292K)
avail mem = 480706560 (469440K)
using 4256 buffers containing 26914816 bytes (26284K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 11/21/03, BIOS32 rev. 0 @ 0xfd751, SMBIOS rev. 2.3 @ 0xd8010 (17 entries)
bios0: Sony Corporation PCG-V505EX(UC)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd750/0x8b0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x1 0xd8000/0x4000! 0xdc000/0x4000!
acpi at mainbus0 not configured
cpu0 at mainbus0
cpu0: Enhanced SpeedStep 1500 MHz (1484 mV): speeds: 1500, 1400, 1200, 1000, 800, 600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82855PE Hub" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82855PE AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility 9200" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x03: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x03: irq 9
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x03pci_intr_map: no mapping for pin C
: couldn't map interrupt
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x03pci_intr_map: no mapping for pin D
: couldn't map interrupt
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x83
pci2 at ppb1 bus 2
cbb0 at pci2 dev 5 function 0 "Ricoh 5C475 CardBus" rev 0xb8: irq 3
"Ricoh 5C551 Firewire" rev 0x00 at pci2 dev 5 function 1 not configured
fxp0 at pci2 dev 8 function 0 "Intel PRO/100 VE" rev 0x83, i82562: irq 9, address 08:00:46:cd:ab:1c
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
iwi0 at pci2 dev 11 function 0 "Intel PRO/Wireless 2200BG" rev 0x05: irq 9, address 00:0e:35:0d:38:65
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x0, lattimer 0x40
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x03
pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
16-sector PIO, LBA48, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x03pci_intr_map: no mapping for pin B
: polling
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x03: irq 9, ICH4 AC97
ac97: codec id 0x594d4803 (Yamaha YMF753-S)
ac97: codec features 18 bit DAC, No 3D Stereo
audio0 at auich0
"Intel 82801DB Modem" rev 0x03 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask effd netmask effd ttymask 
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

# audioctl -a
name=ICH4 AC97
version=0x03
config=auich0
encodings=ulinear:8,mulaw:8*,alaw:8*,slinear:8*,sli