[vpp-dev] IGMP over an IPSec protected tunnel
Hi VPP folks, Recently I ran into a problem: receiving IGMP packets over a GRE tunnel protected by IPSec in transport mode, sometimes causes a VPP crash. The crash happens in `ip4-local` node. Using debug image, i realized the problem was caused by an invalid fib index passed to `fib_get()` function. Digging down the code, I found the root cause of this problem: buffer's opaque. IGMP packets have a Router Alert option in IP header. This causes the packets to directly goes from `ip4-input` node to `ip4-local` node and this is all right. But IGMP packets that are encrypted, first have to be decrypted. During this process, their buffer's opaque changes and `ipsec.sad_index` is set. Then the packet is passed to `ip4-input` then `ip4-local` and there, `ip.fib_index` from buffer's opaque is used; But the `ipsec.sad_index` and `ip.fib_index` are the same in opaque struct. This is the reason of invalid fib index. What is the best way to prevent the crashes and fix the behavior of IPSec decryption? which part of the code should be changed? -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20834): https://lists.fd.io/g/vpp-dev/message/20834 Mute This Topic: https://lists.fd.io/mt/88966349/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[vpp-dev] IGMP over an IPSec protected tunnel
Hi Benoit, Because of VPP's crash, I'm afraid i can't capture the pcap. But I'll share with you a packet trace of a normal interface with an IGMP packet. Normally yes, the packet goes through `ip4-lookup`, but here the path is: `ip4_input_inline`-> `ip4_input_check_x2`->`check_ver_opt_csum`. and since it has a Router Alert option, it goes to `ip4-options` then from there it goes to `ip4-local`. In this attached pcap, `sootap-tx` is my plugin node that is registered to get IGMP packets. igmp.pcap Description: application/vnd.tcpdump.pcap -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20837): https://lists.fd.io/g/vpp-dev/message/20837 Mute This Topic: https://lists.fd.io/mt/88966349/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [vpp-dev] IGMP over an IPSec protected tunnel
Hi, Can you share a packet trace? I'd expect the packet to go through ip4-lookup (where ip.fib_index is set) before ip4-local, not going directly from ip4-input to ip4-local. Best ben > -Original Message- > From: vpp-dev@lists.fd.io On Behalf Of Mahdi > Varasteh > Sent: lundi 7 février 2022 06:51 > To: vpp-dev@lists.fd.io > Subject: [vpp-dev] IGMP over an IPSec protected tunnel > > Hi VPP folks, > > Recently I ran into a problem: receiving IGMP packets over a GRE tunnel > protected by IPSec in transport mode, sometimes causes a VPP crash. > The crash happens in ip4-local node. Using debug image, i realized the > problem was caused by an invalid fib index passed to fib_get() function. > Digging down the code, I found the root cause of this problem: buffer's > opaque. > IGMP packets have a Router Alert option in IP header. This causes the > packets to directly goes from ip4-input node to ip4-local node and this is > all right. But IGMP packets that are encrypted, first have to be > decrypted. During this process, their buffer's opaque changes and > ipsec.sad_index is set. Then the packet is passed to ip4-input then ip4- > local and there, ip.fib_index from buffer's opaque is used; But the > ipsec.sad_index and ip.fib_index are the same in opaque struct. This is > the reason of invalid fib index. > > What is the best way to prevent the crashes and fix the behavior of IPSec > decryption? which part of the code should be changed? -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20836): https://lists.fd.io/g/vpp-dev/message/20836 Mute This Topic: https://lists.fd.io/mt/88966349/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [vpp-dev] IGMP over an IPSec protected tunnel
Thanks that makes sense... I think we should set fib_index correctly before going to ip4-local in that case. Can you check if the problem is fixed with https://gerrit.fd.io/r/c/vpp/+/35232 ? Ben > -Original Message- > From: vpp-dev@lists.fd.io On Behalf Of Mahdi > Varasteh > Sent: lundi 7 février 2022 13:12 > To: vpp-dev@lists.fd.io > Subject: [vpp-dev] IGMP over an IPSec protected tunnel > > Hi Benoit, > > Because of VPP's crash, I'm afraid i can't capture the pcap. But I'll > share with you a packet trace of a normal interface with an IGMP packet. > Normally yes, the packet goes through ip4-lookup, but here the path is: > ip4_input_inline-> ip4_input_check_x2->check_ver_opt_csum. and since it > has a Router Alert option, it goes to ip4-options then from there it goes > to ip4-local. > > In this attached pcap, sootap-tx is my plugin node that is registered to > get IGMP packets. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20839): https://lists.fd.io/g/vpp-dev/message/20839 Mute This Topic: https://lists.fd.io/mt/88966349/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [vpp-dev] IGMP over an IPSec protected tunnel
Thanks Benoit. This patch solved the problem. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20846): https://lists.fd.io/g/vpp-dev/message/20846 Mute This Topic: https://lists.fd.io/mt/88966349/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
