#2 IPComp fixes

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2005-05-13
Created: 2003-11-05
Creator: Anonymous
Private: No

In testing racoon, I found that when it sends an
SADB_ADD message to the kernel for IPComp, the replay
window size is set to 4. This causes the kernel to
reject any inbound IPComp packets. This patch makes
sure the replay window size is set to 0 for IPComp, to
prevent this from happening.

Also, racoon needs to specify the min and max CPI for
IPComp, so that the kernel does not allocate one that
is 4 bytes instead of 2 bytes. Currently, the Linux
kernel does not make sure to only use 2 bytes for CPIs.
This can also cause packets to be dropped by the
kernel, due to the CPI in the packet not matching the
one the kernel has. This fix also ensures that the min
and max CPI are set for IPComp so that the kernel
chooses one that is in the correct range.

These patches are against ipsec-tools-0.2.2. They have
been tested with the 2.6.0-test4 kernel. I have not
seen any changes to the handling of IPComp by the
kernel in any of the latest 2.6.0-test releases, so the
fix should work on later kernels as well.

If there are any questions regarding this patch, please
contact me.

Brian Buesker
Engineer
QUALCOMM
5775 Morehouse Dr.
San Diego, CA 92121

Email: bbuesker@qualcomm.com
Phone: 858-658-2918
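The CPI mismatch described in the report, as an added C example (not the attached patch and not ipsec-tools or kernel code). The function and struct names are hypothetical, and the 256-61439 range is the negotiated CPI range from RFC 3173, assumed here because the page does not say which min and max the patch uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3173 CPI ranges: 0-63 well-known, 256-61439 negotiated, 61440-65535 private. */
#define CPI_MIN 256u
#define CPI_MAX 61439u

/* Hypothetical stand-in for the min/max pair carried in an SADB_GETSPI request. */
struct spi_range { uint32_t min, max; };

/* Range to request for IPComp so the allocated value fits the 16-bit field (assumed choice). */
struct spi_range ipcomp_spi_range(void) {
    struct spi_range r = { CPI_MIN, CPI_MAX };
    return r;
}

/* Replay window for SADB_ADD: the IPComp header has no sequence number, so 0. */
uint8_t replay_window_for(int is_ipcomp, uint8_t configured) {
    return is_ipcomp ? 0 : configured;
}

/* Sender side: the 4-byte IPComp header only has room for the low 16 bits. */
void ipcomp_build_header(uint32_t spi, uint8_t next_hdr, uint8_t out[4]) {
    out[0] = next_hdr; out[1] = 0;
    out[2] = (uint8_t)(spi >> 8); out[3] = (uint8_t)spi;
}

/* Receiver side: read the CPI; -1 if the buffer is shorter than the header. */
int ipcomp_parse_cpi(const uint8_t *pkt, size_t len, uint16_t *cpi) {
    if (pkt == NULL || len < 4) return -1;
    *cpi = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return 0;
}

/* 1 if a packet built for `spi` finds the SA stored under the same `spi`. */
int cpi_roundtrip_ok(uint32_t spi) {
    uint8_t hdr[4]; uint16_t cpi;
    ipcomp_build_header(spi, 4 /* IP-in-IP */, hdr);
    return ipcomp_parse_cpi(hdr, sizeof hdr, &cpi) == 0 && (uint32_t)cpi == spi;
}

int main(void) {
    struct spi_range r = ipcomp_spi_range();
    /* Constructed sample values, not taken from a real SAD. */
    printf("range %u-%u, window %u\n", (unsigned)r.min, (unsigned)r.max,
           (unsigned)replay_window_for(1, 4));
    printf("0x0001a2b3 -> %d, 0x1234 -> %d\n",
           cpi_roundtrip_ok(0x0001a2b3u), cpi_roundtrip_ok(0x1234u));
    return 0;
}
```

A value wider than 16 bits loses its upper bytes on the wire and no longer matches the stored SA, while any value inside the requested range survives the round trip.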

Discussion

  • Patch to fix IPComp CPI size and replay window size

  • alan johnson
    2004-11-19

    Logged In: YES
    user_id=943591

    kernel is 2.6.0

     
  • Logged In: NO

    It looks like this patch is in ipsec-tools. I reviewed the
    source in 0.5, and the fixes from this patch are in there.

     
  • Aidas Kasparas
    2005-05-13

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.