On 26.06.2018 17:52, Romain Gabet wrote:
Hi,
I think there is a problem with ipcomp: packets are compressed even
in some cases where compression does not reduce their size; as a
result they are rejected by the remote system.
Entire packet before compression (IPs are masked with ff):
0000 02 00 00 00 00 00 c3 55 00 00 00 00 45 00 00 9a
0010 a4 06 40 00 40 04 00 00 ff ff ff ff ff ff ff ff
0020 45 00 00 86 27 3c 40 00 40 06 45 c7 ff ff ff ff
0030 ff ff ff ff a7 92 14 51 82 86 6c 4f db 5b 47 c5
0040 80 18 01 00 3e 12 00 00 01 01 08 0a 6f 25 8a ef
0050 00 03 46 64 7b 22 74 63 70 22 3a 74 72 75 65 2c
0060 22 6f 6d 69 74 22 3a 30 2c 22 74 69 6d 65 22 3a
0070 31 30 2c 22 70 61 72 61 6c 6c 65 6c 22 3a 31 2c
0080 22 6c 65 6e 22 3a 31 33 31 30 37 32 2c 22 63 6c
0090 69 65 6e 74 5f 76 65 72 73 69 6f 6e 22 3a 22 33
00a0 2e 31 2e 33 22 7d
Data offset 0x20, data length 134 bytes.
Packet after compression:
0000 02 00 00 00 c6 c1 76 91 00 0c 00 00 45 00 00 9c
0010 a4 06 40 00 40 6c 00 00 ff ff ff ff ff ff ff ff
0020 04 00 c3 55 73 65 60 68 53 b7 71 60 70 60 73 3d
0030 7e 60 05 e3 3f ae 13 0c 8c cb 27 89 04 36 b5 e5
0040 f8 df 8e 76 3f da 20 c1 c8 60 27 c4 c0 c0 c8 c8
0050 c1 95 af da f5 9e 81 d9 2d a5 5a a9 24 b9 40 c9
0060 aa a4 a8 34 55 47 29 3f 37 b3 44 c9 ca 40 47 a9
0070 24 33 37 55 c9 ca 10 c8 2a 48 2c 4a cc c9 49 cd
0080 01 f2 74 94 72 52 f3 80 b4 b1 a1 81 b9 91 8e 52
0090 72 4e 66 6a 5e 49 7c 59 6a 51 71 66 3e 50 5c c9
00a0 58 cf 50 cf 58 a9 16 00
Data offset 0x20, data length 136 bytes, it's superior to uncompressed.
I use OpenBSD 6.3 generic and Linux + strongSwan 5.5.1 as remote
system. Everything works when ipcomp is disabled;
ipcomp only works when compressed packets size is inferior to
uncompressed.
Best regards.
Hello,
I think that I found the problem.
In "src/sys/netinet/ip_ipcomp.c" at line 590:

	if (rlen < crp->crp_olen) {
		/* Compression was useless, we have lost time. */
		crypto_freereq(crp);
		if (ipsp_process_done(m, tdb))
			ipcompstat_inc(ipcomps_outfail);
		NET_UNLOCK();
		return;
	}

When sizes are checked, the size of the IPCOMP header was forgotten and the
size must be smaller, in agreement with the RFC
(https://tools.ietf.org/html/rfc3173):
"2.2. Non-Expansion Policy
If the total size of a compressed payload and the IPComp header, as
defined in section 3, is not smaller than the size of the original
payload, the IP datagram MUST be sent in the original non-compressed
form."
I propose the following patch to correct the issue.
--- ip_ipcomp.c
+++ ip_ipcomp.c
@@ -587,7 +587,7 @@ ipcomp_output_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
/* Check sizes. */
- if (rlen < crp->crp_olen) {
+ if (rlen <= crp->crp_olen + IPCOMP_HLENGTH) {
/* Compression was useless, we have lost time. */
crypto_freereq(crp);
if (ipsp_process_done(m, tdb))
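Review bot: the "/* Check sizes. */" comment above the changed condition does not record why the test is now "<=" with "+ IPCOMP_HLENGTH"; suggest expanding it to cite RFC 3173 section 2.2 (compressed payload plus IPComp header must be smaller than the original payload) so the comparison is not simplified back later. The condition also relies on rlen being the original payload length and crp_olen the compressed length without the header, which this hunk does not show and should be confirmed against the lines above it. The hunk header announces 7 lines of context but only 6 are present and the leading whitespace is gone, so the diff as posted may not apply; please resend it unmangled.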
Best regards.
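
The RFC 3173 non-expansion rule applied to the sizes reported in this thread, as an added example that is not code from the thread or from OpenBSD. The function names and IPCOMP_HDR_LEN are hypothetical; the mapping of rlen to the original length and crp_olen to the compressed length is an assumption drawn from the "Compression was useless" comment, and the 136 bytes at offset 0x20 are read as including the 4-byte IPComp header (04 00 c3 55).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPCOMP_HDR_LEN 4 /* RFC 3173 section 3: next header, flags, CPI */

struct ipcomp_hdr {
	uint8_t next_header; /* protocol of the compressed payload */
	uint8_t flags;
	uint16_t cpi;        /* Compression Parameter Index */
};

/* Parse the header in front of the payload; -1 if the buffer is short. */
int parse_ipcomp_hdr(const uint8_t *buf, size_t len, struct ipcomp_hdr *h)
{
	if (len < IPCOMP_HDR_LEN)
		return -1;
	h->next_header = buf[0];
	h->flags = buf[1];
	h->cpi = (uint16_t)((buf[2] << 8) | buf[3]);
	return 0;
}

/* Condition as quoted from ip_ipcomp.c: header ignored, strict '<'. */
int useless_before(size_t orig_len, size_t comp_len)
{
	return orig_len < comp_len;
}

/* RFC 3173 2.2: compress only if payload + header is smaller than original. */
int useless_rfc3173(size_t orig_len, size_t comp_len)
{
	return orig_len <= comp_len + IPCOMP_HDR_LEN;
}

int main(void)
{
	/* First bytes at offset 0x20 of the "after compression" dump. */
	const uint8_t wire[] = { 0x04, 0x00, 0xc3, 0x55, 0x73, 0x65 };
	size_t orig = 134, comp = 136 - IPCOMP_HDR_LEN; /* lengths from the report */
	struct ipcomp_hdr h;

	if (parse_ipcomp_hdr(wire, sizeof(wire), &h) != 0)
		return 1;
	printf("next=%u cpi=0x%04x before=%d rfc3173=%d\n", (unsigned)h.next_header,
	    (unsigned)h.cpi, useless_before(orig, comp), useless_rfc3173(orig, comp));
	return 0;
}
```

With the reported sizes the quoted condition lets the 136-byte compressed form through, while the RFC condition falls back to the 134-byte original.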