Article 1010 at 08/12/03 12:41:01 From: akisada@tahi.org Subject: [users:01010] Re: [ipsec]could you help me explain where problem is for aes-ctr of ESP

Index: [Article Count Order] [Thread]
Date: Wed, 3 Dec 2008 12:40:46 +0900
From: Yukiyo Akisada <akisada@tahi.org>
Subject: [users:01010] Re: [ipsec]could you help me explain where problem is for aes-ctr of ESP
To: users@tahi.org
Cc: wang_jiabo <jiabwang@redhat.com>
Message-Id: <20081203124046.cf755939.akisada@tahi.org>
In-Reply-To: <49335BCE.3080505@redhat.com>
References: <49335BCE.3080505@redhat.com>
X-Mail-Count: 01010

Wang,

AES-CTR on FreeBSD has a bug.
I found it when FreeBSD was 6.1-RELEASE.

Because KAME also had the same problem,
I reported it to KAME project.

KAME finally decide to remove AES-CTR from their code,
but FreeBSD contiues to use AES-CTR.

The problem is that FreeBSD is required 16-bytes allignment,
but RFC required only 4 bytes allignment.

In order to know the detail,
please find the thread started from (KAME-snap 9501)
at <http://orange.kame.net/snap-users/mail-list.cgi>.

Thanks,


On Mon, 01 Dec 2008 11:36:46 +0800
wang_jiabo <jiabwang@redhat.com> wrote:

> Hello, all:
> following is my setkey configration. I can get SAD and SPD. but when I 
> run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD
> FreeBSD report:  kernel: esp_aesctr_decrypt aes-ctr:payload length must 
> be multiple of 16
>                              kernel: decrypt fail in IPv6 ESP input : 
> SA(SPI 8192 src=3ffe:0501:ffff:0103:020a:ebff:fe85:9e56  
> dst=3ffe:0501:ffff:0104:021d:0fff:fe19:59fc)
> but when I  use "ping6  -I rl0  -s 4(or 6 or 20)  
> 3ffe:501:ffff:103:20a:ebff:fe85:9e56"
>  that the report  disappear. I read RFC, did not find the explain. could 
> you give me a explain?
> Thanks
> 
> 
> 
> on RedHat (ipsec-tools 0.6.5)
> #!/sbin/setkey -f
> flush;
> spdflush;
> add 3ffe:501:ffff:104:21d:fff:fe19:59fc 
> 3ffe:501:ffff:103:20a:ebff:fe85:9e56 esp 0x1000 -m transport -E aes-ctr 
> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
>  spdadd 3ffe:501:ffff:104:21d:fff:fe19:59fc 
> 3ffe:501:ffff:103:20a:ebff:fe85:9e56 any -P in ipsec 
> esp/transport//require;
>  add 3ffe:501:ffff:103:20a:ebff:fe85:9e56  
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E aes-ctr 
> "ipv6readylogoaes1to2" -A hmac-sha1 "ipv6readylogsha11to2";
>  spdadd 3ffe:501:ffff:103:20a:ebff:fe85:9e56  
> 3ffe:501:ffff:104:21d:fff:fe19:59fc any -P out ipsec 
> esp/transport//require;
>                       
> on FreeBSD6.3(ipsec-tools 0.7, using 0.6.6, problem keep still )
> flush;
> spdflush;
> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56 
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E aes-ctr 
> "ipv6readylogoaes1to2" -A hmac-sha1 "ipv6readylogsha11to2";
> spdadd 3ffe:501:ffff:103:20a:ebff:fe85:9e56 
> 3ffe:501:ffff:104:21d:fff:fe19:59fc any -P in ipsec esp/transport//require;
> add 3ffe:501:ffff:104:21d:fff:fe19:59fc 
> 3ffe:501:ffff:103:20a:ebff:fe85:9e56 esp 0x1000 -m transport -E aes-ctr 
> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
> spdadd 3ffe:501:ffff:104:21d:fff:fe19:59fc 
> 3ffe:501:ffff:103:20a:ebff:fe85:9e56 any -P out ipsec 
> esp/transport//require;
> 
> 
> 


-- 
Yukiyo Akisada <akisada@tahi.org>