Bug 441714
| Summary: | Racoon fails to create loopback SAs using existing SPD configuration | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Paul Moore <paul.moore> | ||||||||
| Component: | ipsec-tools | Assignee: | Tomas Mraz <tmraz> | ||||||||
| Status: | CLOSED CANTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | high | ||||||||||
| Version: | 5.3 | CC: | adaora.onyia, bzeranski, cward, herbert.xu, herrold, iboverma, joe, jon.wallace, latten, linda.knippers, ltcgcw, rick.hester, riek, sgrubb, tao, tmraz | ||||||||
| Target Milestone: | rc | Keywords: | OtherQA, Regression | ||||||||
| Target Release: | 5.5 | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2010-02-16 15:31:59 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 499522, 533192 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Paul Moore
2008-04-09 16:43:30 UTC
Created attachment 301847 [details]
Racoon configuration [/etc/racoon/racoon.conf]
Created attachment 301848 [details]
SPD entries [setkey -f setkey.loopback]
I will try and take a look at this during the weekend or Monday. I can confirm the loopback ipsec failures on RH5.2. We are also seeing very serious loopback/local IP SA creation issues on rawhide. Some loopback/local IP SA creations are fast, some take minutes. The machine is idle during the wait, so it looks like some sort of race condition. Created attachment 303871 [details]
Working racoon.conf for rawhide
The attached racoon.conf works in rawhide. 192.168.20.101 is the IP address of
eth0. If hmac_sha1 is changed to non_auth in the two ip specific sainfo
clauses, no associations form. Loopback SA creation performance is poor.
The configuration above generates 2 SAs for each unique type/context. One is unused (by byte count). Joe, what version of ipsec-tools do you have when it works? The version of ipsec-tools in rhel5u2 appears to the be same version we included in our evaluation (updated from rhel5) so now I'm confused about what's different. Have you been using the rhel5 version (0.6.5-6) or the one we evaluated (0.6.5-8)? I tried this in RHEL5.2 snap6, IBM LSPP config and it worked ok with Paul's ipsec config files. The version of racoon is ipsec-tools-0.6.5-9.el5. Paul, I am investigating the error message you got... according to the code, the kernel failed to update the SA and sent an ENOENT... but I am baffled as to where the ENOENT came from when doing an update so I need to look some more at kernel code. I think the racoon code is the same from when I first added the change for LSPP. I had hard-coded the attributes since it was a late patch and wanted to clean it up but just never got the time. Joe, were you seeing the same problems in RHEL5.0? This is odd since the userspace code should be exactly the same... Joy, I'm puzzled by that too. Is there any difference in the kernel code? Sounds like the attributes are still hard-coded in the user-space code? I haven't looked at the latest snap but snap3 has 0.6.5-8 so what's new in -9? RHEL5.0 and 5.1 were fine. This is from a 5.1 VM:
[root@laptop ~]# !setk
setkey -D | grep context:
security context: system_u:system_r:jcdx_qp_t:s0-s15:c0.c1023
security context: system_u:system_r:inetd_t:s0-s15:c0.c1023
security context: system_u:system_r:jcdx_qc_t:s15:c0.c1023
security context: system_u:system_r:jcdx_qm_t:s0-s15:c0.c1023
security context: system_u:system_r:jcdx_qs_t:s0-s15:c0.c1023
security context: system_u:system_r:jcdx_qalertd_t:s15:c0.c1023
security context: system_u:system_r:jcdx_ebee_t:s5:c0.c511
security context: system_u:system_r:jcdx_ebe_t:s5:c0.c511
security context: system_u:system_r:jcdx_procmon_db_t:s15:c0.c1023
security context: system_u:system_r:jcdx_cen_mon_t:s15:c0.c1023
security context: system_u:system_r:jcdx_procmon_alerts_t:s15:c0.c1023
security context: system_u:system_r:jcdx_qm_t:s15:c0.c1023
security context: system_u:system_r:jcdx_uniquenum_t:s5:c0.c511
security context: system_u:system_r:jcdx_hta_t:s5:c0.c511
security context: system_u:system_r:jcdx_dirchan_t:s5:c0.c511
security context: system_u:system_r:jcdx_jetsindex_t:s5:c0.c511
security context: system_u:system_r:jcdx_ped_t:s0-s5:c0.c511
security context: system_u:system_r:jcdx_imf_t:s5:c0.c511
security context: system_u:system_r:jcdx_ocm_t:s5:c0.c511
security context: system_u:system_r:jcdx_olog_t:s5:c0.c511
security context: system_u:system_r:jcdx_qp_t:s15:c0.c1023
security context: system_u:system_r:jcdx_icm_t:s5:c0.c511
security context: system_u:system_r:jcdx_ilog_t:s5:c0.c511
security context: system_u:system_r:inetd_t:s15:c0.c1023
security context: system_u:system_r:jcdx_qs_t:s15:c0.c1023
security context: system_u:system_r:jcdx_tagd_t:s5:c0.c511
security context: system_u:system_r:jcdx_tdbm_t:s5:c0.c511
security context: system_u:system_r:jcdx_tagd_t:s0-s5:c0.c511
security context: system_u:object_r:jcdx_mtdb_t:s0-s5:c0.c511
security context: system_u:system_r:jcdx_tdbm_t:s5:c0.c511
security context: system_u:system_r:ntpd_t:s0-s15:c0.c1023
security context: system_u:system_r:sshd_t:s0-s15:c0.c1023
[root@laptop ~]# setkey -D | grep context: | wc -l
32
[root@laptop ~]# rpm -q ipsec-tools
ipsec-tools-0.6.5-8.el5
[root@laptop ~]# rpm -q kernel
Note the 1 SA per type/level.
rpm -q kernel for above kernel-2.6.18-53.1.14.el5 [root@xw4100 ~]# more /etc/redhat-release
Red Hat Enterprise Linux Client release 5.2 Beta (Tikanga)
[root@xw4100 ~]# setkey -D
127.0.0.1 127.0.0.1
esp mode=transport spi=66680689(0x03f97771) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Apr 28 18:35:13 2008 current: Apr 28 18:35:35 2008
diff: 22(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
security context doi: 1
security context algorithm: 1
security context length: 49
security context: system_u:system_r:jcdx_talertd_t:s0-s15:c0.c1023
sadb_seq=0 pid=11517 refcnt=0
[root@xw4100 ~]# rpm -q ipsec-tools
ipsec-tools-0.6.5-8.el5
[root@xw4100 ~]# rpm -q kernel
kernel-2.6.18-84.el5
This seems like a regression in kernel as evident from comments #15, #16, and #17. The difference between RHEL-5 ipsec-tools version and current Fedora (rawhide) is that the loopback patch in current RHEL-5 ipsec-tools automatically creates the loopback SAs without the full ISAKMP negotiation. The rawhide patch just allows to complete the regular negotiation of the racoon with itself. But I wouldn't be surprised that the rawhide approach is racy. Have you been able to duplicate the problem? I am trying to reproduce the problem just now and unfortunately I was not able to reproduce it on the RHEL-5.2 kernel: Linux 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:15 EDT 2008 I will port the loopback patch from RHEL-5 to rawhide ipsec-tools version to try it there. Updating PM score. Reporter, are you still able to reproduce the problem with 5.3 kernel & ipsec-tools versions? Not immediately. I'll have to build a RH5.3 system. We've been using Fedora 10 lately. Unfortunately I was not able to reproduce the problem and I do not have enough necessary information to do so and fix the bug. |