Bug 363511 - TAHI--IPSECv6--When having IPsecv6 tests, TN received echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT)
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
5.0
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Blocks: 253764
Reported: 2007-11-02 04:57 EDT by Zhiyong Wu
Modified: 2009-06-15 07:48 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-31 07:08:31 EDT
Attachments
the test result about ipsec Discard, ESP=3DES-CBC HMAC-SHA1, (38.53 KB, text/html), 2008-05-06 05:43 EDT, shangyanfeng
ps format result (353.97 KB, application/octet-stream), 2008-05-08 00:55 EDT, shangyanfeng

Description Zhiyong Wu 2007-11-02 04:57:12 EDT
Description of problem:

  When having ipsecv6 tests for the software gateway mode, we found that TN received echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT) in some scenarios.

Version-Release number of selected component (if applicable):

  kernel-2.6.18-43.el5

Software Environment:   
  Testee(NUT):   
    RHEL5 
    Kernel:2.6.18-43.el5 
   
  Tester(TN):   
    FreeBSD6.2
    v6eval-3.0.12.tar.gz
   
TAHI package:    
  IPsec_Self_Test_P2_1-1-1.tar.gz

How reproducible:
  every time

Steps to Reproduce:    
  1. Configure TAHI test environment.     
  2. Run the TAHI test suite     
  3. After the test completes, check for the results 
  
Actual results:

   TN should receive no echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT)

Expected results:

   TN received echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT) 

Additional info:
  
   please refer to 

http://focus.brisbane.redhat.com/~zwu/ipsec_sgw/20071022/IPsec_Self_Test_P2_1-1-1_sgw/ipsec.p2/index.html

   (1) 11	6.1.9 Discard, ESP=3DES-CBC HMAC-SHA1
Comment 1 Zhiyong Wu 2007-11-02 05:22:05 EDT
   Also about it:

   when NUT is set to the host mode,

   pls refer to the url below:

http://focus.brisbane.redhat.com/~zwu/ipsec_endnode/20071028/IPsec_Self_Test_P2_1-1-1_end_node/ipsec.p2/index.html

   (1) 9	5.1.7 Discard, ESP=3DES-CBC HMAC-SHA1
Comment 3 Zhiyong Wu 2008-02-20 04:17:16 EST
The test case still fails on RHEL5.2.

for more details, pls refer to 

http://focus.brisbane.redhat.com/~zwu/RHEL5.2-Server-20080212.0/20080220/IPsec_Self_Test_P2_1-1-2_end_node/ipsec.p2/9.html
Comment 6 shangyanfeng 2008-05-06 05:43:04 EDT
Created attachment 304614
the test result about ipsec Discard, ESP=3DES-CBC HMAC-SHA1,

this is the test for RHEL520430
ipsec-tools-0.6.5-9.el5 kernel 2.6.18-92.el5 on an i686
Comment 7 Lawrence Lim 2008-05-07 11:08:36 EDT
Thomas,
Is the discard policy supported in the kernel?

Discard, ESP=3DES-CBC HMAC-SHA1
Comment 8 Thomas Graf 2008-05-07 11:31:02 EDT
Yes, although it is blocked not discarded. This test fails because the command
invoked to configure the discard policy does not succeed due to a syntax error
in the selector. It's a bug in either ipsec-tools or the test script.
Comment 9 Lawrence Lim 2008-05-07 23:50:42 EDT
Thanks Thomas.
Moving to ipsec-tools based on Comment #8 for further review. FYI. Discard is
one of the required options in IPSec conformance.
Comment 10 shangyanfeng 2008-05-08 00:55:09 EDT
Created attachment 304833
ps format result

the test result about ipsec Discard, ESP=3DES-CBC HMAC-SHA1,

this is the test for RHEL520430
ipsec-tools-0.6.5-9.el5 kernel 2.6.18-92.el5 on an i686
Comment 14 Red Hat Bugzilla 2008-07-07 21:24:08 EDT
Adding yshao@redhat.com to the cc list as the manager of the disabled user zwu@redhat.com who reported this bug
Comment 17 Tomas Mraz 2008-07-31 07:08:31 EDT
This is a bug in the test scripts. The spdadd any any any -P in discard command
to setkey is wrong.

The correct specification of any IPv6 address is ::/0 thus the command should be:

spdadd ::/0 ::/0 any -P in discard

For any IPv4 address you should use 0.0.0.0/0

Note that discard means the packets will be discarded, so the machine will
not be reachable over the network anymore, so I am curious how these test scripts
are supposed to work.
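
A pre-flight check for the selector mistake identified in comment 17, as an added example that is not part of the original report, the TAHI scripts or ipsec-tools: it reads setkey input and flags spdadd lines whose source or destination is not a numeric address range. The names lint_spdadd, parse_range and SAMPLE are hypothetical, and the check assumes numeric addresses only, covering a simplified subset of setkey's selector grammar.

```python
import ipaddress
import re

# Constructed sample, not from the TAHI scripts; line 1 is the command from the bug.
SAMPLE = """\
spdadd any any any -P in discard;
spdadd ::/0 ::/0 any -P in discard;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in discard;
spdadd ::/0 0.0.0.0/0 any -P in discard;
"""

# Simplified subset of setkey's range syntax: address[/prefixlen][[port]]
RANGE = re.compile(r"^(?P<addr>[^\[\]]+)(?:\[\w+\])?$")


def parse_range(token):
    """Return an ip_network for a src/dst range token, or None if invalid."""
    m = RANGE.match(token)
    if not m:
        return None
    try:
        return ipaddress.ip_network(m.group("addr"), strict=False)
    except ValueError:
        return None


def lint_spdadd(text):
    """Return (line_no, message) findings for unusable spdadd selectors."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].rstrip("; \t").split()
        if not fields or fields[0] != "spdadd":
            continue
        args = fields[1:]
        while args and re.fullmatch(r"-[46n]+", args[0]):
            args.pop(0)  # option flags that may precede the selector
        if len(args) < 2:
            continue
        src, dst = parse_range(args[0]), parse_range(args[1])
        for role, tok, net in (("source", args[0], src), ("destination", args[1], dst)):
            if net is None:
                findings.append((no, f"{role} '{tok}': use ::/0 (IPv6) or 0.0.0.0/0 (IPv4)"))
        if src is not None and dst is not None and src.version != dst.version:
            findings.append((no, "address families differ; selector matches nothing"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_spdadd(SAMPLE):
        print(f"line {no}: {msg}")
```

Running a check like this before feeding the file to setkey catches the case described in comment 8, where the policy command fails and the discard policy is never installed.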
