[Click] IPsec on Click 1.8 leads system crashes

Dimitris Syrivelis jsyr at inf.uth.gr
Sat Aug 13 02:26:59 EDT 2011


Hi Ahmed,

  You are using the second output port of RadixIPsecLookup illegally.
In simple_ipsec.click you missed the usage description that
precedes the RadixIPsecLookup entry:

"IP routing table. The 0,1,2 outputs are _reserved_ for the described usage
below in RadixIPsecLookup:
0: packets for this machine that may belong to an IPsec tunnel (if they don't
the RadixIPsecLookup code changes outgoing port to number 2 below)
1: packets for 18.26.8 via corresponding gateway (18.26.4.1) with which there
is an IPsec tunnel.
2: packets for this machine which cannot belong to IPsec tunnel (because they
originate from a 18.26.7). This port must be connected to linux stack"

Dimitris


> Hi Dimitris,
>
> I tried to use RadixIPsecLookup to include the required keys as follows:
>
> rt::RadixIPsecLookup(10.0.2.0/24 10.0.2.1 0,
>                                10.0.1.0/24 10.0.1.250 1 234
> ABCDEFFF001DEFD2354550FE40CD708E 112233EE556677888877665544332211 300 64);
>
>>
>>
>> pd00 :: PollDevice(eth5, PROMISC true) -> Strip(14) ->
>>
>> CheckIPHeader(INTERFACES 10.0.1.0/24)
>>      -> [0]rt;
>>
>> rt[1] -> IPsecESPEncap()
>>
>> -> IPsecAuthHMACSHA1(0)
>> -> IPsecAES(1)
>> -> IPsecEncap(50)
>> -> EtherEncap(0x0800,1:1:1:1:1:1,2:2:2:2:2:2) -> q00 :: CPUQueue(1000) ->
>> counter00 :: AverageCounter() -> td00 :: ToDevice(eth4);
>> StaticThreadSched(pd00 0, td00 0);
>> Idle -> ToDevice(eth5);
>> rt[0]-> Discard;
>
> But I got the following error message:
> ahmed/aes.click:2: While configuring 'rt :: RadixIPsecLookup':
>  argument 2 should be 'ADDR/MASK [GATEWAY] OUTPUT'
> Router could not be initialized!
>
> I used the same syntax as in the example. Am I missing something here?
>
> Thanks and Regards,
> Ahmed
>
> On Fri, Aug 12, 2011 at 6:52 PM, ahmed A. <amego83 at gmail.com> wrote:
>
>> Hi Dimitris,
>>
>> I tried to use RadixIPsecLookup to include the required keys as follows:
>>
>> rt::RadixIPsecLookup(10.0.2.0/24 10.0.2.1 0,
>> 10.0.1.0/24 10.0.1.250 1 234 ABCDEFFF001DEFD2354550FE40CD708E 112233EE556677888877665544332211 300 64);
>>
>> //pd00 :: FromDevice(eth5, PROMISC true) -> Strip(14) ->
>> pd00 :: PollDevice(eth5, PROMISC true) -> Strip(14) ->
>> //sisa0 :: SetIPsecAnno(234, ABCDEFFF001DEFD2, 112233EE55667788, 300, 64)
>> CheckIPHeader(INTERFACES 10.0.1.0/24)
>>      -> [0]rt;
>>
>> rt[1] -> IPsecESPEncap()
>>
>> -> IPsecAuthHMACSHA1(0)
>> -> IPsecAES(1)
>> -> IPsecEncap(50)
>> -> EtherEncap(0x0800,1:1:1:1:1:1,2:2:2:2:2:2) -> q00 :: CPUQueue(1000) ->
>> counter00 :: AverageCounter() -> td00 :: ToDevice(eth4);
>> StaticThreadSched(pd00 0, td00 0);
>> Idle -> ToDevice(eth5);
>> rt[0]-> Discard;
>>
>> On Fri, Aug 5, 2011 at 9:01 AM, Dimitris Syrivelis <jsyr at inf.uth.gr> wrote:
>>
>>> Hi,
>>>
>>> There is a .click  example file on IPsec:
>>>   http://www.read.cs.ucla.edu/click/examples/simple-ipsec.click
>>> There is also a small documentation on how it is implemented:
>>>   http://www.read.cs.ucla.edu/click/docs/ipsec-doc
>>>
>>>  In your config I see that you get raw ethernet frames from
>>> device and you attempt to directly encrypt them. IPsec implements
>>> layer 3 secure tunnels between gateways with agreed keys. You
>>> need RadixIPsecLookup in your flow to define keys and tunnel
>>> end points.
>>> A guess about your crashing is that, since your encryption key
>>> tuples do not exist (they are defined in RadixIPsecLookup), the
>>> IPsec elements fail to retrieve a valid tuple
>>> pointer from the annotation space, and this results in a segfault.
>>>
>>> Dimitris
>>>
>>>
>>>
>>> > You should provide the list with the console output to see where the
>>> > crash occurs.  One of the best ways is to set up a serial console and look
>>> > at the logs on another machine to see where the crash occurs.
>>> >
>>> > Roman
>>> >
>>> > On Thu, 4 Aug 2011 16:33:15 +0200 "ahmed A." <amego83 at gmail.com> wrote
>>> >
>>> >> Hi,
>>> >>
>>> >> I am trying to run IPsec (just the encryption-side) with Click using a
>>> >> simple configuration file, but as soon as I install the configuration
>>> >> file and start receiving packets, my system crashes.
>>> >> Also, when I install the configuration file, I got the following
>>> >> warning:
>>> >>
>>> >> # click-install ahmed/ipsec.click
>>> >> ahmed/ipsec.click:7: While configuring 'IPsecEncap at 6 :: IPsecEncap':
>>> >>   warning: IP header unaligned, cannot use fast IP checksum
>>> >>   (Try passing the configuration through 'click-align'.)
>>> >>
>>> >> my configuration file is as follows:
>>> >>
>>> >> pd00 :: FromDevice(eth5, PROMISC true) -> Strip(14)
>>> >> ->  IPsecESPEncap()
>>> >> -> IPsecAuthHMACSHA1(0)
>>> >> -> IPsecAES(1)
>>> >> -> IPsecEncap(50)
>>> >>
>>> >> -> EtherEncap(0x0800,1:1:1:1:1:1,2:2:2:2:2:2) -> q00 :: CPUQueue(1000) ->
>>> >> counter00 :: AverageCounter() -> td00 :: ToDevice(eth4);
>>> >>
>>> >> StaticThreadSched(pd00 0, td00 0);
>>> >>
>>> >> Idle -> ToDevice(eth5);
>>> >>
>>> >>
>>> >> I used click-align but I got the same system crashes too.
>>> >>
>>> >> If anyone can provide an example of how to use Click IPsec, that will
>>> >> be very useful for me. And any help or tips would be appreciated.
>>> >>
>>> >> Regards,
>>> >> Ahmed
>>> >> _______________________________________________
>>> >> click mailing list
>>> >> click at amsterdam.lcs.mit.edu
>>> >> https://amsterdam.lcs.mit.edu/mailman/listinfo/click
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>
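
A pre-flight check for the RadixIPsecLookup route arguments discussed in this thread, added here as an example and not taken from the thread or from Click. It assumes the entry shape seen in the messages above (ADDR/MASK, optional gateway, output port, then for a tunnel an integer, two 32-hex-digit keys and two integers) and that tunnel entries belong on output 1, per the quoted port description; the function names and sample routes are constructed.

```python
import ipaddress
import re

HEX128 = re.compile(r"^[0-9A-Fa-f]{32}$")   # 128-bit key written as 32 hex digits

def check_route(arg):
    """Return a list of problems for one RadixIPsecLookup route argument."""
    tok = arg.split()
    if not tok:
        return ["empty route argument"]
    try:
        ipaddress.ip_network(tok[0], strict=False)
    except ValueError:
        return [f"{tok[0]!r} is not ADDR/MASK"]
    rest, gateway, problems = tok[1:], None, []
    # Optional gateway: a dotted quad that comes before the output port number.
    if rest and rest[0].count(".") == 3:
        gateway, rest = rest[0], rest[1:]
    if not rest or not rest[0].isdigit():
        return ["missing OUTPUT port number"]
    port, tunnel = int(rest[0]), rest[1:]
    if tunnel:
        # Assumed tunnel layout, as seen in the thread: int, key, key, int, int.
        shape = (str.isdigit, HEX128.match, HEX128.match, str.isdigit, str.isdigit)
        if len(tunnel) != 5:
            problems.append(f"expected 5 tunnel fields, got {len(tunnel)}")
        else:
            for n, (field, ok) in enumerate(zip(tunnel, shape), 1):
                if not ok(field):
                    problems.append(f"tunnel field {n} has the wrong format")
        if port != 1:
            problems.append(f"tunnel fields on output {port}; output 1 is the tunnel port")
        if gateway is None:
            problems.append("tunnel route without a gateway")
    elif port == 1:
        problems.append("output 1 is reserved for tunnel routes but no tunnel fields given")
    return problems

def check_lookup(config_args):
    """Map each route argument (split on commas) to its problems, if any."""
    routes = [a.strip() for a in config_args.split(",")]
    return {r: p for r in routes if (p := check_route(r))}

# Constructed sample: the 10.0.3.0/24 route has a key broken by stray whitespace,
# and the 10.0.4.0/24 route uses output 1 without any tunnel fields.
SAMPLE = """10.0.2.0/24 10.0.2.1 0,
 10.0.1.0/24 10.0.1.250 1 234 ABCDEFFF001DEFD2354550FE40CD708E 112233EE556677888877665544332211 300 64,
 10.0.3.0/24 10.0.3.250 1 235 ABCDEFF F001DEFD2354550FE40CD708E 112233EE556677888877665544332211 300 64,
 10.0.4.0/24 1"""
```

`check_lookup(SAMPLE)` reports only the last two routes; this is a sanity check on the text of the configuration and does not reproduce Click's own argument parser.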



