Issue #3564

Out of order packets are generated if strongSwan is running on multiple cores

Added by Sai Prashanth Ramanathan 3 months ago. Updated 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
kernel
Affected version:
5.8.4
Resolution:

Description

Issue: We are seeing "Out of Order" packets when strongSwan is launched with 18 cores.

The "Out of Order" packets issue is not seen when strongSwan is launched with 1 core.

Environment: Ubuntu
IPsec endpoints: strongSwan and SRX 4600

root@regress:/home/regress# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

strongSwan runs on Ubuntu OS with 18 CPUs dedicated to strongSwan. When end-to-end traffic is pumped, strongSwan generates out of order packets. All the required outputs/logs/pcaps are attached.

The packets' sequence numbers are off by 500+ packets; below is a snippet of the capture, the complete one is in the attachment.

20:04:37.931956 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.931959 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932003 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480 <<<<<<<<<< 0x20f3a0bd and 0x20f3a0be are missing
20:04:37.932072 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932124 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932174 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932177 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932223 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932226 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932273 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932276 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932325 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932328 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932329 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932374 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932424 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932427 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932429 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932475 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932478 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932525 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932528 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932575 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932580 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932624 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932627 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.932628 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480

...

20:04:37.957739 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957740 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957785 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957787 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957834 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957837 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957886 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957888 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957890 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957935 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957986 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.957989 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958036 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958038 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958085 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958088 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958137 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958139 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958186 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958188 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.958238 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.960869 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480 >>>>>>>>>>>>>>>>>> off by 500+ packets
20:04:37.960918 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480 >>>>>>>>>>>>>>>>>> off by 500+ packets
20:04:37.960920 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.960967 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480
20:04:37.960970 IP 14.1.2.4 > 13.1.2.1: ESP, length 1480

When strongSwan is dedicated only 1 CPU, out of order packets are not generated.

Please let us know how to get strongSwan to send packets in order when it is running on multiple cores.

sswan_outputs.rtf (9.31 KB) Sai Prashanth Ramanathan, 15.09.2020 12:33
ss_gen_ooo_packets.txt (44.3 KB) Sai Prashanth Ramanathan, 15.09.2020 12:49

History

#1 Updated by Sai Prashanth Ramanathan 3 months ago

Required outputs attached: ipsec statusall / swanctl -l / iptables-save / ip route show table all / ip address

#2 Updated by Sai Prashanth Ramanathan 3 months ago

Capture on a middle VM (between strongSwan and SRX) which proves strongSwan generates out of order packets.

#3 Updated by Tobias Brunner 3 months ago

  • Category set to kernel
  • Status changed from New to Feedback
  • Priority changed from High to Normal

Issue : We are seeing "Out of Order" packets when strong swan is launched with 18 cores.

First, strongSwan only handles IKE, it does not handle ESP/traffic, the Linux kernel does. So if you think something should be changed, contact the kernel developers (netdev mailing list).

However, IPsec has the same semantics as IP: there is no ordering and delivery is not guaranteed. The sequence numbers are only used to prevent replay attacks, not to order packets or for retransmits etc.
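
To illustrate the point about sequence numbers, here is an added example (not strongSwan or Linux kernel code) that models the RFC 4303 anti-replay sliding window on constructed arrival orders: reordering within the window is accepted, a duplicate is rejected as a replay, and a packet delayed further than the window (the report's 500+ offset against RFC 4303's default 64-packet window) is dropped as too old unless the receiver's window is widened. The arrival orders and window sizes are constructed for the example.

```python
"""Anti-replay sliding window per RFC 4303 Appendix A (added illustration)."""

WINDOW_SIZE = 64  # RFC 4303 default; implementations must support at least 32


class AntiReplayWindow:
    """Highest sequence number seen plus a bitmap of the last `size` numbers."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq):
        """Return 'accepted', 'replay' or 'too_old' for one incoming sequence number."""
        if seq == 0:
            return "replay"  # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            # Right of the window: slide it forward and mark the new top as seen.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.top = seq
            return "accepted"
        diff = self.top - seq
        if diff >= self.size:
            return "too_old"  # left of the window: cannot be checked, so dropped
        if self.bitmap & (1 << diff):
            return "replay"   # inside the window but already received
        self.bitmap |= 1 << diff
        return "accepted"     # inside the window, first time seen: reordering is fine


def replay_arrival_order(arrivals, window=WINDOW_SIZE):
    """Feed an arrival order through a fresh window and count the verdicts."""
    w = AntiReplayWindow(window)
    counts = {"accepted": 0, "replay": 0, "too_old": 0}
    for seq in arrivals:
        counts[w.check_and_update(seq)] += 1
    return counts


# Constructed arrival orders: 3 and 4 arrive a few positions late; sequence 50
# arrives about 550 positions late, modelled on the 500+ offset in the report.
MILD_REORDER = [1, 2, 5, 6, 3, 4, 7]
DEEP_REORDER = [s for s in range(1, 601) if s != 50] + [50]

if __name__ == "__main__":
    print("mild reorder, window 64  :", replay_arrival_order(MILD_REORDER))
    print("deep reorder, window 64  :", replay_arrival_order(DEEP_REORDER))
    print("deep reorder, window 1024:", replay_arrival_order(DEEP_REORDER, window=1024))
```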

#4 Updated by Sai Prashanth Ramanathan 2 months ago

Thanks for the response Tobias.

I will reach out to kernel developers and seek their response.
