[Swan] /proc/sys/net/core/xfrm_larval_drop value

Matt Rogers mrogers at redhat.com
Fri Oct 11 22:42:36 EEST 2013 


----- Original Message -----
> From: "Paul Wouters" <paul at nohats.ca>
> To: "Tuomo Soini" <tis at foobar.fi>
> Cc: swan at lists.libreswan.org
> Sent: Friday, October 11, 2013 2:06:12 PM
> Subject: [Swan] /proc/sys/net/core/xfrm_larval_drop value
> 
> On Fri, 11 Oct 2013, Tuomo Soini wrote:
> 
> (adding swan list to discuss this issue)
> 
> >> echo 0 > /proc/sys/net/core/xfrm_larval_drop
> >
> > We should include this info to sysctl.conf sample we have...
> >
> > net.core.xfrm_larval_drop = 0
> 
> I'm not sure....
> 
> To recap for everyone, there is a problem when the larval value is set
> to 1, which is the modern default on kernels. You will see this issue
> when restarting libreswan:
> 
> ERROR: Module xfrm4_mode_transport is in use
> ERROR: Module esp4 is in use
> 
> The problem is that it can take up to 10 seconds for packets to arrive.
> This appears to be a problem in auto=route connections, those that are
> triggered on-demand.
> 
> The kernel XFRM maintainer/dev told us:
> 
>  	As far as I can see we still don't have any code for proper queueing on
>  	larval SAs so auto=route will drop packets until the SAs are in place.
>  	Now sometimes if the triggering even happened to be in a sleepable
>  	context everything will appear to work, but this is certainly not always
>  	going to be the case and may change from kernel version to kernel
>  	version on a whim.
> 
>  	It's happening is that your first TCP SYN packet triggers the IPsec
>  	lookup, however, the packet itself is dropped.  TCP then retransmits but
>  	it only gets through after the IPsec SAs are fully instated, resulting
>  	in the delay.
> 
>  	What happens in some kernels is that the IPsec trigger occurs in a
>  	sleepable context, which means that the sending process will wait for
>  	the IPsec SAs to be installed before sending the first SYN.  However,
>  	this was never meant to be a complete solution to supporting auto=route
>  	as it relies on the fact that there must be some sleepable context prior
>  	to the SYN packet being sent.
> 
>  	Evidently this is no longer the case
> 
>  	I will take this issue to the IPsec maintainer and the network
>  	maintainer to see if we can make adjustments to allow at least the TCP
>  	connection case to work with auto=route.  However, there is no guarantee
>  	that this will be done as we may not be able to insert the requisite
>  	sleepable context into the general network stack just so that IPsec
>  	auto=route can work.
> 
>  	Longer term for auto=route to be properly supported someone needs to
>  	implement packet queueing on larval SAs.
> 
> Now here is the problem. There is a workaround:
> 
>          echo 0 > /proc/sys/net/core/xfrm_larval_drop
> 
> This will ensure that the first retransmit of the SYN packet (+1s) should
> make
> it through, however it also causes connect() to return immediately on a
> non-blocking socket with an error.
> 
> So either way, badness is happening. Just a different kind of badness.
> Which one do we prefer?
> 
> The obvious solution is to have first+last packet caching with
> XFRM/NETKEY as we do in KLIPS. But we've been waiting on that for
> almost 10 years already.....
> 
> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 

I think that having xfrm_larval_drop set to 0 is more badness because of the connect() behavior.
I've seen first-hand where people designing applications that run over IPsec are unaware
of xfrm_larval_drop and connect()'s behavior turns into a frustrating surprise.

More information about the Swan mailing list