hifly
Visitor
4,662 Views
Registered: 08-23-2010

IPSEC ESP & fragmentation

We have noticed a problem with an IPSEC ESP tunnel between two ML507.

They are connected in one network and each has its own "safe" network.

IPSEC is encapsulating data from one "safe" network to another in ESP mode.

While sending bigger packets (like ping -n 2000) from a host in one "safe" network to another, a fragmentation error occurs.

The packet is well fragmented on the 1st host to meet its MTU requirement (2008B ICMP into 1514B and 562B).

The first packet (1514B) is encapsulated in two ESP packets (1514B and 114B). The second goes in one ESP packet (650B).

Probably the two fragments of the first packet are done wrong (they have different sequence id) and during de-capsulation the second one is dropped. The last ESP packet (650B) is received properly.

The problem can also be on the other ML507 device doing de-capsulation.

They both are PowerPC (big-endian) and we already found many bugs in Xilinx embedded Linux code involving big-endian architecture. It looks like the main kernel testing area is little-endian.

We use Linux 2.6.37 from git.xilinx.com.

The problem does not affect PC (x86/x86_64) little-endian.

So, this can be a Xilinx kernel problem or a network big-endian problem.

Help!

0 Kudos
3 Replies
hifly
Visitor
4,660 Views
Registered: 08-23-2010

And here is receiver capture file.

Don't know why, cannot attach two files at the same time...

0 Kudos
hifly
Visitor
4,658 Views
Registered: 08-23-2010

And from the sniffer in the middle...

0 Kudos
linnj
Xilinx Employee
4,619 Views
Registered: 09-10-2008

I don't really understand what you mean, as the PowerPC we support is big endian and that's what we tested on.

Little endian is on MicroBlaze only.

I don't know how well fragmentation is tested.

0 Kudos