Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-89969

Duplicate Child SAs causing IPsec broken for OCP cluster [RHEL-10]

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Critical Critical
    • rhel-10.2
    • rhel-10.1
    • libreswan
    • libreswan-5.3-4.el10
    • No
    • Critical
    • rhel-security-crypto-spades
    • ssg_security
    • 7
    • 28
    • 1
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • Crypto25-08, Crypto25-09, Crypto25-10, Crypto25-11, Crypto25-12, Crypto26-02, Crypto26-03
    • Approved Exception
    • Hide

      Consider the following scenario. Two sides of the connection, WEST and EAST, initiate connection simultaneously. Their IKE_AUTH request cross over the network.

      Suppose WEST is processing IKE_AUTH request from EAST.

      AC1) If WEST-initiated IKE SA is not yet established and has higher SPI than EAST-initiated IKE SA then WEST replies AUTHENTICATION_FAILED to EAST and continues establishing its own IKE SA.

      AC2) If WEST-initiated IKE SA is not yet established and has lower  or equal SPI than EAST-initiated IKE SA then WEST deletes its own IKE SA and continue by replying to IKE AUTH request from the EAST.

      AC3) If WEST-initiated IKE SA got established in a short time window then  WEST replies AUTHENTICATION_FAILED to EAST and continues establishing its own IKE SA.

      Show
      Consider the following scenario. Two sides of the connection, WEST and EAST, initiate connection simultaneously. Their IKE_AUTH request cross over the network. Suppose WEST is processing IKE_AUTH request from EAST. AC1) If WEST-initiated IKE SA is not yet established and has higher SPI than EAST-initiated IKE SA then WEST replies AUTHENTICATION_FAILED to EAST and continues establishing its own IKE SA. AC2) If WEST-initiated IKE SA is not yet established and has lower  or equal SPI than EAST-initiated IKE SA then WEST deletes its own IKE SA and continue by replying to IKE AUTH request from the EAST. AC3) If WEST-initiated IKE SA got established in a short time window then  WEST replies AUTHENTICATION_FAILED to EAST and continues establishing its own IKE SA.
    • Pass
    • Enabled
    • Automated
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      While testing IPsec with 250/500 node cluster, seeing traffic over IPsec tunnels are broken, it happens with few pair of nodes, caused by duplicate child SAs present on one end and corresponding SA not found on the other side.

      Slack thread: https://redhat-internal.slack.com/archives/C08DNAFC85T/p1745906230814439

      Libreswan upstream issue: https://github.com/libreswan/libreswan/issues/2184

      What is the impact of this issue to you?

      This is a kind of regression issue in OCP 4.19.0 on a scaled cluster, was not seen with Libreswan 4.6 in previous OCP releases.

      Please provide the package NVR for which the bug is seen:

      Libreswan 5.12

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1.  
      2.  
      3.  

      Expected results

      pod to pod connectivity should always work on a IPsec enabled cluster.

      Actual results

      pod to pod connectivity connectivity is broken.

              dueno@redhat.com Daiki Ueno
              pepalani@redhat.com Periyasamy Palanisamy
              Daiki Ueno Daiki Ueno
              Ondrej Moris Ondrej Moris
              Votes:
              1 Vote for this issue
              Watchers:
              17 Start watching this issue

                Created:
                Updated: