Date: Mon, 3 Nov 2014 15:18:56 +0800
From: Herbert Xu
To: Evan Gilman
Cc: steffen.klassert@secunet.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, mwoodson@redhat.com
Subject: Re: Sporadic ESP payload corruption when using IPSec in NAT-T Transport Mode
Message-ID: <20141103071856.GA28745@gondor.apana.org.au>

Evan Gilman wrote:
>
> I tried to find a reference to the previous report of aesni-intel
> causing IPSec corruption under Xen - I'd be interested to read it if
> anyone here has it on hand. For now, we are looking to blacklist
> aesni-intel as we have no other suitable solution, and when combined
> with our other bug, has a detrimental effect on our infrastructure.

Unfortunately the bug is marked as private but it's

https://bugzilla.redhat.com/show_bug.cgi?id=1085025

FWIW it was also observed on AWS. There is speculation that
switching to HVM may fix it. If that were the case, then it's
highly likely that this is a bug in the Xen paravirt code. It
would also mean that if you cannot switch over to HVM then the
most appropriate fix would be to not use aesni-intel.

Cheers,
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt