[Soekris] vpn1411 on NET4801 - SSH: Corrupted MAC on input
David Young
dyoung at pobox.com
Fri Nov 10 10:24:35 UTC 2006
On Wed, Nov 08, 2006 at 06:49:17PM -0500, Austin Murphy wrote:
> On 10/20/06, der Mouse <mouse at rodents.montreal.qc.ca> wrote:
> > But I know that when I used NetBSD on a 4801 with a 1411, I
> > got corrupted MAC on input crashes from ssh, which went away when I
> > removed the 1411. Maybe it wasn't, strictly, a hardware problem; I
> > don't know. But there definitely was a problem.
> >
> > This was a year or two back, back about the time I subscribed to this
> > list -
>
> I would like to add that I also get the dreaded "Corrupted MAC on
> input" with my 4801 + 1411 combination, both with OpenBSD 3.9 GENERIC
> and 4.0 GENERIC.
>
> I don't have the problem when I:
> - take the 1411 out of the 4801, or
> - select the blowfish cipher (which doesn't use the hifn chip in the
> 1411) on the SSH command line.
>
> Sometimes the error occurs only after a long session of spitting out
> data, but it frequently happens just after I login or after a few key
> strokes. Having someone else login at the same time tends to make it
> worse, but I can't really quantify it.
>
> Does *anyone* have a working 4801 + 1411 combo, where SSH uses the
> HiFn crypto accelerator?
>
> The error message seems to be specific to OpenSSH-on-OpenBSD. Does
> anyone have a similar problem with SSL or VPN connections or other
> OS's?

I saw "Corrupted MAC on input" just the other day. I had logged into a
NetBSD wireless router. No crypto accelerator was involved. I'd never
seen it before. I have not seen it since.

A friend tells me he saw that error quite often on Linux. His best
guess was that it happened in the (very!) rare event that a damaged
packet passed both the 802.11, IP, and TCP checksums.

OpenSSH could fail a bit more gracefully, discarding the particular
inputs that fail its integrity check, but sending a NACK, giving the
sender the opportunity to retry.

Dave

--
David Young OJC Technologies
dyoung at ojctech.com Urbana, IL * (217) 278-3933
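
The failure mode guessed at in the reply above (damage that slips past the TCP checksum and is then caught by SSH's MAC), sketched as an added example that is not part of the original post. It assumes a checksum over the payload only (no TCP header or pseudo-header), no encryption, HMAC-SHA1 as the MAC, and a constructed key and packet.

```python
import hashlib
import hmac
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement checksum (the kind IP and TCP use)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ssh_style_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """MAC(key, sequence_number || packet), the construction in RFC 4253 6.4."""
    return hmac.new(key, struct.pack("!I", seq) + packet, hashlib.sha1).digest()

def receive(key: bytes, seq: int, packet: bytes, csum: int, tag: bytes) -> str:
    """Apply the transport checksum first, then the SSH-layer MAC."""
    if internet_checksum(packet) != csum:
        return "dropped by checksum (TCP would retransmit)"
    if not hmac.compare_digest(ssh_style_mac(key, seq, packet), tag):
        return "Corrupted MAC on input"     # SSH tears the session down here
    return "accepted"

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange two 16-bit words; addition is commutative, so the sum is unchanged."""
    b = bytearray(data)
    b[2*i:2*i+2], b[2*j:2*j+2] = data[2*j:2*j+2], data[2*i:2*i+2]
    return bytes(b)

# Constructed sample values (assumptions, not taken from the thread).
KEY = b"constructed-demo-key"
SEQ = 7
PACKET = b"uptime: 12 days, load 0.10 0.08 0.05"
CSUM = internet_checksum(PACKET)
TAG = ssh_style_mac(KEY, SEQ, PACKET)

BIT_FLIP = bytes([PACKET[0] ^ 0x01]) + PACKET[1:]   # one damaged bit
WORD_SWAP = swap_words(PACKET, 0, 1)                # damage the checksum cannot see

if __name__ == "__main__":
    for name, pkt in [("intact", PACKET), ("bit flip", BIT_FLIP), ("word swap", WORD_SWAP)]:
        print(f"{name:9s} -> {receive(KEY, SEQ, pkt, CSUM, TAG)}")
```

A single flipped bit is caught by the checksum and never reaches SSH, while the reordered words sum to the same value and are rejected only at the MAC check.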