[Swan-commit] Changes to ref refs/heads/master

Antony Antony antony at vault.libreswan.fi
Thu May 10 23:10:26 UTC 2018


New commits:
commit 4ab2853a9e887cef89a71e3fc2de735121fa1b2e
Merge: 1e442f5 47abc56
Author: Antony Antony <antony at phenome.org>
Date:   Fri May 11 01:08:28 2018 +0200

    Merge branch 'ikev2-rekey'
    
    IKE SA rekeying, RFC7296 1.3.2, initiator
    IPsec SA rekeying, RFC7296 1.3.3, initiator
    IKE reauth=no|yes RFC7296 2.8.3 keyword

commit 47abc56316177bd679417619fc5ee5c07645951c
Author: Antony Antony <antony at phenome.org>
Date:   Fri May 11 01:05:25 2018 +0200

    copyright: for rekey merge

commit c8d1f974225833bc843fe4c9aa619f88c537ae0f
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 24 18:50:29 2018 +0000

    testing: ikev2 test fixes due to ike-rekey branch
    
    - some tests are redundant because they default to rekey now
    - other ones need change to description and comments reauth -> rekey
    - lots of state number changes with pluto's support of rekey

commit 543fc17b3961af4c9709090bf864dc2e7b9df8f9
Author: Antony Antony <antony at phenome.org>
Date:   Tue Dec 19 21:17:15 2017 +0100

    testing: ikev2 rekey new tests

commit 96f7ce8b0c75f0007783f546968ca82755fe22dc
Author: Antony Antony <antony at phenome.org>
Date:   Fri Apr 20 13:14:18 2018 +0200

    ikev2: drop the duplicate response to CREATE_CHILD_SA request, initiator
    
    crypto is busy processing the previous response, drop the new one.

commit b1db6fb611bf5a58f521ccd2163131626580cc83
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 10 17:03:55 2018 +0200

    ikev2: drop/handle retransmission CREATE_CHILD_SA requests on responder

commit 330e8e512c9960044aae7ddd3b805fe8ffee1132
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 4 18:01:05 2018 +0200

    ikev2: log possible message id deadlock
    
    If this gets logged too often, due to lost Liveness/DPD, we need a better fix
    to avoid message id deadlock.
    
    pluto is increasing message id for every Liveness/DPD.
    If a message/response is lost, the message should be retransmitted,
    without incrementing message id.
    This is possibly an invasive change, pluto may need separate buffers for tx and rx
    message. Current design is one tpacket, which stores request sent and
    response sent.

commit 7556e54c657e8df531cb6e37213122ff8ec24b8a
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 20 19:29:18 2018 +0100

    ikev2: initiate rekey, IKE SA and IPsec SA
    
    add RFC7296 1.3.2 initiator support
    add RFC7296 1.3.3 initiator support
    reauth=no|yes RFC7296 2.8.3 (initiate IKE SA reauthentication)

commit a14d8cf3cbfff30101c2f6d01d2174487ce48d1a
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 24 19:24:37 2018 +0100

    ikev2: flush incomplete IKE rekey initiator state.
    
    It has different cookies than the parent, reset past and give new start.

commit 0dd4d7ffe7a47b72981808b164bc85633277c561
Author: Antony Antony <antony at phenome.org>
Date:   Tue Dec 19 18:32:51 2017 +0100

    ikev2: get around null policy replacing

commit 5ef971bb85bc33e9ef064a7390de201224736f21
Author: Antony Antony <antony at phenome.org>
Date:   Mon Dec 18 22:47:10 2017 +0100

    ikev2: change the workaround 1b9125b35b8 to allow CREATE_CHILD_SA
    
    This commit's side effect is, it will catch any replacing IKEv2 IPsec SA
    and initiate new IKE. Which does not go well with CREATE_CHILD_SA IPsec rekey
    or IPsec SA sharing IKE SA
    
    I think CREATE_CHILD_SA support already fixed what 1b9125b35b8 fixed.

commit 033479c2ab1f3bdfa054a53896f7e242a2ec1144
Author: Antony Antony <antony at phenome.org>
Date:   Mon Dec 18 10:47:24 2017 +0100

    ikev2: extra check for responses

commit 2c5c790a95a85678578e497ca1672598ce2011c5
Author: Antony Antony <antony at phenome.org>
Date:   Fri Apr 20 14:43:59 2018 +0200

    ikev2: refactor v2N_CP and TS response processing

commit 161be58ed5c6a6c3ae47e0f6b06fcf755df81627
Author: Antony Antony <antony at phenome.org>
Date:   Mon Dec 18 18:07:36 2017 +0100

    ikev2: pick viable parent to initiate CREATE_CHILD_SA
    
    Before starting new CREATE_CHILD_SA check viability of the parent.
    Once the parent is about to expire, being renewed do not start new
    CREATE_CHILD_SA exchange.
    
    rekeymargin=0s is a corner case. You will need at least 2s
    maybe enforce it in add_conn?


