[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Thu Nov 22 21:33:01 UTC 2018
New commits:
commit 64ba880d537ded478f1b9cf09d445aeb9525f1ff
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Nov 22 14:42:21 2018 -0500
ikev2: explicitly exclude re-keyed IKE SA when migrating children
Because TO is a child of FROM (it hasn't yet been emancipated) it will
share FROM's hash slot and hence needs to be excluded (The old code
zapped TO.st_clonedfrom to 0 and then migrated the children, the new
code migrates the children and then emancipates TO zapping
.st_clonedfrom).
But things seem to work!?!
Right. It turns out that TO was hashed using the new IKE SPIs and not
the old. Consequently, in all probability, it won't share FROM's hash
slot.
But this violates the assumption that all of FROM's "children" (TO
hasn't been emancipated) are easy to find and, more importantly,
delete!
Right. In fact this is likely one reason why child states sometimes
lose their parent. For instance, the IKE SA re-key responder will
first hash the replacement using the new IKE SPIs and then suspend the
state while KE is performed. If the old IKE SA is then deleted,
the re-key state will be missed, only to later "barf" when it
discovers its parent has gone.
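
The failure mode the commit message describes, as an added toy model in C (not code from this commit or from libreswan): a family delete that only walks the parent's hash slot misses a re-key replacement that was hashed under the new IKE SPIs, leaving a live state whose parent is gone. Assumptions: apart from st_clonedfrom, the struct fields, the helper names, the slot function and the SPI values are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy state; only st_clonedfrom is a name taken from the commit message. */
struct state {
    unsigned serial, st_clonedfrom; /* st_clonedfrom: parent's serial, 0 if none */
    uint64_t spi_i, spi_r;          /* IKE SPIs the state was hashed under */
    int live;
};
static struct state states[8]; static int nstates;
/* Hypothetical slot function; the real hash is not shown in the commit. */
static unsigned slot_of(const struct state *st) {
    return (unsigned)((st->spi_i ^ st->spi_r) % 8);
}
static struct state *find(unsigned serial) {
    for (int n = 0; n < nstates; n++)
        if (states[n].serial == serial) return &states[n];
    return NULL;
}
static void add_state(unsigned serial, unsigned parent, uint64_t i, uint64_t r) {
    states[nstates++] = (struct state){ serial, parent, i, r, 1 };
}
/* Delete the parent and every child found in the parent's hash slot. */
static void delete_family(unsigned parent_serial) {
    struct state *p = find(parent_serial);
    if (p == NULL) return;
    for (int n = 0; n < nstates; n++)
        if (states[n].st_clonedfrom == parent_serial &&
            slot_of(&states[n]) == slot_of(p))
            states[n].live = 0;
    p->live = 0;
}
/* Count live states whose recorded parent is no longer live. */
static int count_orphans(void) {
    int orphans = 0;
    for (int n = 0; n < nstates; n++) {
        struct state *p = find(states[n].st_clonedfrom);
        if (states[n].live && p != NULL && !p->live) orphans++;
    }
    return orphans;
}
/* Constructed scenario: IKE SA #1, child SA #2, re-key replacement #3. */
int orphans_after_delete(int new_spis) {
    nstates = 0;
    add_state(1, 0, 0x11, 0x22);
    add_state(2, 1, 0x11, 0x22);
    add_state(3, 1, new_spis ? 0x35 : 0x11, new_spis ? 0x47 : 0x22);
    delete_family(1);
    return count_orphans();
}
```

Calling orphans_after_delete(1) models the re-key state hashed under the new SPIs and leaves one orphan; orphans_after_delete(0) hashes it under the old SPIs and leaves none.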