[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Thu Oct 25 17:39:12 UTC 2018
New commits:
commit 73cf70afaeff65aa6411239e6d66b8f0bd59a38d
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Oct 23 17:01:23 2018 -0400
ikev2: replace ikev2_need_*_proposals() with get_v2_*_proposals()

Three different proposals are generated. For the IKE SA:

    get_v2_ike_proposals()

and for the CHILD SA, because the proposals used during IKE_AUTH and
CREATE_CHILD_SA are invariably different (former never has DH, latter
can have IKE SA's DH):

    get_v2_ike_auth_child_proposals()
    get_v2_create_child_proposals()

The proposals are generated on-demand. They are cached in, and logged
against, the connection. It's assumed, for instance, that: a
connection, once created, doesn't change; and when multiple CHILD SA
connections share an IKE SA there's no good reason for generating IKE
proposals.

Because a CHILD SA's proposals, created for a CREATE_CHILD_SA
exchange, can depend on both the connection and the IKE SA's DH
algorithm, the DH algorithm used to generate the proposals is also
saved in the connection. The assumption is that, while technically
dynamic, it doesn't change often. The alternative is to save it in,
and copy it between, the child states.

Remove comments troubled by IKEv1.