[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Tue Sep 28 20:59:28 UTC 2021
New commits:

commit 18cac04c781e03f03739dbf74771f52adfa286ab
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Sep 28 16:59:19 2021 -0400

    update CHANGES

commit 9f6f83556c089f4e2c8b979631445aff770168be
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Sep 28 14:56:28 2021 -0400

    ikev2: when rekeying a Child SA, only propose the old crypt-suite

    except (the fine print):

    - when MSDH_DOWNGRADE, also propose the old crypto suite minus DH
    - when there's no PFS, propose everything

commit e12b6c14069ac019d0ee5375fcc1f5c742ef9657
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Sep 28 13:43:15 2021 -0400

    ikev2: drop the Child SA's proposal cache

    Doesn't help when, presumably, it matters most:

    - rekeying PFS, where the Child SA's proposal includes the DH
      algorithm that is only determined during the IKE_SA_INIT exchange
    - template connections, where each Child SA has its own connection
      instance making sharing difficult

    Instead generate and store each CREATE_CHILD_SA exchange's proposals
    in the state (note: this doesn't fix what is proposed).