[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Thu Feb 22 17:29:25 EET 2024
New commits:
commit 07925c6c44fc2af7a0b9abf18b76630b78e1ff3e
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Feb 22 10:11:29 2024 -0500
routing: use .routing_sa to determine connection's owner

Replacing .{negotiating,established}_{ike,child}_sa and heuristics.

From the comments:

As a simple example:

<<ipsec route>>

- the unowned connection installs kernel trap policy and transitions
  to on-demand

acquire

- an IKE SA is created, the trap policy is changed to block and
  .routing_sa is set to the IKE SA; IKE_SA_INIT is initiated

IKE_SA_INIT response

- since the IKE SA owns the connection, a failed response deleting the
  IKE SA will trigger revival
- the Child SA is created and .routing_sa is set to that; IKE_AUTH is
  initiated

IKE_AUTH response

- since the Child SA owns the connection, a failed response (either
  IKE or Child) triggers revival
- the Child SA installs the IPsec state/policy

Child SA deleted (or IKE deleting all children)

- since the Child SA owns the connection, it being deleted triggers
  revival

note that this doesn't handle true crossing-streams as that requires
higher order logic.
commit 59fe05aed0c6139356ca4a0fd47e33d5ae61b836
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Feb 18 11:58:55 2024 -0500
testing: expect the Child SA to revive during IKE_AUTH