[Swan-dev] Pluto mysteries that need solving

Antony Antony antony at phenome.org
Thu Oct 30 20:33:35 EET 2014


The immediate bug should be addressed by d4508e8a2968a309e2aa815390864ca3efaf4733

Hugh's commit 695af25112cdd1561e71b75cf6f054b76c66907a made it easier for me.

dpd action clear appears simple.  It just terminates itself, one connection.

dpd/liveness action restart is not well defined? It looks simple; however, when you think of corner cases it looks weird to me.

It looks like restart may terminate connections whose dpd action is none too.
Also, if a DNS name resolves to multiple IP addresses and different connections go to different IP addresses, we may kill all of them.

regards,
-antony

On Thu, Oct 30, 2014 at 01:25:16PM -0400, Paul Wouters wrote:
> On Wed, 29 Oct 2014, D. Hugh Redelmeier wrote:
> 
> >|     - connection.c's update_host_pairs has some mysteries.
> >|
> >|     - initiate.c's ISAKMP_SA_established looks wrong (asymmetry)
> 
> What Antony and I noticed is that there is something going on with
> leaving traps when we did not expect any. This affects dpdaction's
> in both IKEv1 and IKEv2, although some code seems to be version
> specific.
> 
> In the old days, instances (c->kind == CK_INSTANCE) were easy. These
> were instantiations of a "group connection": either an opportunistic
> policy group or a connection supporting roadwarriors with right=%any.
> And if the instance reached its end of life, it could simply be terminated
> without a trace.
> 
> Wildcards were added (eg rightid="C=CA, O=Libreswan, CN=*") which were
> meant for groups of roadwarriors but can actually appear on "permanents"
> (eg the previous rightid with wildcard with right=1.2.3.4). This was
> never meant to be, and when we kill the instance, we might need a trap,
> but is the trap on the template or on the instance?
> 
> Protoports also cause instantiation (rightprotoport=7/%any), which also
> is not a "traditional" instance type. It has similar problems.
> 
> When we added support for IKEv2 narrowing using narrowing=yes, where
> a reduced protoport and subnet is negotiated, we also used
> instantiation. Again, this causes problems, and now in even more weird
> ways: you cannot even leave a %trap to catch packet leaks because you
> don't know if the next connect will actually cover the same IPs and
> ports. And on top of that, this is an instance kind that is allowed
> to initiate.
> 
> It might make sense to identify these different c->kinds as being
> different kinds of instances, so we can distinguish between "single
> instances" and "group instances". These two groups require quite
> different cleanup actions.
> 
> These different instantiations are related to the bugs we are now seeing
> with IKEv2 when we look at rekeying/expiring. Some of the combinations
> of rekey and templates make no sense (right=%any and rekey=yes, or
> rekey=no and dpdaction=restart)
> 
> Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
> 