[Swan-dev] parent and child's responsibilities
D. Hugh Redelmeier
hugh at mimosa.com
Sat Jun 20 20:56:52 EEST 2015
| From: Paul Wouters <paul at nohats.ca>
| On Sat, 20 Jun 2015, D. Hugh Redelmeier wrote:
|
| > I'm trying to fix IKEv2's inI2 ourR2 logic (after I broke it).
|
| What was the effect of the break? Dose this explain our missing packets?
Amusingly, the symptom was UDP packets with no IKE content, just UDP
headers / pseudo headers.
So: no such luck.
It might only be in my tree. I think that we want my tree since it
does fix some other problems. I'm trying to test it now (as you might
gather from all my whining).
| > Confusingly, they seem to both be in STATE_PARENT_R2. That seems wrong.
| > Very wrong.
|
| This has been a known issue and the core of why we need to fix the state
| names.
I wanted new state names for less important reasons. I had forgotten
how bad this is.
| Can we get to a temporary state where we do still send the packets
| without overhauling the state machine?
Oh yeah. Fixed in my tree. Easy, once I understood the Cups and
balls game that was going on.
<https://en.wikipedia.org/wiki/Cups_and_balls>
| > Code after other calls to ikev2_parent_inI2outR2_auth_tail ought to be
| > checked.
I fixed code after the other call.
| > In v1, the st_tpacket logic was used for retransmission. In IKE V2, inI2
| > out R2 is a responder state and will never do any retransmitting. So it
| > kind of doesn't matter if the st_tpacket/st_tfrags values persist. Unless
| > they are used as IV-like objects (I don't think that they are).
|
| I don't think so? I'm not sure what you mean with IV-like objects. I
| think any kind of IV for IKE is stored in specific st_ variables or
| remains within the nss symkeys.
Look at the way st_firstpacket_me is used in
ikev2_calculate_rsa_sha1 and st_firstpacket_him in
ikev2_verify_rsa_sha1 and ikev2_verify_psk_auth. That's "IV-like".
| But is this teh cause of the missing packets, or the solution of the
| missing packets? I'm completely lost now.
It fixes some things. We should know more when testing is done and
analyzed. A rocky process.
More information about the Swan-dev
mailing list