[Swan-dev] Fwd: dpddelay and dpdtimeout processing

Paul Wouters paul at nohats.ca
Thu Feb 16 17:31:15 UTC 2017

On Thu, 16 Feb 2017, Oleg Rosowiecki wrote:

> Libreswan man pages state that dpddelay= has a default value of 30 and dpdtimeout= defaults to 120 seconds.
> This is different from the current behavior, i.e. if you try to leave out either of the settings (or both),
> both values are ignored and default to zeroes. Also, dpdaction= is ignored and defaults to "hold", as a
> consequence.

You are correct. While fixing the man page would be the quick fix, I
wonder what the best fix would be.

If we'd start from scratch, I would say dpdaction= defines whether or
not DPD/liveness is enabled, and dpddelay/dpdtimeout then become options
with default values.

The question is, can we make that change now without breaking backwards
compatibility? We might have people who defined dpdtimeout= and dpddelay=
and are using the default action, who would no longer see any DPD happening.

We could also change it and add a bool dpd, so that specifying _any_ of
the 3 options enables DPD. Although that might also change people's
connection if they before had specified a delay without a timeout, but
arguably those people had a bad configuration to begin with that did not
do what they thought it would do.

So what preference do people have?

Option 1: require dpddelay= and dpdtimeout= and pick default dpdaction=hold  [current behaviour]
Option 2: require dpdaction= and fill in delay/timeout defaults (implies dpdaction=none as default)
Option 3: Any dpddelay/dpdaction/dpdtimeout enables DPD and fills in defaults
Option 4: Require dpddelay or dpdtimeout and pick up the default of the other option
Option 5: As Option 2, but specifying delay+timeout means implicit dpdaction=hold

I think I personally prefer Option 2. Most people will have specified a
dpdaction= I hope, especially on the server side where clear is not the
default and must be specified.
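
The following is an added illustration, not libreswan's own code: a small model of how the three dpd* keys of a conn section resolve into effective DPD parameters under the current behaviour (Option 1) and under Options 2, 3 and 5 as described above, plus a check that flags conns whose liveness detection would silently switch on or off when the policy changes. The man-page defaults of 30 and 120 seconds are taken from the thread; the `parse_conn` helper, the assumption that dpddelay=/dpdtimeout= are plain seconds with an optional trailing `s`, and the sample conn text are constructed for this example.

```python
import re

# Defaults quoted from the man page in the thread (seconds).
DEFAULT_DPDDELAY = 30
DEFAULT_DPDTIMEOUT = 120
DPD_KEYS = ("dpdaction", "dpddelay", "dpdtimeout")


def parse_conn(text):
    """Parse 'key=value' lines of one conn section into a dict.
    Assumption (not libreswan's parser): dpddelay/dpdtimeout are plain
    seconds, optionally with a trailing 's'; other keys stay strings."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # 'conn name' headers and comments carry no key=value
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("dpddelay", "dpdtimeout"):
            match = re.fullmatch(r"(\d+)s?", value)
            if not match:
                raise ValueError(f"{key}: unsupported time value {value!r}")
            value = int(match.group(1))
        conn[key] = value
    return conn


def _off(action):
    return {"enabled": False, "dpdaction": action, "dpddelay": 0, "dpdtimeout": 0}


def _on(action, delay, timeout):
    return {"enabled": True, "dpdaction": action,
            "dpddelay": delay, "dpdtimeout": timeout}


def resolve_dpd_current(conn):
    """Option 1 (behaviour reported in the thread): DPD runs only when both
    dpddelay= and dpdtimeout= are set; otherwise both collapse to zero and
    dpdaction= is ignored, i.e. effectively 'hold'."""
    if "dpddelay" not in conn or "dpdtimeout" not in conn:
        return _off("hold")
    return _on(conn.get("dpdaction", "hold"), conn["dpddelay"], conn["dpdtimeout"])


def resolve_dpd_option2(conn):
    """Option 2: dpdaction= alone decides whether DPD is on (default none);
    a missing delay/timeout falls back to the man-page default."""
    action = conn.get("dpdaction", "none")
    if action == "none":
        return _off("none")
    return _on(action,
               conn.get("dpddelay", DEFAULT_DPDDELAY),
               conn.get("dpdtimeout", DEFAULT_DPDTIMEOUT))


def resolve_dpd_option3(conn):
    """Option 3: any of the three keys enables DPD; the rest get defaults."""
    if not any(key in conn for key in DPD_KEYS):
        return _off("none")
    return _on(conn.get("dpdaction", "hold"),
               conn.get("dpddelay", DEFAULT_DPDDELAY),
               conn.get("dpdtimeout", DEFAULT_DPDTIMEOUT))


def resolve_dpd_option5(conn):
    """Option 5: as Option 2, but delay+timeout with no dpdaction= implies hold."""
    if "dpdaction" not in conn and "dpddelay" in conn and "dpdtimeout" in conn:
        conn = dict(conn, dpdaction="hold")
    return resolve_dpd_option2(conn)


def dpd_state_changes(conn, old=resolve_dpd_current, new=resolve_dpd_option2):
    """True if this conn would gain or lose liveness detection under the new
    policy without any change to its configuration. That is the backwards
    compatibility risk the thread raises: a peer going dead would no longer
    be noticed by a tunnel that used to detect it."""
    return old(conn)["enabled"] != new(conn)["enabled"]


def audit_migration(conns, old=resolve_dpd_current, new=resolve_dpd_option2):
    """Return the names of conns whose DPD on/off state flips between policies."""
    return sorted(name for name, conn in conns.items() if dpd_state_changes(conn, old, new))


# Constructed sample: delay and timeout given, dpdaction= left to the default.
SAMPLE_CONN = """
conn roadwarrior
    dpddelay=30s
    dpdtimeout=120
"""

if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    print("current :", resolve_dpd_current(conn))
    print("option 2:", resolve_dpd_option2(conn))
    print("option 5:", resolve_dpd_option5(conn))
    print("flips under option 2:", dpd_state_changes(conn))
```

Running `audit_migration` over an existing set of conns before switching policy lists exactly the configurations Paul describes: delay+timeout without an explicit dpdaction= (DPD on today, off under Option 2) and dpdaction= without delay/timeout (off today, on under Option 2).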
