[Swan-dev] Fwd: dpddelay and dpdtimeout processing
paul at nohats.ca
Thu Feb 16 17:31:15 UTC 2017
On Thu, 16 Feb 2017, Oleg Rosowiecki wrote:
> Libreswan man pages state that dpddelay= has a default value of 30 and dpdtimeout= defaults to 120 seconds.
> This is different from the current behavior, i.e. if you try to leave out either of the settings (or both),
> both values are ignored and default to zeroes. Also, dpdaction= is ignored and defaults to "hold", as a
You are correct. While fixing the man page would be the quick fix, I
wonder what the best fix would be.
If we'd start from scratch, I would say dpdaction= defines whether or
not DPD/liveness is enabled, and dpddelay/dpdtimeout then become options
with default values.
The question is, can we make that change now without breaking backwards
compatibility. We might have people who defined dpdtimeout= and dpddelay=
and are using the default action, who would no longer see any DPD happening.
We could also change it and add a bool dpd, so that specifying _any_ of
the 3 options enables DPD. Although that might also change people's
connection if they had previously specified a delay without a timeout, but
arguably those people had a bad configuration to begin with that did not
do what they thought it would do.
So what preference do people have?
Option 1: require dpddelay= and dpdtimeout= and pick default dpdaction=hold [current behaviour]
Option 2: require dpdaction= and fill in delay/timeout defaults (implies dpdaction=none as default)
Option 3: Any dpddelay/dpdaction/dpdtimeout enables DPD and fills in defaults
Option 4: Require dpddelay or dpdtimeout and pick up the default of the other option
Option 5: As Option 2, but specifying delay+timeout means implicit dpdaction=hold
I think I personally prefer Option 2. Most people will have specified a
dpdaction= I hope, especially on the server side where clear is not the
default and must be specified.
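As an added illustration of the two behaviours being compared (this is not libreswan code, and the conn parser is a constructed minimal subset of ipsec.conf syntax): the function below resolves a conn's dpd* keywords under the current behaviour (Option 1) and under Option 2, using the man page's 30/120 second defaults, and lists conns that set a dpd* keyword yet get no DPD today. The policy names and the sample conns are assumptions made for this example.

```python
# Added example, not libreswan's own code: model how dpddelay/dpdtimeout/dpdaction
# resolve under the current behaviour (Option 1) versus proposed Option 2.
import re

MAN_DELAY, MAN_TIMEOUT = 30, 120   # defaults as documented in the man page (seconds)

# Constructed sample config: one full conn, one with dpddelay but no dpdtimeout, one without DPD.
SAMPLE_CONF = """\
conn roadwarrior
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
conn half-configured
    dpdaction=clear
    dpddelay=30        # no dpdtimeout: both timers are ignored today
conn no-dpd
    leftid=@example
"""

def parse_conns(text):
    """Minimal parser: 'conn NAME' headers followed by key=value lines (assumed subset)."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = re.match(r'conn\s+(\S+)$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            cur[key] = val
    return conns

def resolve_dpd(conn, policy):
    """Return (enabled, delay, timeout, action) for one conn under the named policy."""
    delay, timeout, action = conn.get('dpddelay'), conn.get('dpdtimeout'), conn.get('dpdaction')
    if policy == 'current':      # Option 1: both timers required, action defaults to hold
        if delay is None or timeout is None:
            return (False, 0, 0, None)           # timers silently reset to zero
        return (True, int(delay), int(timeout), action or 'hold')
    if policy == 'option2':      # Option 2: dpdaction decides, timers get man-page defaults
        if action is None or action == 'none':
            return (False, 0, 0, 'none')
        return (True, int(delay or MAN_DELAY), int(timeout or MAN_TIMEOUT), action)
    raise ValueError(f"unknown policy {policy!r}")

def silently_disabled(conns):
    """Conns that set some dpd* keyword but get no DPD under the current behaviour."""
    return [name for name, c in conns.items()
            if any(k in c for k in ('dpddelay', 'dpdtimeout', 'dpdaction'))
            and not resolve_dpd(c, 'current')[0]]
```

Running `silently_disabled(parse_conns(SAMPLE_CONF))` is the kind of check an operator can use to find conns whose liveness detection is not actually active despite a dpd* setting being present.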