[Swan-dev] when to abort retransmits ?
Paul Wouters
paul at nohats.ca
Tue May 22 03:11:21 UTC 2018
On Fri, 18 May 2018, Andrew Cagney wrote:
>> I'm looking at a case where IKE_AUTH is fragmented, with iOS as
>> initiator and libreswan as responder. Something is wrong and
>> both ends seem to be just retransmiting the same packet:
>
> Grep for, and look carefully at, the incoming packet size. My (I
> should probably read the source code) guess is that iOS re-sent the
> the entire packet as 12 fragments but our end, not knowing how to deal
> with fragmented re-transmits, is responding immediately with the first
> packet each time.
All of it, both sides, resend the exact same sized packets. What has
happened is that both sides are in some state. The initiator did not
like our IKE_AUTH reply, so it retransmits. We don't even look at the
content. Since the msgid is the same, we determine this is a retransmit
and not a "new" or "different" IKE_AUTH (which the RFC doesn't allow
you to do anyways). And so we just retransmit our reply. Both ends have
no way of behaving differently until the iphone gives up entirely.
To me, it just seems a bit excessive
Paul
More information about the Swan-dev
mailing list