[Swan-dev] when to abort retransmits ?

Paul Wouters paul at nohats.ca
Tue May 22 15:01:01 UTC 2018

On Tue, 22 May 2018, Andrew Cagney wrote:

> The same packet len, or the same packet?  It doesn't take much for
> fragments to all be the same size.

> Per earlier post, pluto, looking at send_recorded_v2_ike_msg() should
> send all the fragments (unfortunately there's no debug log to confirm
> this, just lots of same-sized sends).

I don't know. I will see if I still have the logs.

> However, where pluto is screwing up is by not also checking the
> fragment number.  It should only re-transmit on reception of the first
> (or last?) fragment.  Sending all fragments back for every fragment
> received is excessive.

Possibly it should wait until it has received a whole list of fragments?

> You're suspecting that the iPhone can't decrypt the fragmented reply,

No. I think it can decrypt it fine, but didn't like the content. For
example an AUTH failure of the responder.

> or never gets one of the fragments?  If the iPhone did receive all the
> fragments but didn't like the auth then it should come back with a new
> informational(delete) exchange.

Depends on the kind of AUTH failure? If it is a CA it doesn't trust
sure. But if the AUTH failed integrity, then perhaps the packet was
mangled and it should try and get a new copy via retransmit ?


More information about the Swan-dev mailing list