[Swan-dev] Q: mobike on kernel without mobike: load or not load the connection

Paul Wouters paul at nohats.ca
Wed Jun 12 16:12:25 UTC 2019 

On Wed, 12 Jun 2019, Antony Antony wrote:

>> - if local connection has mobike=yes but kernel support disabled -> fail
>>   to load the connection. IPsec tunnel fails
>> - if local connection has mobike=yes but IKE negotiation resulted in
>>   peer not supporting mobike -> succeeds connection but without mobike
>>
>> The question is whether in the first case, we shouldn't really just
>> setup the connection but without mobike, perhaps log a big warning?
>
> When an end knows the kernel do not suppor mobike and respond or initiate
> with MOBIKE support, it is lying in the negotiation. It clearly know a
> feature can't be supported.

If mobike is not supported by our kernel, it should not send the MOBIKE
notify. But it should still load the connection that has mobike=yes

> 1. To me that is gross violation in ike negotiation. The concept should be if
> you send a notify honer it when time comes.
> 2. IKE is a hard to debug, especially from the other side, protocol by
> design. Early, clear, failure is a good idea.
> In this case sending a mobike supported notify and doing weird things when
> the other end actually request it, it is bad idea for IKE.

That is not what I was suggesting.

> 3. I don't understand someone want to keep unsupported options in
> connection. Are they copy pasting connection between supported and
> unsupported?

Most users copy options from documentation or web pages. But I would
even argue that if we know we are an IKEv2 client going to do CP, that
is we are a "remote access client", it should default to mobike=yes.

> I know this breaks our left/right argument if one side support and the other
> do not.

That too. But also people might get a kernel update that accidentally
doesn't have the support. I see no reason why the whole connection
should fail completely, instead of only mobike not getting deployed.

>> What do people prefer? Close 221 without changes and keep current
>> situation, or change code to allow loading the connection and bringing
>> it up without mobike ?
>
> first one. Do not lie in IKE negotiations.

We don't lie (or if we do, we should fix that as a bug). The situation
we seem to be disagreeing on is:

- We don't support XFRM_MIGRATE
- The conn has mobike=yes

Should we:

A) Load the conn, don't send N(MOBIKE) because we don't support it, and
    establish a conn without mobike

or:

B) Fail to load the conn

Paul

More information about the Swan-dev mailing list