[Swan-dev] IKEv2 revival
andrew.cagney at gmail.com
Fri May 1 15:52:49 UTC 2020
To make the problem more concrete, consider two connections c-1 and c-2
want to share the same IKE SA.
First, I believe liveness=hold and policy revive are in conflict. For
instance, say "c-1" triggers a liveness event which times out. Should
"c-1" follow liveness=hold or policy revival? What about when "c-1"'s
rekey fails? ...
Here are some scenarios and what happens today (vs yesterday). In each the
question is what _should_ happen.
- c-1 initiates; c-2 put on pending queue
-> retransmits call ipsecdoi_replace("c-1", try)
-? but what happens to c-2 remains on the pending queue?
- c-1 established; c-2 initiates (I'm assuming this uses retransmits)
-> retransmits call liveness_action("c-2") because the IKE SA is
established and "c-2" initiated the exchange
-> see above, what should happen to "c-1" and does it?
- c-1 established; c2 established; c-1 or c-2 triggers liveness
-> retransmits call liveness_action("c-1") because retransmits use the IKE
SA and the IKE SA is established and liveness action is called with
- c-1 established; c2 established; c-1 or c-2 rekey
-> retransmits call liveness_action("new c-") because the new child
initiated the exchange and the IKE SA is established
-> replace calls v2_event_sa_replace(st) - you need to read its comments -
I suspect it should queue up a delete exchange and then let retransmits
kill the IKE SA
tests would be nice
On Tue, 28 Apr 2020 at 12:05, Andrew Cagney <andrew.cagney at gmail.com> wrote:
> Adding to the list of functions that revive ...
> On Mon, 27 Apr 2020 at 12:06, Andrew Cagney <andrew.cagney at gmail.com>
>> I just pushed code to implement liveness probes using the retransmit
>> timer. When retransmits time-out:
>> - if the IKE SA hasn't established, it does a 'retry' using
>> ipsecdoi_replace(st, try)
>> - else, presumably the IKE SA is established, and it calls
>> liveness_action(); I suspect this doesn't handle multiple children, and
>> know it won't handle an IKE exchange timing out
>> (there's also add_revival(), but I'm not sure if that applies here? And
>> there's pending ...)
>> So my question is what should happen?
>> - are the established and not established paths really that different
>> (for instance an established IKE SA may have an incomplete CHILD SA)
>> - do established CHILD SAs linger so that the IPsec connection is 'up'
>> (even though evidence suggests it is dead)
>> - and I have to wonder what the difference between replace and pending is
> - a rekey (the obvious next candidate for doing proper retransmits) calls
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan-dev