[Swan-dev] IKEv2 revival

Andrew Cagney andrew.cagney at gmail.com
Fri May 1 15:52:49 UTC 2020

To make the problem more concrete, consider  two connections c-1 and c-2
want to share the same IKE SA.

First, I believe liveness=hold and policy revive are in conflict.  For
instance, say "c-1" triggers a liveness event which times out.  Should
"c-1" follow liveness=hold or policy revival?  What about when "c-1"'s
rekey fails? ...

Here are some scenarios and what happens today (vs yesterday).  In each the
question is what _should_ happen.

- c-1 initiates; c-2 put on pending queue
-> retransmits call ipsecdoi_replace("c-1", try)
-? but what happens to c-2 remains on the pending queue?

- c-1 established; c-2 initiates (I'm assuming this uses retransmits)
-> retransmits call liveness_action("c-2") because the IKE SA is
established and "c-2" initiated the exchange
-> see above, what should happen to "c-1" and does it?

- c-1 established; c2 established; c-1 or c-2 triggers liveness
-> retransmits call liveness_action("c-1") because retransmits use the IKE
SA and the IKE SA is established and liveness action is called with

- c-1 established; c2 established; c-1 or c-2 rekey
either of
-> retransmits call liveness_action("new c-[12]") because the new child
initiated the exchange and the IKE SA is established
-> replace calls v2_event_sa_replace(st) - you need to read its comments -
I suspect it should queue up a delete exchange and then let retransmits
kill the IKE SA

tests would be nice

On Tue, 28 Apr 2020 at 12:05, Andrew Cagney <andrew.cagney at gmail.com> wrote:

> Adding to the list of functions that revive ...
> On Mon, 27 Apr 2020 at 12:06, Andrew Cagney <andrew.cagney at gmail.com>
> wrote:
>> I just pushed code to implement liveness probes using the retransmit
>> timer.  When retransmits time-out:
>> - if the IKE SA hasn't established, it does a 'retry' using
>> ipsecdoi_replace(st, try)
>> - else, presumably the IKE SA is established, and it calls
>> liveness_action(); I suspect this doesn't handle multiple children, and
>> know it won't handle an IKE exchange timing out
>> (there's also add_revival(), but I'm not sure if that applies here?  And
>> there's pending ...)
>> So my question is what should happen?
>> - are the established and not established paths really that different
>> (for instance an established IKE SA may have an incomplete CHILD SA)
>> - do established CHILD SAs linger so that the IPsec connection is 'up'
>> (even though evidence suggests it is dead)
>> - and I have to wonder what the difference between replace and pending is
> - a rekey (the obvious next candidate for doing proper retransmits) calls
> v2_event_sa_replace()
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200501/56cdf51f/attachment.html>

More information about the Swan-dev mailing list