[Swan-dev] drop ipsec-auto-up.n.sed

Andrew Cagney andrew.cagney at gmail.com
Mon Sep 28 20:18:03 UTC 2020 

On Mon, 28 Sep 2020 at 15:11, Antony Antony <antony at phenome.org> wrote:

> On Mon, Sep 28, 2020 at 12:44:03PM -0400, Andrew Cagney wrote:
> > I'm planning on removing the sanitizer ipsec-auto-up.n.sed.  It removes
> what I
> > consider to be important contextual  information from console.txt.  For
> > instance, consider this output:
>
> I think it is a usefull swanitizer. May be tweak need more tweaking, also
> it
> can be skiped easly; see bellow.
>

It's a bandaid hiding non-deterministic behaviour.

Either the re-transmit is relevant, and it should be retained, but made
more robust; or the retransmit is not relevant and can be suppressed.  This
sanitizer does neither.  It removes half the exchange obfuscating the
output.  For instance, when nss-cert-crl-03-strict fails it produces this
diff:

https://testing.libreswan.org/v3.30-1834-g8b42ce739b-main/nss-cert-crl-03-strict/OUTPUT/west.console.diff

--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
@@ -41,8 +41,6 @@
 1v1 "nss-cert-crl" #1: sent Main Mode I3
 003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
 003 "nss-cert-crl" #1: received and ignored notification payload:
INVALID_ID_INFORMATION
-003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
-003 "nss-cert-crl" #1: received and ignored notification payload:
INVALID_ID_INFORMATION
 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department,
CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'
 002 "nss-cert-crl" #1: certificate verified OK:
E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1

so per my point:

> --- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
> > +++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
> > @@ -41,8 +41,10 @@
> >  1v1 "nss-cert-crl" #1: sent Main Mode I3
> >  003 "nss-cert-crl" #1: ignoring informational payload
> INVALID_ID_INFORMATION,
> > msgid=00000000, length=12
> >  003 "nss-cert-crl" #1: received and ignored notification payload:
> > INVALID_ID_INFORMATION
> >  003 "nss-cert-crl" #1: ignoring informational payload
> INVALID_ID_INFORMATION,
> > msgid=00000000, length=12
> >  003 "nss-cert-crl" #1: received and ignored notification payload:
> > INVALID_ID_INFORMATION
> >  002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=
> > Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org,
> E=
> > user-east at testing.libreswan.org'
> >  002 "nss-cert-crl" #1: certificate verified OK: E=
> > user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
> > Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
> >  003 "nss-cert-crl" #1: authenticated using RSA with SHA-1
> >
> > the duplicate "ignoring informational payload" seems to be from the
> other end
> > spontaneously sending duplicates (this is IKEv1 after all), and things
> take
> > time to establish because the other end was slow.  However, once
> retransmits
> > are visible:
> >
> > --- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
> > +++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
> > @@ -41,8 +41,10 @@
> >  1v1 "nss-cert-crl" #1: sent Main Mode I3
> >  003 "nss-cert-crl" #1: ignoring informational payload
> INVALID_ID_INFORMATION,
> > msgid=00000000, length=12
> >  003 "nss-cert-crl" #1: received and ignored notification payload:
> > INVALID_ID_INFORMATION
> > +010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5
> seconds
> > for response
> >  003 "nss-cert-crl" #1: ignoring informational payload
> INVALID_ID_INFORMATION,
> > msgid=00000000, length=12
> >  003 "nss-cert-crl" #1: received and ignored notification payload:
> > INVALID_ID_INFORMATION
> > +010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 1
> seconds for
> > response
> >  002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=
> > Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org,
> E=
> > user-east at testing.libreswan.org'
> >  002 "nss-cert-crl" #1: certificate verified OK: E=
> > user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
> > Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
> >  003 "nss-cert-crl" #1: authenticated using RSA with SHA-1
> >
> > it looks more likely that the re-transmit triggered forward progress.
> > Similarly, but in contrast:
>
> I guess you are saying in this test retransmits is expected.
> Change the "up" line to something like the following
>
> ipsec auto --up nss-cert-crl #retransmits
>
>
And it does not help.  The test is still non-deterministic - it will
pass/fail dependent on timing.

While you can certainly selectively use this sanitizer for specific cases,
please don't apply it across all tests.  The last thing needed is for
critical output - notably that a retransmit occured - to magically
disappear.


and the sanitizer would leave the output alone.
>
> > --- MASTER/testing/pluto/ikev2-keyingtries-01/west.console.txt
> > +++ OUTPUT/testing/pluto/ikev2-keyingtries-01/west.console.txt
>
> as far as I see this test also need #retransmits after the up.
> So these two test cases could be fixed!
>
> PS: previous discussion:
> https://lists.libreswan.org/pipermail/swan-dev/2020-February/003664.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200928/7073f012/attachment-0001.html>

More information about the Swan-dev mailing list