[Swan-dev] WIP: supporting xfrm SA expire

Paul Wouters paul at nohats.ca
Mon Apr 5 17:22:39 UTC 2021


On Mon, 5 Apr 2021, Antony Antony wrote:

> Here is my sa expire branch rebased to main.
>
> #sa-expire
> https://github.com/antonyantony/libreswan/tree/sa-expire

Thanks! I had a look and I think it looks pretty good.

> It needs a bit more work to merge to main. I'll look at the code again and fix
> "FIXME". It also needs more tests.
>
> If you feel like helping, add more tests. This would help to get the
> branch ready to merge sooner rather than later.

I'm working on that now.

I noticed you used salifebytes= and salifepackets=. I think it would be
more intuitive to call these maxbytes= and maxpackets=. Or limit-bytes=
or bytelimit= and packet-limit= ?

Similarly, where strongswan has inactivity= I think idletimeout= or
idle-timeout= would be more clear? I wouldn't call it inactive because
the tunnel is "active" (or "up") - there is just no traffic happening.

I do understand why you added the "sa" prefix, because we in theory also
have these options on the IKE SA (for FIPS compliance), but I think
those maximums could just be hardcoded to a much lower count and might
never need to be user configurable? Like wouldn't 1Gbyte of IKE
traffic be a good time to re-auth or rekey-with-pfs ? In which case it
might make sense to omit the "sa" prefix for the regular admin?

I'm glad to see you decided on configuring soft timeouts at a fixed (80%)
rate of hard limits. I was also hoping to not have an option for this.

I will look at adding some logging based on hitting soft and hard timer.
Right now, one just sees a rekey but there is no message as to why.

And I'll add an impair test that stalls any rekeying so we hit the hard
timer and see if we can distinguish that. Because we should delete the
SA if the hard timer was hit since the kernel already removed it in that
case.

Thanks for the work on this! I'll send a PR later today against your
branch.

Paul

