[Swan-dev] WIP: supporting xfrm SA expire
Antony Antony
antony at phenome.org
Tue Apr 6 15:50:17 UTC 2021
On Mon, Apr 05, 2021 at 01:22:39PM -0400, Paul Wouters wrote:
> On Mon, 5 Apr 2021, Antony Antony wrote:
>
> > Here is my sa expire branch rebased to main.
> >
> > #sa-expire
> > https://github.com/antonyantony/libreswan/tree/sa-expire
>
> Thanks! I had a look and I think it looks pretty good.
>
> > It need a bit more work to merge to main. I look the code again and fix
> > "FIXME". It also need more tests.
> >
> > If you feel like helping add more tests. This would help to get the
> > branch ready to merge sooner than later.
>
> I'm working on that now.
>
> I noticed you used salifebytes= and salifepackets=. I think it would be
> more intuitive to call these maxbytes= and maxpackets. Or limit-bytes=
> or bytelimit= and packet-limit= ?
given that we have "salifetime" for IPsec and "lifetime" from IKE
I feel life* would be better choce, so I choose salifebytes salifepackets.
> Similarly, where strongswan has inactivity= I think idletimeout= or
> idle-timeout= would be more clear? I wouldn't call in inactive because
> the tunnel is "active" (or "up") - there is just no traffic happening.
I have no idea about those:)
> I do understand why you added the "sa" prefix, because we in theory also
> have these options on the IKE SA (for FIPS compliance), but I think
I choose salifebytes because we already have "salifetime" I am not too
attached to it. However, your proposals are not more appealing at the
momet:) Lets see how this goes.
My next proposals are "rekey-bytes" and "rekey-packets". Those would align
with swanctl config. swanctl full name is
connections.<conn>.children.<child>.rekey_bytes
Do not compare to ancient strongswan pluto keywords.
> those maximums could just be hardcoded to a much lower count and might
> never need to be user configurable? Like wouldn't 1Gbyte of IKE
> traffic be a good time to re-auth or rekey-with-pfs ? In which case it
well with Post Quantuam and PCPU I can imagine conerns abou IKE rekey on the
horizon.
> might make sense to omit the "sa" prefix for the regular admin?
again, what about "salifetime" are you going change that.
> I'm glad to see you decided on configuring soft timeouts at a fixed (80%)
> rate of hard limits. I was also hoping to not have an option for this.
I did it because I am lazy to code! I am not proud of it. I hope that one
day we will support soft and hard limits. I clearly see benfits of the
flexibilty. Especially if we want to be more of reference implementation.
> I will look at adding some logging based on hitting soft and hard timer.
> Right now, one just sees a rekey but there is no message as to why.
> And I'll add an impair test that stalls and rekeying so we hit the hard
> timer and see if we can distinguish that. Because we should delete the
> SA if the hard timer was hit since the kernel already removed it in that
> case.
>
> Thanks for the work on this! I'll send a PR later today against your
> branch.
At the moment I am only looking for test case PR. That is my work flow at
the moment! I just noticed you send a PR with tests I will see what I can
pickup. Thanks.
-antony
More information about the Swan-dev
mailing list