[Swan-dev] shunt time outs - leave as is

Andrew Cagney andrew.cagney at gmail.com
Mon Mar 29 15:14:52 UTC 2021


On Mon, 29 Mar 2021 at 10:29, Paul Wouters <paul at nohats.ca> wrote:

> > ---------- Forwarded message ----------
> > Date: Mon, 29 Mar 2021 10:20:03
> > From: Andrew Cagney <cagney at vault.libreswan.fi>
> > To: swan-commit at lists.libreswan.org
> > Subject: [Swan-commit] Changes to ref refs/heads/main
> >
> > New commits:
> > commit 63b3386362df35844c7a6454e62d811c74264425
> > Author: Andrew Cagney <cagney at gnu.org>
> > Date:   Mon Mar 29 10:18:13 2021 -0400
> >
> >     testing: sprinkle ping-once and wait-for
> >
> >     left wondering if the timeout to magically delete shunts should
> >     be set to something huge so that they don't come and go in
> >     test results
>
> It's best to leave this alone for now. We are getting kernel code soon
> that should make OE shunts disappear. That is, when installing
> a /24 %trap, and installing a /32 IPsec SA, this leftover right now
> should soon (after pCPU code hits upstream) be avoidable by setting an
> additional flag to the XFRM message.
>
>
Ya.

I suspect, because I'm removing artificial delays in the tests, the chances
of us seeing a larval state in the output have increased, viz.:

@@ -71,6 +71,10 @@
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
+src 192.1.3.33 dst 192.1.2.23
+       proto esp spi 0xSPISPI reqid REQID mode transport
+       replay-window 0
+       sel src 192.1.3.33/32 dst 192.1.2.23/32 proto icmp type 8 code 0
dev eth1
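Review bot: the state in the `+` lines is a larval (acquire) state, recognisable by `replay-window 0` and the ICMP echo selector, yet the sanitizer has rewritten its SPI to `0xSPISPI` exactly as for the established SA in the context lines above it, so the test output cannot tell the two apart; leaving the zero SPI unsanitized, as proposed further down in this mail, would make such a diff self-explanatory. Also, the trailing `dev eth1` is the mail-wrapped tail of the `sel` line, not a separate context line.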

And this brings me to a second, somewhat related, issue:

Larval states, which always have <<spi 0x00000000>>, should not have their
SPI sanitized.  It is just confusing.  I'd assume it is done because no one
thought otherwise.  Instead they should be left alone, viz.:

 src 192.1.3.209 dst 192.1.2.23
-       proto esp spi 0xSPISPI reqid REQID mode transport
+       proto esp spi 0x00000000 reqid REQID mode transport
        replay-window 0
        sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0
dev eth0
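Review bot: keeping `spi 0x00000000` verbatim only works if the sanitizer's SPI rule exempts exactly that value rather than any eight-digit hex string; otherwise the `-` line is what the output will keep producing. A reader unfamiliar with xfrm may also take an all-zero SPI for a sanitizer failure rather than for a state that has no SPI allocated yet.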

or even, to make what the state is more obvious:

 src 192.1.3.209 dst 192.1.2.23
-       proto esp spi 0xSPISPI reqid REQID mode transport
+       proto esp spi 0xLARVAL reqid REQID mode transport
        replay-window 0
        sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0
dev eth0
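Review bot: `0xLARVAL` is the clearer of the two proposals: it names the state directly, cannot be confused with a real or unsanitized SPI, and, like `0xSPISPI`, is not valid hex, so it can never collide with genuine kernel output. Worth documenting the marker alongside `0xSPISPI` and `REQID` wherever the sanitizer placeholders are listed, so test authors know what it means.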

> For regular on-demand tunnels, since we replace the %trap fully, there
> should not be a leftover larval state.
>
> Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
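As an added illustration (not libreswan's own sanitizer, which this mail does not show), a Python re-implementation of the rule proposed above: real SPIs and reqids become placeholders, while the zero SPI of a larval state becomes `0xLARVAL` so it stays visible in test output. The sample `ip xfrm state` output and the key value are constructed.

```python
import re

# Constructed sample of `ip xfrm state` output: an established SA followed
# by a larval (acquire) state, which has spi 0x00000000 and replay-window 0.
SAMPLE = """\
src 192.1.2.23 dst 192.1.3.209
\tproto esp spi 0x1a2b3c4d reqid 16389 mode transport
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
src 192.1.3.209 dst 192.1.2.23
\tproto esp spi 0x00000000 reqid 16389 mode transport
\treplay-window 0
\tsel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0
"""

SPI_RE = re.compile(r"\bspi 0x([0-9a-fA-F]+)\b")
REQID_RE = re.compile(r"\breqid \d+\b")
# Long hex blobs are keys; the 8-digit SPI never reaches this length.
KEY_RE = re.compile(r"\b0x[0-9a-fA-F]{32,}\b")


def sanitize_spi(match):
    # A larval state has no SPI allocated yet.  Mark it as such instead of
    # hiding it behind the same placeholder used for real, random SPIs.
    if int(match.group(1), 16) == 0:
        return "spi 0xLARVAL"
    return "spi 0xSPISPI"


def sanitize_xfrm_state(text):
    """Replace run-to-run varying values with stable placeholders."""
    text = KEY_RE.sub("0xENCAUTHKEY", text)
    text = SPI_RE.sub(sanitize_spi, text)
    text = REQID_RE.sub("reqid REQID", text)
    return text


def count_larval(sanitized):
    """Number of larval states left visible in sanitized output."""
    return sanitized.count("spi 0xLARVAL")


if __name__ == "__main__":
    out = sanitize_xfrm_state(SAMPLE)
    print(out)
    print("larval states:", count_larval(out))
```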