[Swan-dev] IKEv2 IKE_AUTH responder no longer does an ike->child shuffle

Andrew Cagney andrew.cagney at gmail.com
Tue May 18 14:11:10 UTC 2021


Heads up.  The way the IKEv2 responder behaves (at least for IKE_AUTH) has
changed:

    ikev2: in IKE_AUTH responder, handle child sa as a nested state transition

    i.e., in IKE_AUTH responder, don't switch to the child part way through
    the transition

    - add v2_child_sa_established() to perform transition
    - change the existing half IKE / half CHILD state transition to strictly IKE
    - drop code pexpecting next state to be a child

Since there's no IKE->CHILD switch, it is, in theory, possible to create a
childless IKE SA.
Reality will beg to differ.  Anyone looking at the code will see that the
IKE and CHILD code paths are still not well separated.  I'm planning on
looking at that once I've an initiator capable of sending childless IKE_AUTH
requests.

Before/after test results are:
https://testing.libreswan.org/?run=v4.4-198-g09b9822207-main&run=v4.4-191-g90cbaef4ac-main
and there seem to be a few regressions:
- looks like I drop an audit record
- informational exchanges aren't quite right
I was going to look at those once the initiator is updated.
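As an added illustration of the IKE-versus-child split the message talks about (this is example code written for this page, not code from the message or from libreswan), the Python below walks a decrypted IKE_AUTH payload chain and decides what a responder can establish: the IKE SA whenever IDi and AUTH are present, and a Child SA only when SA, TSi and TSr are all present. Payload-type numbers and the generic payload header layout follow RFC 7296; the childless case follows RFC 6023, where a responder only accepts a request without the three child payloads if it advertised CHILDLESS_IKEV2_SUPPORTED in IKE_SA_INIT. A request carrying only some of the three is treated as a failed child negotiation that leaves the IKE SA established, which is the RFC 7296 section 2.21.2 rule for child failures inside IKE_AUTH. The function names, the `childless_supported` flag, the treatment of an unsupported childless request as a reject, and the opaque sample payload bodies are all assumptions constructed for the example.

```python
import struct

# IKEv2 payload type numbers from RFC 7296 section 3.2 (only the ones used here).
PT_NONE = 0
PT_SA = 33     # Security Association (the Child SA proposal inside IKE_AUTH)
PT_IDI = 35    # Identification - Initiator
PT_AUTH = 39   # Authentication
PT_TSI = 44    # Traffic Selector - Initiator
PT_TSR = 45    # Traffic Selector - Responder

# The three payloads that together request a Child SA inside IKE_AUTH.
CHILD_PAYLOADS = {PT_SA, PT_TSI, PT_TSR}


def build_chain(payloads):
    """Serialise [(type, body), ...] as an IKEv2 payload chain.

    Returns (type of the first payload, bytes).  The first payload's type is
    carried by the enclosing header (IKE header or SK payload), so it is
    returned separately.  Each generic payload header is:
    Next Payload (1 byte), C|RESERVED (1 byte), Payload Length (2 bytes,
    includes the 4-byte header)."""
    out = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else PT_NONE), out


def parse_chain(first_type, data):
    """Walk a payload chain and return the list of payload types in order.

    Raises ValueError on a truncated header, a length that overruns the
    buffer, or bytes left over after the last payload."""
    types = []
    ptype, off = first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        types.append(ptype)
        off += length
        ptype = nxt
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return types


def is_well_formed(first_type, data):
    """True if the chain parses cleanly, False otherwise."""
    try:
        parse_chain(first_type, data)
        return True
    except ValueError:
        return False


def ike_auth_responder_decision(first_type, data, childless_supported=True):
    """Model the responder's outcome for one IKE_AUTH request chain.

    Returns {"ike": ..., "child": ...}.  The IKE SA decision never depends on
    the child payloads; the child decision is a separate, nested step.
    childless_supported is an assumption standing in for "the responder sent
    CHILDLESS_IKEV2_SUPPORTED in IKE_SA_INIT" (RFC 6023)."""
    types = parse_chain(first_type, data)
    # Without IDi and AUTH there is nothing to authenticate: no IKE SA.
    if PT_IDI not in types or PT_AUTH not in types:
        return {"ike": "reject", "child": "none"}
    present = CHILD_PAYLOADS & set(types)
    if present == CHILD_PAYLOADS:
        return {"ike": "established", "child": "established"}
    if not present:
        if childless_supported:
            return {"ike": "established", "child": "none"}      # RFC 6023 childless
        # Assumption for the example: without the extension, SA/TSi/TSr are
        # mandatory (RFC 7296), so the request is rejected as malformed.
        return {"ike": "reject", "child": "none"}
    # Some but not all child payloads: child negotiation fails, IKE SA stands
    # (RFC 7296 section 2.21.2).
    return {"ike": "established", "child": "failed"}


# Constructed sample requests; bodies are opaque filler since only headers are walked.
_IDI = (PT_IDI, b"\x00" * 4 + b"alice")
_AUTH = (PT_AUTH, b"\x02\x00\x00\x00" + b"\xaa" * 16)
CHILD_REQUEST = build_chain([_IDI, _AUTH, (PT_SA, b"\x00" * 8),
                             (PT_TSI, b"\x00" * 8), (PT_TSR, b"\x00" * 8)])
CHILDLESS_REQUEST = build_chain([_IDI, _AUTH])
PARTIAL_REQUEST = build_chain([_IDI, _AUTH, (PT_SA, b"\x00" * 8)])


if __name__ == "__main__":
    for name, req in [("child", CHILD_REQUEST), ("childless", CHILDLESS_REQUEST),
                      ("partial", PARTIAL_REQUEST)]:
        print(name, parse_chain(*req), ike_auth_responder_decision(*req))
```

The point of keeping `ike_auth_responder_decision` in two stages is the same one the commit makes: the IKE SA outcome is fixed before the child payloads are even looked at, so a childless request, a partial request and a full request all share the IKE path and differ only in the nested child step.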