[Swan-dev] ikev2: only count empty informational messages as liveness probes

Andrew Cagney andrew.cagney at gmail.com
Fri May 21 14:26:10 UTC 2021


(luckily I occasionally read spam)

On Fri, 21 May 2021 at 08:54, Paul Wouters <paul.wouters at aiven.io> wrote:

>
> commit b6e986fb7181fe6288dbba3fb98832b53aee1415
> Author: Andrew Cagney <cagney at gnu.org>
> Date:   Thu May 20 11:21:33 2021 -0400
>
>      ikev2: only count empty informational messages as liveness probes
>
>      was including informational messages with notify payloads
>
>
>
> This is not correct though. Any informational message can contain
> notify payloads. In theory they should all include NAT detection
> payloads in case a NAT appeared out of nowhere.
>

   An INFORMATIONAL request with no payloads (other than the
   empty Encrypted payload required by the syntax) is commonly used as a
   check for liveness.  These subsequent exchanges cannot be used until
   the initial exchanges have completed.

So I think this:
/*
 * Only count empty requests as liveness probes.
 */
if (md->chain[ISAKMP_NEXT_v2SK]->payload.v2gen.isag_np == ISAKMP_NEXT_NONE) {
        pstats_ike_dpd_replied++;
}
is correct.

However, to your point, we might as well count what type of payloads (D, N,
CP) were in the informational message?


> But also, every exchange message that proved it is a new sequence number
> counts as "liveness probe". So if a REKEY happens, the "liveness" should
> also be updated.
>
>
This is why I filed https://github.com/libreswan/libreswan/issues/446
I'll make the .st_last_liveness update unconditional, which is less wrong
than the original code.
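Added example, not code from libreswan or from this thread: a standalone C routine that applies the same test as the snippet above (nothing following the SK header means a liveness probe) and otherwise tallies the D, N and CP payloads by walking the decrypted generic payload headers. The sample plaintext, the function and the struct are constructed for this example; only the payload type numbers come from RFC 7296.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* IKEv2 payload type numbers, RFC 7296 section 3.2. */
enum { NP_NONE = 0, NP_N = 41, NP_D = 42, NP_CP = 47 };

struct info_stats {
    bool liveness_probe;                 /* nothing follows the SK header */
    unsigned notifies, deletes, configs, others;
};

/* Walk the decrypted payload chain of an INFORMATIONAL request.
 * first_np is the Next Payload field of the SK payload header; inner/len
 * is the decrypted plaintext. Returns false if the chain is malformed. */
bool classify_informational(uint8_t first_np, const uint8_t *inner, size_t len,
                            struct info_stats *st)
{
    memset(st, 0, sizeof(*st));
    if (first_np == NP_NONE) {           /* the case the patch counts as a probe */
        st->liveness_probe = true;
        return true;
    }
    size_t off = 0;
    for (uint8_t np = first_np; np != NP_NONE; ) {
        if (len - off < 4)
            return false;                /* truncated generic header */
        uint16_t plen = (uint16_t)((inner[off + 2] << 8) | inner[off + 3]);
        if (plen < 4 || plen > len - off)
            return false;                /* bad payload length */
        switch (np) {
        case NP_N:  st->notifies++; break;
        case NP_D:  st->deletes++;  break;
        case NP_CP: st->configs++;  break;
        default:    st->others++;   break;
        }
        np = inner[off];                 /* Next Payload of this payload */
        off += plen;
    }
    return true;
}

/* Constructed sample: N(NAT_DETECTION_SOURCE_IP, 16388) then D(ESP). */
const uint8_t sample_inner[] = {
    NP_D, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,   /* N: next=D, len=28 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,          /* 20-byte hash, zeroed */
    NP_NONE, 0x00, 0x00, 0x0c, 0x03, 0x04, 0x00, 0x01, 0x12, 0x34, 0x56, 0x78,
};
```

With this split, a probe counter such as pstats_ike_dpd_replied only moves for the empty case, while the N/D/CP tallies give the per-type counts suggested above.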