[Swan-dev] Ipcomp and get_sa_info()

Andrew Cagney andrew.cagney at gmail.com
Fri Mar 25 23:36:48 EET 2022 

On Fri, 25 Mar 2022 at 16:44, Paul Wouters <paul at nohats.ca> wrote:
>
> Are we sure the code was not wrong ?
>
> Some tests with ipcomp used ping which didn’t compress enough and would actually go out over the non-ipcomp transform.

Hence tests sending really large pings.

> I believe our code was wrong but I also think we might need to pull traffic from the regular and ipcomp state.

Yes.

For instance, here's an outgoing ping packet growing in size (oops):

192.1.2.45 192.1.2.23
       ipcomp mode=tunnel
        C: deflate
      current: 104(bytes)     hard: 0(bytes)  soft: 0(bytes)
192.1.2.45 192.1.2.23
       esp mode=transport
    E: aes-cbc  6612ad1b 76716a96 01dae8ff 7745402c
      current: 152(bytes)     hard: 0(bytes)  soft: 0(bytes)

while the incoming response skips deflate:

192.1.2.23 192.1.2.45
     esp mode=tunnel
      E: aes-cbc
      current: 104(bytes)     hard: 0(bytes)  soft: 0(bytes)
192.1.2.23 192.1.2.45
       ipcomp mode=tunnel
        C: deflate
      current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)


> Paul
>
> Begin forwarded message:
>
> From: "D. Hugh Redelmeier" <hugh at vault.libreswan.fi>
> Date: March 25, 2022 at 21:30:54 GMT+1
> To: swan-commit at lists.libreswan.org
> Subject: [Swan-commit] Changes to ref refs/heads/main
> Reply-To: swan-dev at lists.libreswan.org
>
> New commits:
> commit 1062a663482b9b3841f0a48e5c99b4dd70757793
> Author: D. Hugh Redelmeier <hugh at mimosa.com>
> Date:   Fri Mar 25 16:15:15 2022 -0400
>
>    pluto: tidy things around ipsec_proto_info.present and get_sa_info()
>
>    - get_sa_info does nothing for IPCOMP so don't call it for such SAs
>
>    - get rid of a few confusing redundant parentheses
>
>    - remove redundant test terms from get_sa_info
>
>    - show_established_child_details: display flow counts for each kind of
>      SA in the same order.
>
>    - show_established_child_details: don't try to display flow counts for
>      IPCOMP from get_sa_info since it never gives any
>
> _______________________________________________
> Swan-commit mailing list
> Swan-commit at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-commit
>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list