<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 28 Sep 2020 at 15:11, Antony Antony <<a href="mailto:antony@phenome.org">antony@phenome.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Sep 28, 2020 at 12:44:03PM -0400, Andrew Cagney wrote:<br>
> I'm planning on removing the sanitizer ipsec-auto-up.n.sed.  It removes what I<br>
> consider to be important contextual  information from console.txt.  For<br>
> instance, consider this output:<br>
<br>
I think it is a useful sanitizer. Maybe it needs more tweaking; also it <br>
can be skipped easily; see below.<br></blockquote></div><div class="gmail_quote"><br></div><div class="gmail_quote">It's a bandaid hiding non-deterministic behaviour.<br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Either the re-transmit is relevant, and it should be retained, but made more robust; or the retransmit is not relevant and can be suppressed.  This sanitizer does neither.  It removes half the exchange obfuscating the output.  For instance, when nss-cert-crl-03-strict fails it produces this diff:</div><div class="gmail_quote"><br></div><div class="gmail_quote"><a href="https://testing.libreswan.org/v3.30-1834-g8b42ce739b-main/nss-cert-crl-03-strict/OUTPUT/west.console.diff">https://testing.libreswan.org/v3.30-1834-g8b42ce739b-main/nss-cert-crl-03-strict/OUTPUT/west.console.diff</a></div><div class="gmail_quote"><pre>--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
@@ -41,8 +41,6 @@
 1v1 "nss-cert-crl" #1: sent Main Mode I3
 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION
-003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
-003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION
 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>, E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>'
 002 "nss-cert-crl" #1: certificate verified OK: E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1
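Review bot: the two removed 003 lines are a verbatim repeat of the two context lines directly above them, so all this hunk records is that the INVALID_ID_INFORMATION notification was logged once instead of twice; nothing in the 8 old or 6 new lines says what elicited the second copy. Suggest the recorded output carry whatever event sits between the two pairs, so that a diff like this one can be read on its own.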
<br></pre></div><div class="gmail_quote"><div>so per my point:<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> --- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>
> +++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>
> @@ -41,8 +41,10 @@<br>
>  1v1 "nss-cert-crl" #1: sent Main Mode I3<br>
>  003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION,<br>
> msgid=00000000, length=12<br>
>  003 "nss-cert-crl" #1: received and ignored notification payload:<br>
> INVALID_ID_INFORMATION<br>
>  003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION,<br>
> msgid=00000000, length=12<br>
>  003 "nss-cert-crl" #1: received and ignored notification payload:<br>
> INVALID_ID_INFORMATION<br>
>  002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=<br>
> Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://east.testing.libreswan.org" rel="noreferrer" target="_blank">east.testing.libreswan.org</a>, E=<br>
> <a href="mailto:user-east@testing.libreswan.org" target="_blank">user-east@testing.libreswan.org</a>'<br>
>  002 "nss-cert-crl" #1: certificate verified OK: E=<br>
> <a href="mailto:user-east@testing.libreswan.org" target="_blank">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org" rel="noreferrer" target="_blank">east.testing.libreswan.org</a>,OU=Test<br>
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA<br>
>  003 "nss-cert-crl" #1: authenticated using RSA with SHA-1<br>
> <br>
> the duplicate "ignoring informational payload" seems to be from the other end<br>
> spontaneously sending duplicates (this is IKEv1 after all), and things take<br>
> time to establish because the other end was slow.  However, once retransmits<br>
> are visible:<br>
> <br>
> --- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>
> +++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>
> @@ -41,8 +41,10 @@<br>
>  1v1 "nss-cert-crl" #1: sent Main Mode I3<br>
>  003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION,<br>
> msgid=00000000, length=12<br>
>  003 "nss-cert-crl" #1: received and ignored notification payload:<br>
> INVALID_ID_INFORMATION<br>
> +010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds<br>
> for response<br>
>  003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION,<br>
> msgid=00000000, length=12<br>
>  003 "nss-cert-crl" #1: received and ignored notification payload:<br>
> INVALID_ID_INFORMATION<br>
> +010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for<br>
> response<br>
>  002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=<br>
> Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://east.testing.libreswan.org" rel="noreferrer" target="_blank">east.testing.libreswan.org</a>, E=<br>
> <a href="mailto:user-east@testing.libreswan.org" target="_blank">user-east@testing.libreswan.org</a>'<br>
>  002 "nss-cert-crl" #1: certificate verified OK: E=<br>
> <a href="mailto:user-east@testing.libreswan.org" target="_blank">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org" rel="noreferrer" target="_blank">east.testing.libreswan.org</a>,OU=Test<br>
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA<br>
>  003 "nss-cert-crl" #1: authenticated using RSA with SHA-1<br>
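Review bot: both added 010 lines carry a wait value (0.5 and 1 seconds) and each sits next to a repeated INVALID_ID_INFORMATION pair that is unchanged context, so the MASTER side already contains the duplicated notifications but neither retransmission that brackets them. Suggest recording the baseline with the 010 lines in place, or dropping the repeated pair together with them, so that the expected output shows the whole exchange or none of it.<br>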
> <br>
> it looks more likely that the re-transmit triggered forward progress. <br>
> Similarly, but in contrast:<br>
<br>
I guess you are saying in this test retransmits are expected.<br>
Change the "up" line to something like the following<br>
<br>
ipsec auto --up nss-cert-crl #retransmits<br>
<br></blockquote><div><br></div><div>And it does not help.  The test is still non-deterministic - it will pass/fail dependent on timing.<br></div><div><br></div><div>While you can certainly selectively use this sanitizer for specific cases, please don't apply it across all tests.  The last thing needed is for critical output - notably that a retransmit occurred - to magically disappear.<br></div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
and the sanitizer would leave the output alone.<br>
<br>
> --- MASTER/testing/pluto/ikev2-keyingtries-01/west.console.txt<br>
> +++ OUTPUT/testing/pluto/ikev2-keyingtries-01/west.console.txt<br>
<br>
as far as I see this test also needs #retransmits after the up.<br>
So these two test cases could be fixed! <br>
<br>
PS: previous discussion: <br>
<a href="https://lists.libreswan.org/pipermail/swan-dev/2020-February/003664.html" rel="noreferrer" target="_blank">https://lists.libreswan.org/pipermail/swan-dev/2020-February/003664.html</a><br>
</blockquote></div></div>
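The disagreement in this thread, as an added example that is not part of either message and is not libreswan code: `sanitize()` is a hypothetical stand-in for ipsec-auto-up.n.sed (the real script is not shown in the thread), and the log lines are constructed from the console output quoted above. It shows that stripping only the retransmission lines still leaves a timing-dependent diff, and that the `#retransmits` marker keeps the lines without making the two runs compare equal.

```python
import difflib
import re

# Constructed sample lines, modelled on the console output quoted in the thread.
SENT = '1v1 "nss-cert-crl" #1: sent Main Mode I3'
NOTIFY = [
    '003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12',
    '003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION',
]
DONE = '003 "nss-cert-crl" #1: authenticated using RSA with SHA-1'

def retransmit(wait):
    return f'010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait {wait} seconds for response'

# Slow peer: the initiator retransmits and the notification is logged twice.
SLOW_RUN = ["ipsec auto --up nss-cert-crl", SENT, *NOTIFY, retransmit("0.5"), *NOTIFY, retransmit("1"), DONE]
# Fast peer: no retransmission, one notification.
FAST_RUN = ["ipsec auto --up nss-cert-crl", SENT, *NOTIFY, DONE]

RETRANSMIT_RE = re.compile(r"^010 .*: retransmission; will wait [\d.]+ seconds for response$")

def sanitize(lines):
    """Hypothetical model of the sanitizer: after an 'up' command, drop the
    retransmission lines unless the command carries the #retransmits marker."""
    out, strip = [], False
    for line in lines:
        if line.startswith("ipsec auto --up"):
            strip = "#retransmits" not in line
        if strip and RETRANSMIT_RE.match(line):
            continue
        out.append(line)
    return out

def with_marker(lines):
    """Append the #retransmits marker to the 'up' command on the first line."""
    return [lines[0] + " #retransmits", *lines[1:]]

def changed(expected, actual):
    """Return only the +/- body lines of a unified diff between two logs."""
    diff = difflib.unified_diff(expected, actual, lineterm="", n=0)
    return [d for d in diff if d[0] in "+-" and not d.startswith(("+++", "---"))]

if __name__ == "__main__":
    print("sanitized, slow baseline vs fast run:")
    for d in changed(sanitize(SLOW_RUN), sanitize(FAST_RUN)):
        print(" ", d)
    print("with #retransmits, slow baseline vs fast run:")
    for d in changed(sanitize(with_marker(SLOW_RUN)), sanitize(with_marker(FAST_RUN))):
        print(" ", d)
```
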