<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 29 Mar 2021 at 10:29, Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> ---------- Forwarded message ----------<br>
> Date: Mon, 29 Mar 2021 10:20:03<br>
> From: Andrew Cagney <<a href="mailto:cagney@vault.libreswan.fi" target="_blank">cagney@vault.libreswan.fi</a>><br>
> To: <a href="mailto:swan-commit@lists.libreswan.org" target="_blank">swan-commit@lists.libreswan.org</a><br>
> Subject: [Swan-commit] Changes to ref refs/heads/main<br>
> <br>
> New commits:<br>
> commit 63b3386362df35844c7a6454e62d811c74264425<br>
> Author: Andrew Cagney <<a href="mailto:cagney@gnu.org" target="_blank">cagney@gnu.org</a>><br>
> Date: Mon Mar 29 10:18:13 2021 -0400<br>
><br>
> testing: sprinkle ping-once and wait-for<br>
><br>
> left wondering if the timeout to magically delete shunts should<br>
> be set to something huge so that they don't come and go in<br>
> test results<br>
<br>
It's best to leave this alone for now. We are getting kernel code soon<br>
that will should make OE shunts disappear soon. That is, when installing<br>
a /24 %trap, and installing a /32 IPsec SA, this leftover right now<br>
should soon (after pCPU code hits upstream) be avoidable by setting an<br>
additional flag to the XFRM message.<br>
<br></blockquote><div><br></div><div>Ya.</div><div><br></div><div>I suspect, because I'm removing artificial delays in the tests, the chances of us seeing a larval state in the output has increased vis:<br></div></div><div class="gmail_quote"><br></div><div class="gmail_quote">@@ -71,6 +71,10 @@<br> replay-window 32 flag af-unspec<br> aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>+src 192.1.3.33 dst 192.1.2.23<br>+ proto esp spi 0xSPISPI reqid REQID mode transport<br>+ replay-window 0 <br>+ sel src <a href="http://192.1.3.33/32">192.1.3.33/32</a> dst <a href="http://192.1.2.23/32">192.1.2.23/32</a> proto icmp type 8 code 0 dev eth1 <br></div><div class="gmail_quote"><br></div><div class="gmail_quote">And this brings me to a second, somewhat related, issue:<br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Larval states, which always have <<spi 0x00000000>> should not have their SPI sanitized. It is just confusing. I'd assume it is done because no one thought otherwise. Instead they should be left alone vis:</div><div class="gmail_quote"><br></div><div class="gmail_quote"> src 192.1.3.209 dst 192.1.2.23<br>- proto esp spi 0xSPISPI reqid REQID mode transport<br>+ proto esp spi 0x00000000 reqid REQID mode transport<br> replay-window 0 <br> sel src <a href="http://192.1.3.209/32">192.1.3.209/32</a> dst <a href="http://192.1.2.23/32">192.1.2.23/32</a> proto icmp type 8 code 0 dev eth0 <br></div><div class="gmail_quote"><br></div><div class="gmail_quote">or even, to make what the state is more obvious:<br></div><div class="gmail_quote"><br></div><div class="gmail_quote"> src 192.1.3.209 dst 192.1.2.23<br>- proto esp spi 0xSPISPI reqid REQID mode transport<br>+ proto esp spi 0xLARVAL reqid REQID mode transport<br> replay-window 0 <br> sel src <a href="http://192.1.3.209/32">192.1.3.209/32</a> dst <a href="http://192.1.2.23/32">192.1.2.23/32</a> proto icmp type 8 code 0 dev eth0</div><div class="gmail_quote"><br></div><br><div class="gmail_quote"><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
For regular on-demand tunnels, since we replace the %trap fully, there<br>
should not be a leftover larval state.<br>
<br>
Paul<br>
_______________________________________________<br>
Swan-dev mailing list<br>
<a href="mailto:Swan-dev@lists.libreswan.org" target="_blank">Swan-dev@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan-dev" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan-dev</a><br>
</blockquote></div></div>