Menu
▾
▴
Re: [Ipsec-tools-devel] SA renewed indefinitely even if no traffic is flowing
|
From: Alexander G. <ga...@sw...> - 2005-12-12 17:42:59
|
On Mon, 12 Dec 2005 17:28:04 +0100, Francis Dupont <Fra...@en...> said:
> In your previous mail you wrote:
> Even though this looks like something very obvious to me, I couldn't
> find it mentioned in the list archive. I'm using ipsec-tools 0.6.3 on
> a Linux 2.6.13 kernel (the patch below is against 0.6.4 but this
> particular file hasn't changed).
> => according to racoon2 NEWS:
> 2005-08-31 FUKUMOTO Atsushi <ats...@to...>
> * iked/{ikev2_child.c,ike_conf.c,ike_pfkey.c}: Linux PF_KEY
> generates soft-expire regardless the SA was used or not.
Interesting. The PF_KEY API seems to require that an SADB_EXPIRE
message must be sent irrespective of whether the SA has been used or
not (RFC2367, section 3.1.8).
> => it seems you have the same problem so I suggest to copy the fix:
> 2005-09-02 KAMADA Ken'ichi <ka...@na...>
> * kinkd: The rekeying-forever problem on Linux was fixed by checking
> sadb_lifetime::sadb_lifetime_allocations on soft expire messages.
I think this is identical to my fix (usetime == 0 iff allocations ==
0). According to the citation above, it is correct to expect the
SADB_EXT_LIFETIME_CURRENT to always be present as well. Therefore, I
suggest that this patch should be considered for integration.
> Note that BSD* have the opposite problem: they don't send an EXPIRE
> message for hard-expire (so unused SAs are not rekeyed without a fix).
I suppose the fix is to have the kernel send expire messages for both
soft and hard limits, as per RFC 2367 :-)
It escapes me why anyone would like to replace SAs that have not been
used, though.
Thanks,
--
Alex
|