From: Alexander G. <ga...@sw...> - 2005-12-12 17:42:59

On Mon, 12 Dec 2005 17:28:04 +0100, Francis Dupont <Fra...@en...> said:

> In your previous mail you wrote:
>
> > Even though this looks like something very obvious to me, I couldn't
> > find it mentioned in the list archive. I'm using ipsec-tools 0.6.3 on
> > a Linux 2.6.13 kernel (the patch below is against 0.6.4 but this
> > particular file hasn't changed).
>
> => according to racoon2 NEWS:
>
>   2005-08-31  FUKUMOTO Atsushi <ats...@to...>
>     * iked/{ikev2_child.c,ike_conf.c,ike_pfkey.c}: Linux PF_KEY
>       generates soft-expire regardless the SA was used or not.

Interesting. The PF_KEY API seems to require that an SADB_EXPIRE message
must be sent irrespective of whether the SA has been used or not
(RFC 2367, section 3.1.8).

> => it seems you have the same problem so I suggest to copy the fix:
>
>   2005-09-02  KAMADA Ken'ichi <ka...@na...>
>     * kinkd: The rekeying-forever problem on Linux was fixed by checking
>       sadb_lifetime::sadb_lifetime_allocations on soft expire messages.

I think this is identical to my fix (usetime == 0 iff allocations == 0).
According to the citation above, it is correct to expect the
SADB_EXT_LIFETIME_CURRENT to always be present as well. Therefore, I
suggest that this patch should be considered for integration.

> Note that BSD* have the opposite problem: they don't send an EXPIRE
> message for hard-expire (so unused SAs are not rekeyed without a fix).

I suppose the fix is to have the kernel send expire messages for both
soft and hard limits, as per RFC 2367 :-)

It escapes me why anyone would like to replace SAs that have not been
used, though.

Thanks,
-- 
Alex
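The check the thread settles on (look at SADB_EXT_LIFETIME_CURRENT in a soft SADB_EXPIRE and treat zero allocations, and hence usetime == 0, as "never used, do not rekey") is shown below in C as an added example. It is not code from ipsec-tools, racoon2, kinkd or the patch discussed in this thread. The struct layouts and constants are those of RFC 2367, reproduced locally so the file builds without <linux/pfkeyv2.h>; the messages it classifies are constructed in the block rather than read from a real PF_KEY socket, and `classify_expire`, `build_expire`, `verdict_for` and the `verdict` enum are this example's own names.

```c
/* Added example: classify a PF_KEY SADB_EXPIRE message by whether the SA it
 * reports was ever used. Not project code; RFC 2367 layouts reproduced here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PF_KEY_V2                 2
#define SADB_EXPIRE               8
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD    3
#define SADB_EXT_LIFETIME_SOFT    4
#define PFKEY_UNIT64(bytes)       ((uint16_t)((bytes) / 8)) /* *_len is in 64-bit words */

struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_lifetime {
    uint16_t sadb_lifetime_len, sadb_lifetime_exttype;
    uint32_t sadb_lifetime_allocations;
    uint64_t sadb_lifetime_bytes, sadb_lifetime_addtime, sadb_lifetime_usetime;
};

/* Example's own verdicts; a daemon maps these onto its rekeying policy. */
enum verdict { EXPIRE_MALFORMED = -1, EXPIRE_SOFT_UNUSED, EXPIRE_SOFT_REKEY, EXPIRE_HARD };

/* Walk the extension chain, bounds-checking each length before trusting it.
 * A soft expire whose LIFETIME_CURRENT shows zero allocations (and so a zero
 * usetime) is for an SA that never carried traffic: no reason to rekey. */
enum verdict classify_expire(const uint8_t *buf, size_t len)
{
    struct sadb_msg msg;
    struct sadb_lifetime cur = {0};
    int have_soft = 0, have_hard = 0, have_cur = 0;
    size_t off = sizeof msg;

    if (len < sizeof msg) return EXPIRE_MALFORMED;
    memcpy(&msg, buf, sizeof msg);
    if (msg.sadb_msg_version != PF_KEY_V2 || msg.sadb_msg_type != SADB_EXPIRE ||
        (size_t)msg.sadb_msg_len * 8 != len)
        return EXPIRE_MALFORMED;

    while (off + sizeof(struct sadb_ext) <= len) {
        struct sadb_ext ext;
        memcpy(&ext, buf + off, sizeof ext);
        size_t elen = (size_t)ext.sadb_ext_len * 8;
        if (elen < sizeof ext || elen > len - off) return EXPIRE_MALFORMED;
        switch (ext.sadb_ext_type) {
        case SADB_EXT_LIFETIME_SOFT: have_soft = 1; break;
        case SADB_EXT_LIFETIME_HARD: have_hard = 1; break;
        case SADB_EXT_LIFETIME_CURRENT:
            if (elen != sizeof cur) return EXPIRE_MALFORMED;
            memcpy(&cur, buf + off, sizeof cur);
            have_cur = 1;
            break;
        default: break;                /* SA, addresses, ...: not needed here */
        }
        off += elen;
    }
    if (off != len || !have_cur) return EXPIRE_MALFORMED; /* RFC 2367 3.1.8: CURRENT is mandatory */
    if (have_hard) return EXPIRE_HARD;                    /* the SA is already gone */
    if (!have_soft) return EXPIRE_MALFORMED;
    return (cur.sadb_lifetime_allocations == 0 && cur.sadb_lifetime_usetime == 0)
           ? EXPIRE_SOFT_UNUSED : EXPIRE_SOFT_REKEY;
}

/* Build a constructed SADB_EXPIRE (not a captured kernel message) into buf and
 * return its byte length; include_current = 0 omits the mandatory CURRENT block. */
size_t build_expire(uint8_t *buf, uint16_t which_lifetime, int include_current,
                    uint32_t allocations, uint64_t usetime)
{
    struct sadb_msg msg = {0};
    struct sadb_lifetime lt = {0};
    size_t off = 0;

    msg.sadb_msg_version = PF_KEY_V2;
    msg.sadb_msg_type    = SADB_EXPIRE;
    msg.sadb_msg_len     = PFKEY_UNIT64(sizeof msg + (include_current ? 2 : 1) * sizeof lt);
    memcpy(buf + off, &msg, sizeof msg); off += sizeof msg;

    lt.sadb_lifetime_len     = PFKEY_UNIT64(sizeof lt);
    lt.sadb_lifetime_exttype = which_lifetime;          /* the SOFT or HARD limit that fired */
    memcpy(buf + off, &lt, sizeof lt); off += sizeof lt;

    if (include_current) {
        lt.sadb_lifetime_exttype     = SADB_EXT_LIFETIME_CURRENT;
        lt.sadb_lifetime_allocations = allocations;
        lt.sadb_lifetime_usetime     = usetime;
        memcpy(buf + off, &lt, sizeof lt); off += sizeof lt;
    }
    return off;
}

/* Build then classify, so each scenario is a one-liner. */
enum verdict verdict_for(uint16_t which_lifetime, int include_current,
                         uint32_t allocations, uint64_t usetime)
{
    uint8_t buf[sizeof(struct sadb_msg) + 2 * sizeof(struct sadb_lifetime)];
    size_t n = build_expire(buf, which_lifetime, include_current, allocations, usetime);
    return classify_expire(buf, n);
}

int main(void)
{
    printf("soft, never used      -> %d\n", verdict_for(SADB_EXT_LIFETIME_SOFT, 1, 0, 0));
    printf("soft, 12 packets      -> %d\n", verdict_for(SADB_EXT_LIFETIME_SOFT, 1, 12, 1134394200ULL));
    printf("soft, CURRENT missing -> %d\n", verdict_for(SADB_EXT_LIFETIME_SOFT, 0, 0, 0));
    return 0;
}
```

Two points a practitioner would keep from this: the extension walker never trusts `sadb_ext_len` before checking it against the remaining buffer, since a daemon that parses kernel messages should still fail closed on a truncated or oversized chain; and a soft expire that arrives without LIFETIME_CURRENT is reported as malformed rather than silently rekeyed, which is the reading of RFC 2367 section 3.1.8 that the message above relies on. Whether a hard expire for an unused SA should trigger a rekey is left to the caller, as that is the policy question the thread disagrees on.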