<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi,</div>
<div> </div>
<div>My test results and strongswan code browse for a use case have led to below understanding.</div>
<div> </div>
<div> </div>
<div>Use Case :</div>
<div> </div>
<div>Client requests for a virtual IP from server. </div>
<div>Server assigns a virtual IP to it.</div>
<div>Client get rebooted without informing Server – i.e. Server still maintains the old lease, DPD kicks in for this lease at server.</div>
<div>Client comes up (before DPD at server for old lease has expired) and asks for another virtual IP.</div>
<div>Server assigns a new virtual IP. </div>
<div> </div>
<div>Observations :</div>
<div> </div>
<ol style="margin:0;padding-left:36pt;">
<li>The old lease becomes unusable. Server is not able to assign the old Iease to any new connection.</li></ol>
<div style="padding-left:36pt;"> </div>
<ol start="2" style="margin:0;padding-left:36pt;">
<li>After the DPD expires for old lease at server, the client identity (even with new lease) is marked as ‘offline’. </li></ol>
<div> </div>
<div> </div>
<div>Understanding from Code Browse :</div>
<div> </div>
<ol style="margin:0;padding-left:36pt;">
<li>At client request, a ‘put’ is performed on ‘online’ hashtable. This ‘put’ function creates an entry in the hashtable if entry for ‘key’(client identity) does not exist, but if the ‘key’ exists, replaces the current value(old lease) with new one(new lease).</li></ol>
<div> </div>
<div> What will be the destiny of old lease in a case where the old lease has not been even moved to ‘offline’ hashtable?</div>
<div> </div>
<div> Entries that go to ‘offline’ hashtable(say, when DPD expires) alone are the ones that get reused in case of pool exhaustion.</div>
<div> </div>
<div> So, in case a client requests for a second virtual IP, even before the old virtual IP has been moved to ‘offline’ hashtable, the old lease gets replaced in ‘online’ hashtable and becomes unusable by Server. </div>
<div> </div>
<div> </div>
<ol start="2" style="margin:0;padding-left:36pt;">
<li>After DPD for old lease expires at Server, Server marks the client identity (with new lease) as ‘offline’ because the code just checks the identity and not the assigned leases. This is problematic because, policies and SAs with the new lease still exist
in kernel.</li></ol>
<div> </div>
<div> </div>
<div>Can someone comment if above 2 are ‘bugs’ in strongswan?</div>
<div> </div>
<div> </div>
<div>Thanks</div>
<div>Sumit</div>
<div> </div>
<div> </div>
</span></font>
</body>
</html>