<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-IN" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a query regarding the usage of “lifebytes” and “marginbytes”.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Is the soft bytes expiry (due to lifebytes, marginbytes) handled in the same manner as soft time expiry (due to keylife, margintime)?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>I read in another thread that there is a code segment in child_sa.c to prevent multiple rekey initiation due to soft time expiry. Does the same apply for soft bytes expiry?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">3)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Is there any difference between rekeying getting initiated due to soft bytes expiry for the outbound SA and rekeying getting initiated due to soft bytes expiry for the inbound SA?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am using strongSwan 5.0.0.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am facing an issue of continuous rekeying getting initiated due to continuously receiving “XFRM_MSG_EXPIRE” from the kernel during soft bytes expiry.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The issue, strangely, happens from the 2<sup>nd</sup> rekeying onwards. During the first rekeying everything is fine.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">“ip -s xfrm state” output before and after rekeying due to soft bytes expiry is given below:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">root# ip -s xfrm state<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">src 60.60.60.3 dst 70.70.70.2<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> proto esp spi 0xc61f69dc(3323947484) reqid 1(0x00000001) mode tunnel<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> auth-trunc hmac(sha1) 0xf24529a8d5eeb0f1b606c822d5d5b59ac2f66308 (160 bits) 96<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> enc cbc(aes) 0xab62a2a829ab5ce1f0e7c06859898521 (128 bits)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime config:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft 89855(bytes), hard 102400(bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft (INF)(packets), hard (INF)(packets)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire add: soft 80272(sec), hard 86400(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire use: soft 0(sec), hard 0(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime current:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> 73480(bytes), 867(packets)
</span><b>< ---- Before Expiry</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> add 2014-11-12 10:21:19 use 2014-11-12 10:21:19<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> stats:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 0 replay 0 failed 0<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">src 70.70.70.2 dst 60.60.60.3<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> proto esp spi 0xc6a6a0ac(3332808876) reqid 1(0x00000001) mode tunnel<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> auth-trunc hmac(sha1) 0x27684d5edc76ff2aa8483463a285ebf1bb9c9e3f (160 bits) 96<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> enc cbc(aes) 0xaa69a832a5081b7a70e4f51ef28d4155 (128 bits)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime config:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft 85238(bytes), hard 102400(bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft (INF)(packets), hard (INF)(packets)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire add: soft 79325(sec), hard 86400(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire use: soft 0(sec), hard 0(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime current:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> 85040(bytes), 877(packets)</span><b> < ---- Before Expiry</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> add 2014-11-12 10:21:19 use 2014-11-12 10:21:19<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> stats:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 0 replay 0 failed 0<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">root#<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">root# ip -s xfrm state<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">src 60.60.60.3 dst 70.70.70.2<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> proto esp spi 0xc1964f0d(3247853325) reqid 1(0x00000001) mode tunnel</span><b>< ---- After Expiry-1 ( SPID has changed, rekey has happened)</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> auth-trunc hmac(sha1) 0xb04c092c437cd7ccc7a83ef185a3e819fe4474b8 (160 bits) 96<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> enc cbc(aes) 0xcadf33240aaaa60fac6843192a07b8c4 (128 bits)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime config:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft 86349(bytes), hard 102400(bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft (INF)(packets), hard (INF)(packets)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire add: soft 82479(sec), hard 86400(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire use: soft 0(sec), hard 0(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime current:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> 2880(bytes), 5(packets)</span><b> < ---- After Expiry-1</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> add 2014-11-12 10:28:24 use 2014-11-12 10:28:24<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> stats:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 0 replay 0 failed 0<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">src 70.70.70.2 dst 60.60.60.3<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> proto esp spi 0xcd6a7881(3446306945) reqid 1(0x00000001) mode tunnel</span><b>< ---- After Expiry-1 ( SPID has changed, rekey has happened)</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> auth-trunc hmac(sha1) 0x056ad13248c1f20989f5f0ef3bfed7503b69ae26 (160 bits) 96<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> enc cbc(aes) 0xdcffb61a4bbc7993e11ac3d8281d90ca (128 bits)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime config:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft 87884(bytes), hard 102400(bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft (INF)(packets), hard (INF)(packets)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire add: soft 81655(sec), hard 86400(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire use: soft 0(sec), hard 0(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime current:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> 54428(bytes), 50(packets)
</span><b>< ---- After Expiry-1</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> add 2014-11-12 10:28:24 use 2014-11-12 10:28:24<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> stats:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 0 replay 0 failed 3<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">root#<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">root# ip -s xfrm state<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">src 60.60.60.3 dst 70.70.70.2<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> proto esp spi 0xcf8b0939(3481995577) reqid 1(0x00000001) mode tunnel
</span><b>< ---- After Expiry-2 ( SPID has changed, rekey has happened again in 1-2 seconds)</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> auth-trunc hmac(sha1) 0xd3c489168a8c6d575a8bc595b5e52bd2356a2178 (160 bits) 96<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> enc cbc(aes) 0xc682d48bd79e0dad1c1d405065563a55 (128 bits)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime config:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft 85919(bytes), hard 102400(bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft (INF)(packets), hard (INF)(packets)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire add: soft 82004(sec), hard 86400(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire use: soft 0(sec), hard 0(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime current:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> 0(bytes), 0(packets)</span><b> < ---- After Expiry-2</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> add 2014-11-12 10:28:26 use -<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> stats:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 0 replay 0 failed 0<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">src 70.70.70.2 dst 60.60.60.3<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> proto esp spi 0xcda07a90(3449846416) reqid 1(0x00000001) mode tunnel</span><b>< ---- After Expiry-2 ( SPID has changed, rekey has happened again in 1-2 seconds)</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> auth-trunc hmac(sha1) 0x05478f2f33f603a2dd97bc2c96ec3471e6b1e3d2 (160 bits) 96<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> enc cbc(aes) 0x2fa1422441f1463ee8bf40e47eba8890 (128 bits)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime config:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft 86839(bytes), hard 102400(bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> limit: soft (INF)(packets), hard (INF)(packets)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire add: soft 81297(sec), hard 86400(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> expire use: soft 0(sec), hard 0(sec)<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> lifetime current:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> 39828(bytes), 42(packets)</span><b> < ---- After Expiry-2</b></i><i><span style="font-size:10.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> add 2014-11-12 10:28:26 use 2014-11-12 10:28:26<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> stats:<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> replay-window 0 replay 0 failed 5<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"><o:p> </o:p></span></i></p>
<p class="MsoNormal">“ip -s xfrm state” outputs for <b><i>After Expiry-1 </i></b>and<b><i> After Expiry-2</i></b> were captured at a 1-2 second interval. How does the lifetime current bytes count reach such high values of 54428 and 39828 all of a sudden during rekeying? I think rekeying is getting initiated due to such an erroneous byte count after rekeying.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The issue is faced only during soft bytes expiry and not during soft time expiry.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please help if anyone has a clue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks and Regards,<o:p></o:p></p>
<p class="MsoNormal">Prasobh<o:p></o:p></p>
</div>
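<p class="MsoNormal">An added example, not part of the original message and not strongSwan code: a parser for the “ip -s xfrm state” fields shown above that extrapolates each SA's average byte rate to its soft byte limit, which helps tell a counter that is filling through traffic from one that is wrong. The function names, the 5-second horizon and the capture time NOW are assumptions; the sample is abridged from the “After Expiry-1” capture.</p>

```python
import re
from datetime import datetime

# Abridged from the "After Expiry-1" capture in the message; key material omitted.
SAMPLE = """\
src 60.60.60.3 dst 70.70.70.2
    proto esp spi 0xc1964f0d(3247853325) reqid 1(0x00000001) mode tunnel
    lifetime config:
      limit: soft 86349(bytes), hard 102400(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      2880(bytes), 5(packets)
      add 2014-11-12 10:28:24 use 2014-11-12 10:28:24
src 70.70.70.2 dst 60.60.60.3
    proto esp spi 0xcd6a7881(3446306945) reqid 1(0x00000001) mode tunnel
    lifetime config:
      limit: soft 87884(bytes), hard 102400(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      54428(bytes), 50(packets)
      add 2014-11-12 10:28:24 use 2014-11-12 10:28:24
"""
# Assumption: the capture time is not in the output; the message says "1-2 second interval".
NOW = datetime(2014, 11, 12, 10, 28, 25)

HEAD = re.compile(r"^src (\S+) dst (\S+)")
SPI = re.compile(r"proto \w+ spi (0x[0-9a-fA-F]+)")
LIMIT = re.compile(r"limit: soft (\d+|\(INF\))\(bytes\), hard (\d+|\(INF\))\(bytes\)")
CURRENT = re.compile(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)")
ADDED = re.compile(r"^\s*add (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def parse_sas(text):
    """Return one dict per SA with its SPI, byte limits, byte counter and add time."""
    sas = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            sas.append({"src": m[1], "dst": m[2]})
        elif not sas:
            continue
        elif m := SPI.search(line):
            sas[-1]["spi"] = m[1]
        elif m := LIMIT.search(line):
            soft, hard = (None if v == "(INF)" else int(v) for v in m.groups())
            sas[-1].update(soft=soft, hard=hard)
        elif m := CURRENT.match(line):
            sas[-1].update(bytes=int(m[1]), packets=int(m[2]))
        elif m := ADDED.match(line):
            sas[-1]["added"] = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
    return sas

def seconds_to_soft_limit(sa, now):
    """Extrapolate the SA's average byte rate to its soft byte limit."""
    if sa.get("soft") is None or not sa.get("bytes") or "added" not in sa:
        return None  # no byte limit, or nothing to extrapolate from
    age = max((now - sa["added"]).total_seconds(), 1.0)  # timestamps have 1 s resolution
    return max(sa["soft"] - sa["bytes"], 0) * age / sa["bytes"]

def imminent(sas, now, horizon=5.0):
    """SPIs projected to hit the soft byte limit within `horizon` seconds."""
    etas = ((sa.get("spi"), seconds_to_soft_limit(sa, now)) for sa in sas)
    return [spi for spi, eta in etas if eta is not None and eta < horizon]

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["spi"], sa["bytes"], "of", sa["soft"], seconds_to_soft_limit(sa, NOW))
```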
</body>
</html>