[strongSwan-dev] Race condition in IKEv2 IKE_SA_INIT message exchange
Christophe Gouault
christophe.gouault at 6wind.com
Mon Apr 7 16:45:02 CEST 2014
Hi strongSwan developers,
I am currently running performance tests with the load-tester plugin on
and experienced a few race conditions during the IKE_SA_INIT message
exchange:
On the load-tester (initiator) side, the ikeInInvalidSpi counter
evaluates to 2 or 3 (out of 200K negotiations).
After deeper investigation, it happens that from time to time, the
initiator receives an IKE_SA_INIT reply before it has checked in the
newly created IKE_SA. ike_sa_manager.checkout_by_message() can therefore
not find the IKE_SA. The message is dropped and the responder must later
retransmit its IKE_SA_INIT reply.
Shouldn't the new IKE_SA be checked in before the IKE_SA_INIT request is
actually sent?
Best regards,
Christophe
More information about the Dev
mailing list