[strongSwan-dev] Stroke message limit and big traffic selectors

Emeric POUPON emeric.poupon at stormshield.eu
Tue Dec 9 14:23:42 CET 2014


Hello,

I have a question about the stroke message (stroke_msg_t) and traffic selectors.

I tried to set up a connection involving a lot of comma separated IPv6 traffic selectors.
The connection is properly parsed by starter, but the stroke_msg_t is too small to contain both leftsubnet and rightsubnet tokens (STROKE_BUF_LEN is too small: 2048)

If the token is not set, its value silently falls back to the '::/0' selector, which is definitely not what I want!
If both tokens are not set, it's even worse, since I end up with a '::/0' === '::/0' policy.

I think it would be safer to set STROKE_BUF_LEN to a bigger value and to allocate the stroke_msg_t on the heap in starterstroke.c.
What do you think?

I have another question: is there a limit on the number of traffic selectors that can be presented by a peer? The RFC says the number of selectors is encoded in a byte, but I don't really know if 255 traffic selectors in a proposal make much sense?

Best Regards,

Emeric
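The failure mode described above (a token that does not fit in a fixed-size message is dropped, and the reader later substitutes the catch-all '::/0') is easy to reproduce with a toy model. The following C program is an added example; it is not strongSwan code and its `toy_msg_t`, `heap_msg_t` and `TOY_BUF_LEN` are stand-ins for `stroke_msg_t` and `STROKE_BUF_LEN`. It shows the lossy packing, then the two safer alternatives the post proposes: fail the whole build when a token does not fit, or size the message on the heap from the actual string lengths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed toy message: a fixed string pool with offsets into it.
 * Offset 0 is reserved to mean "token not set". Not strongSwan's stroke_msg_t. */
#define TOY_BUF_LEN 64
#define DEFAULT_TS  "::/0"

/* Constructed sample: a comma-separated IPv6 selector list longer than the pool. */
#define LONG_TS "2001:db8:0::/64,2001:db8:1::/64,2001:db8:2::/64," \
                "2001:db8:3::/64,2001:db8:4::/64"

typedef struct {
    size_t left;               /* offset of leftsubnet in buf, 0 = unset */
    size_t right;              /* offset of rightsubnet in buf, 0 = unset */
    size_t used;               /* bytes of buf consumed, starts at 1 */
    char   buf[TOY_BUF_LEN];
} toy_msg_t;

static void toy_init(toy_msg_t *m) {
    memset(m, 0, sizeof(*m));
    m->used = 1;               /* keep offset 0 free to mean "unset" */
}

/* Lossy push: a string that does not fit is dropped and 0 is returned. */
static size_t toy_push(toy_msg_t *m, const char *s) {
    size_t len = strlen(s) + 1;
    if (m->used + len > sizeof(m->buf)) return 0;
    size_t off = m->used;
    memcpy(m->buf + off, s, len);
    m->used += len;
    return off;
}

/* Reader side: an unset token becomes the wildcard selector. */
static const char *toy_get(const toy_msg_t *m, size_t off) {
    return off ? m->buf + off : DEFAULT_TS;
}

/* 1. Current behaviour: overflow is silent, the policy quietly widens. */
void build_lossy(const char *left, const char *right, toy_msg_t *m,
                 const char **out_left, const char **out_right) {
    toy_init(m);
    m->left  = toy_push(m, left);
    m->right = toy_push(m, right);
    *out_left  = toy_get(m, m->left);
    *out_right = toy_get(m, m->right);
}

/* 2. Fail closed: return -1 if any token was dropped, so the caller can
 *    refuse to load the connection instead of installing '::/0' === '::/0'. */
int build_checked(const char *left, const char *right, toy_msg_t *m) {
    toy_init(m);
    m->left  = toy_push(m, left);
    m->right = toy_push(m, right);
    return (m->left && m->right) ? 0 : -1;
}

/* 3. Heap-allocated message sized from the actual strings, so no limit applies. */
typedef struct {
    size_t left, right, used;
    char   buf[];              /* flexible array member, sized at malloc time */
} heap_msg_t;

heap_msg_t *build_heap(const char *left, const char *right) {
    size_t ll = strlen(left) + 1, rl = strlen(right) + 1;
    heap_msg_t *m = malloc(sizeof(*m) + 1 + ll + rl);
    if (!m) return NULL;
    m->used = 1;
    m->left = m->used;  memcpy(m->buf + m->left,  left,  ll); m->used += ll;
    m->right = m->used; memcpy(m->buf + m->right, right, rl); m->used += rl;
    return m;
}

int main(void) {
    toy_msg_t m;
    const char *l, *r;
    build_lossy(LONG_TS, LONG_TS, &m, &l, &r);
    printf("lossy:   %s === %s\n", l, r);            /* both collapse to ::/0 */
    printf("checked: %s\n", build_checked(LONG_TS, LONG_TS, &m) ? "rejected" : "ok");
    heap_msg_t *h = build_heap(LONG_TS, LONG_TS);
    if (h) { printf("heap:    %s === %s\n", h->buf + h->left, h->buf + h->right); free(h); }
    return 0;
}
```

The checked variant is the minimal change: it keeps the fixed buffer but turns a silent truncation into a load failure. The heap variant removes the limit altogether, which is what the post suggests for starterstroke.c.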