[strongSwan-dev] [PATCH 1/2] Fix packet drop due to race condition on initiator

Christophe Gouault christophe.gouault at 6wind.com
Fri Jul 11 15:30:40 CEST 2014

Hi Martin,

2014-07-11 12:35 GMT+02:00 Martin Willi <martin at strongswan.org>:
> Christophe,
>> Insert new ike_sas in the sa table as soon as they are created in
>> checkout_new.
> Thanks for your patch.
> Unfortunately, it is not unproblematic. The problem is that
> checkout_new() is called from threads holding another IKE_SA, for
> example during rekeying. This results in the situation that a thread
> holds two IKE_SAs, which breaks the golden rule to avoid deadlocks.

I see, this is evil ;-)

> If I remember correctly, some years ago we explicitly changed the
> behavior to register the IKE_SA not before check-in to exactly avoid
> dead-locks resulting from this behavior.
> I don't know if there is a better fix for this issue, but I don't think
> there really is one needed. Under high load, packet drops can occur.
> This are not ideal, but it will happen anyway. Retransmission should
> take care that the SA comes up nonetheless.

Admittedly, however I'm a little concerned that this packet drop is
due to a problem of scheduling, not of capacity. The retransmission is
a little waste.

I'll cogitate to see if I can find another solution that does not
entail potential deadlocks.

Best Regards,

> Regards
> Martin

More information about the Dev mailing list