[strongSwan-dev] reqid handling

Martin Willi martin at strongswan.org
Thu Oct 23 12:04:49 CEST 2014


> Technically, in kernel the reqid is specified in SPD, and used to
> filter which SA is selected. This means that it's perfectly ok
> for multiple SPDs to have same reqid and share SAs. It is also not
> reverse mappable as multiple SAs can have same reqid but there can be
> still unique or non-unique mapping back to SPDs which may use the SA.

FYI, I'm working on a solution to solve these issues, namely:

      * Introduce a unique_id option on the CHILD_SA, which is truly
        unique, similar to the IKE_SA unique identifier. This new id is
        used mostly by the administrator to select CHILD_SAs uniquely
        (to control them).
      * Replace the current lookups by reqid by something more unique.
        As the kernel should not know too much about that unique_id, we
        will use the SPI/protocol/dst selector where appropriate. For
        non-kernel triggered jobs we also can consider using the new
      * Add a central, fast lookup facility to find IKE_SAs by
        SPI/protocol/dst and by the new unique_id. I'll most likely
        introduce a new global mapping database for that, as
        ike_sa_manager is probably complex enough.
      * The existing reqid will be mostly used internally by the
        kernel-interface only, to map policies to SAs.

There is no code to share just yet, but I'll keep you updated.
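The lookup scheme sketched in the list above (reqid kept only as the kernel's policy-to-SA binding, exact lookups keyed by SPI/protocol/dst and by a new unique_id), as an added example in C. This is illustration code written for this page, not strongSwan code: the sa_db_* functions, the child_sa_t layout, and the SPIs and addresses in the self-test are all invented for it.

```c
/* Added example, not strongSwan code: a toy CHILD_SA table showing why the
 * reqid cannot serve as a unique handle, while (SPI, protocol, dst) and a
 * separately allocated unique_id can. All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAS 16
enum { PROTO_ESP = 50, PROTO_AH = 51 };   /* IP protocol numbers */

typedef struct {
    uint32_t unique_id;  /* allocated from a monotonic counter, never reused */
    uint32_t reqid;      /* binds kernel policies to SAs; may be shared */
    uint32_t spi;        /* inbound SPI of this CHILD_SA */
    uint8_t  proto;      /* PROTO_ESP or PROTO_AH */
    char     dst[40];    /* destination address as text, e.g. "10.0.0.2" */
} child_sa_t;

typedef struct {
    child_sa_t sas[MAX_SAS];
    size_t     count;
    uint32_t   next_unique_id;
} sa_db_t;

void sa_db_init(sa_db_t *db)
{
    memset(db, 0, sizeof(*db));
    db->next_unique_id = 1;              /* 0 is reserved as "no SA" */
}

/* Lookup by the kernel-visible key. The kernel keys inbound SAs by it, so at
 * most one entry can match and a single pointer is enough. */
const child_sa_t *sa_db_find_by_spi(const sa_db_t *db, uint32_t spi,
                                    uint8_t proto, const char *dst)
{
    for (size_t i = 0; i < db->count; i++) {
        const child_sa_t *sa = &db->sas[i];
        if (sa->spi == spi && sa->proto == proto && strcmp(sa->dst, dst) == 0)
            return sa;
    }
    return NULL;
}

/* Lookup by the administrator-facing unique_id; also at most one match. */
const child_sa_t *sa_db_find_by_unique_id(const sa_db_t *db, uint32_t unique_id)
{
    for (size_t i = 0; i < db->count; i++)
        if (db->sas[i].unique_id == unique_id)
            return &db->sas[i];
    return NULL;
}

/* Lookup by reqid must return a set: several SAs can carry the same reqid
 * (the thread's point that reqid is not reverse-mappable to one SA). */
size_t sa_db_find_by_reqid(const sa_db_t *db, uint32_t reqid,
                           const child_sa_t **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < db->count && n < max; i++)
        if (db->sas[i].reqid == reqid)
            out[n++] = &db->sas[i];
    return n;
}

/* Register a CHILD_SA. Returns its fresh unique_id, or 0 if the table is full
 * or the (SPI, protocol, dst) key is already taken. */
uint32_t sa_db_add(sa_db_t *db, uint32_t reqid, uint32_t spi, uint8_t proto,
                   const char *dst)
{
    if (db->count >= MAX_SAS || sa_db_find_by_spi(db, spi, proto, dst))
        return 0;
    child_sa_t *sa = &db->sas[db->count++];
    sa->unique_id = db->next_unique_id++;
    sa->reqid = reqid;
    sa->spi = spi;
    sa->proto = proto;
    snprintf(sa->dst, sizeof(sa->dst), "%s", dst);
    return sa->unique_id;
}

/* Constructed scenario: two CHILD_SAs to the same peer share reqid 1, as two
 * policies sharing SAs would. Returns 0 if every lookup behaves as expected,
 * otherwise the number of the failed step. */
int sa_db_selftest(void)
{
    sa_db_t db;
    const child_sa_t *hits[MAX_SAS];
    sa_db_init(&db);

    uint32_t a = sa_db_add(&db, 1, 0xc0ffee01, PROTO_ESP, "10.0.0.2");
    uint32_t b = sa_db_add(&db, 1, 0xc0ffee02, PROTO_ESP, "10.0.0.2");
    if (a != 1 || b != 2) return 1;
    /* reqid is ambiguous: both SAs match, so it cannot identify one CHILD_SA */
    if (sa_db_find_by_reqid(&db, 1, hits, MAX_SAS) != 2) return 2;
    /* the kernel key and the unique_id each pin down exactly one SA */
    if (sa_db_find_by_spi(&db, 0xc0ffee02, PROTO_ESP, "10.0.0.2")
            != sa_db_find_by_unique_id(&db, b)) return 3;
    /* a second SA with the same kernel key is rejected */
    if (sa_db_add(&db, 7, 0xc0ffee02, PROTO_ESP, "10.0.0.2") != 0) return 4;
    /* unknown ids resolve to nothing rather than to a "close" match */
    if (sa_db_find_by_unique_id(&db, 99) != NULL) return 5;
    return 0;
}

int main(void)
{
    printf("selftest: %d\n", sa_db_selftest());
    return 0;
}
```

The linear scans stand in for whatever indexed structure a real daemon would use; the point is the interface: a reqid query yields a set, while the SPI/protocol/dst and unique_id queries each yield at most one SA, which is what makes them usable as control handles.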
