[strongSwan-dev] reqid handling

Timo Teras timo.teras at iki.fi
Wed Oct 29 13:58:47 CET 2014


Hi Martin,

On Thu, 23 Oct 2014 12:04:49 +0200
Martin Willi <martin at strongswan.org> wrote:

> > Technically, in kernel the reqid is specified in SPD, and used to
> > filter which SA is selected. This means that it's perfectly ok
> > for multiple SPDs to have same reqid and share SAs. It is also not
> > reverse mappable as multiple SAs can have same reqid but there can
> > be still unique or non-unique mapping back to SPDs which may use
> > the SA.
> 
> FYI, I'm working on a solution to solve these issues, namely:
> 
>       * Introduce a unique_id option on the CHILD_SA, which is truly
>         unique, similar to the IKE_SA unique identifier. This new id
>         is used mostly by the administrator to select CHILD_SAs
>         uniquely (to control them).
>       * Replace the current lookups by reqid by something more unique.
>         As the kernel should not know too much about that unique_id,
>         we will use the SPI/protocol/dst selector where appropriate.
>         For non-kernel triggered jobs we also can consider using the
>         new unique_id.
>       * Add a central, fast lookup facility to find IKE_SAs by
>         SPI/protocol/dst and by the new unique_id. I'll most likely
>         introduce a new global mapping database for that, as
>         ike_sa_manager is probably complex enough.
>       * The existing reqid will be mostly used internally by the
>         kernel-interface only, to map policies to SAs.
> 
> There is no code to share just yet, but I'll keep you updated.

Thanks for the heads up, and your work on this!

Let me know when there's something to show. I'm happy to look at it,
and give it a test spin.

Thanks,
Timo
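
Added example, not part of the original thread and not strongSwan or kernel code: a toy SAD/SPD model of the point quoted above, that a reqid can match several SAs and several policies while SPI/protocol/dst identifies exactly one SA. The structs, function names, addresses and SPI values are constructed for illustration; the two SAs sharing reqid 1 stand for an old and a new SA that coexist during a rekey.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model only: these are not the kernel's or strongSwan's structures. */
struct sa     { uint32_t spi; uint8_t proto; uint32_t dst; uint32_t reqid; };
struct policy { const char *selector; uint32_t reqid; };

#define PROTO_ESP 50
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed SAD: entries 0 and 1 are an old and a new SA with the same reqid. */
static const struct sa sad[] = {
    { 0xc1000001u, PROTO_ESP, 0xc0000201u /* 192.0.2.1 */, 1 },
    { 0xc1000002u, PROTO_ESP, 0xc0000201u /* 192.0.2.1 */, 1 },
    { 0xc2000001u, PROTO_ESP, 0xc0000202u /* 192.0.2.2 */, 2 },
};
/* Constructed SPD: two policies deliberately share reqid 1 (and so share SAs). */
static const struct policy spd[] = {
    { "10.0.1.0/24 -> 10.0.2.0/24", 1 },
    { "10.0.3.0/24 -> 10.0.2.0/24", 1 },
    { "10.0.4.0/24 -> 10.0.5.0/24", 2 },
};

/* Reverse lookup by reqid: how many SAs could an event carrying only a reqid mean? */
size_t sas_with_reqid(uint32_t reqid) {
    size_t n = 0;
    for (size_t i = 0; i < N(sad); i++) n += (sad[i].reqid == reqid);
    return n;
}
/* How many policies may use SAs tagged with this reqid? */
size_t policies_with_reqid(uint32_t reqid) {
    size_t n = 0;
    for (size_t i = 0; i < N(spd); i++) n += (spd[i].reqid == reqid);
    return n;
}
/* Lookup by SPI/protocol/dst: at most one SA can match. */
const struct sa *sa_by_tuple(uint32_t spi, uint8_t proto, uint32_t dst) {
    for (size_t i = 0; i < N(sad); i++)
        if (sad[i].spi == spi && sad[i].proto == proto && sad[i].dst == dst)
            return &sad[i];
    return NULL;
}

int main(void) {
    printf("reqid 1 -> %zu SAs, %zu policies\n", sas_with_reqid(1), policies_with_reqid(1));
    const struct sa *s = sa_by_tuple(0xc1000002u, PROTO_ESP, 0xc0000201u);
    printf("tuple lookup -> %s\n", s ? "exactly one SA" : "no SA");
    return 0;
}
```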

