[strongSwan-dev] reqid handling

Emeric POUPON emeric.poupon at stormshield.eu
Tue Feb 17 10:27:38 CET 2015


Since I'm currently working on very specific kernel patches, I am very interested in a fast lookup of CHILD_SAs using the SPI/protocol/dst selector.
I guess the work you described below is suitable for that need. Did you manage to implement something?

Best Regards,


----- Original Message -----
From: "Timo Teras" <timo.teras at iki.fi>
To: "Martin Willi" <martin at strongswan.org>
Cc: dev at lists.strongswan.org
Sent: Wednesday, 29 October 2014 13:58:47
Subject: Re: [strongSwan-dev] reqid handling

Hi Martin,

On Thu, 23 Oct 2014 12:04:49 +0200
Martin Willi <martin at strongswan.org> wrote:

> > Technically, in kernel the reqid is specified in SPD, and used to
> > filter which SA is selected. This means that it's perfectly ok
> > for multiple SPDs to have same reqid and share SAs. It is also not
> > reverse mappable as multiple SAs can have same reqid but there can
> > be still unique or non-unique mapping back to SPDs which may use
> > the SA.
> FYI, I'm working on a solution to solve these issues, namely:
>       * Introduce a unique_id option on the CHILD_SA, which is truly
>         unique, similar to the IKE_SA unique identifier. This new id
>         is used mostly by the administrator to select CHILD_SAs uniquely
>         (to control them).
>       * Replace the current lookups by reqid by something more unique.
>         As the kernel should not know too much about that unique_id,
>         we will use the SPI/protocol/dst selector where appropriate. For
>         non-kernel triggered jobs we also can consider using the new
>         unique_id.
>       * Add a central, fast lookup facility to find IKE_SAs by
>         SPI/protocol/dst and by the new unique_id. I'll most likely
>         introduce a new global mapping database for that, as
>         ike_sa_manager is probably complex enough.
>       * The existing reqid will be mostly used internally by the
>         kernel-interface only, to map policies to SAs.
> There is no code to share just yet, but I'll keep you updated.

Thanks for the heads up, and your work on this!

Let me know when there's something to show. I'm happy to look at it,
and give it a test spin.
