[strongSwan-dev] Packets loss during rekey

Thomas Egerer hakke_007 at gmx.de
Wed Jan 27 22:27:56 CET 2016


On January 27, 2016 2:45:48 PM GMT+01:00, Avinoam Meir <avinoam at google.com> wrote:
>Hello StrongSwan devs,
>
>I have a question/proposal about CHILD SA rekeying:
>If I understand correctly, today in the rekey task, after creating the new
>CHILD SA, a delete task is immediately created and executed (see here
><https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/tasks/child_rekey.c#L379>).
>
>This can cause packet loss if the peer gateway sends ESP packets in
>parallel to the rekey, so there are some old ESP packets on the network.
>
>Maybe StrongSwan can defer the call to kernel_interface->del_sa() for the
>inbound CHILD SA (only), so the kernel continues to process ESP packets for
>the old SAs for a while, and prevent the packet loss.
>
>What do you think?
The code you are referring to is located in the process_i function of the child rekey code. At this point the peer should already use the rekeyed SA. So your scenario seems quite far-fetched and delaying the delete job unnecessary.
Did you experience packet loss during rekeying?
>
Thomas
>


--
Sent from a mobile device. Please excuse my brevity.