[strongSwan-dev] Packets loss during rekey

Avinoam Meir avinoam at google.com
Thu Jan 28 10:12:35 CET 2016


Thank you for the answer.

   1. Yes, we experience packet loss during rekey.
   2. What prevents the peer from using the old CHILD SA? Also, in-flight
   packets can be encapsulated with the old CHILD SA and reach the VPN after
   it was deleted.


On Wed, Jan 27, 2016 at 11:28 PM Thomas Egerer <hakke_007 at gmx.de> wrote:

> On January 27, 2016 2:45:48 PM GMT+01:00, Avinoam Meir <avinoam at google.com>
> wrote:
> >Hello StrongSwan devs,
> >
> >I have a question/proposal about CHILD SA rekeying:
> >If I understand correctly, today in the rekey task, after creating the new
> >CHILD SA, a delete task is immediately created and executed (see here
> ><https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/tasks/child_rekey.c#L379>).
> >
> >This can cause packet loss if the peer gateway sends ESP packets in
> >parallel to the rekey, so there are some old ESP packets on the network.
> >
> >Maybe StrongSwan can defer the call to kernel_interface->del_sa() for
> >the inbound CHILD SA (only), so the kernel continues to process ESP packets
> >for the old SAs for a while, and prevent the packet loss.
> >
> >What do you think?
> The code you are referring to is located in the process_i
> function of the child rekey code. At this point the peer should already use
> the rekeyed SA. So your scenario seems quite far-fetched and delaying the
> delete job unnecessary.
> Did you experience packet loss during rekeying?
> >
> Thomas


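The in-flight packet race discussed in this thread, as an added example that is not part of the original e-mails and is not strongSwan code: a toy inbound SA table in C that counts packets dropped when the old inbound CHILD SA is deleted as soon as the rekey completes versus after a grace period. The SPIs, timings and all names (`dropped_packets`, `sa_accepts`, `traffic`) are constructed for illustration, and the new SA is assumed to be installed before any packet using it arrives.

```c
#include <stdint.h>
#include <stdio.h>

#define OLD_SPI 0x1001u   /* constructed SPIs, not real values */
#define NEW_SPI 0x1002u
#define NEVER   (1 << 30)

struct sa  { uint32_t spi; int delete_at_ms; };   /* inbound SA entry */
struct pkt { int send_ms; int delay_ms; };        /* ESP packet sent by the peer */

/* Constructed traffic: the packets sent at 80 and 90 ms are queued longer
 * than the IKE response and arrive after the rekey has completed. */
static const struct pkt traffic[] = {
    {50, 20}, {70, 20}, {80, 45}, {90, 45}, {100, 20}, {110, 20}, {120, 20},
};

/* Inbound lookup by SPI: decapsulation works only while the SA is installed. */
static int sa_accepts(const struct sa *sad, int n, uint32_t spi, int now_ms)
{
    for (int i = 0; i < n; i++)
        if (sad[i].spi == spi && now_ms < sad[i].delete_at_ms)
            return 1;
    return 0;
}

/* Packets dropped when the receiver removes the old inbound SA grace_ms
 * after finishing the rekey; grace_ms == 0 models an immediate delete. */
int dropped_packets(int peer_switch_ms, int rekey_done_ms, int grace_ms)
{
    struct sa sad[] = {
        { OLD_SPI, rekey_done_ms + grace_ms },
        { NEW_SPI, NEVER },   /* assumed installed before first use */
    };
    int dropped = 0;
    for (size_t i = 0; i < sizeof(traffic) / sizeof(traffic[0]); i++) {
        /* The peer encapsulates with whichever SA is current at send time. */
        uint32_t spi = traffic[i].send_ms < peer_switch_ms ? OLD_SPI : NEW_SPI;
        int arrival = traffic[i].send_ms + traffic[i].delay_ms;
        if (!sa_accepts(sad, 2, spi, arrival))
            dropped++;
    }
    return dropped;
}

int main(void)
{
    for (int grace = 0; grace <= 20; grace += 10)
        printf("grace %2d ms: %d dropped\n", grace, dropped_packets(100, 120, grace));
    return 0;
}
```
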