[strongSwan-dev] Packets loss during rekey

Thomas Egerer hakke_007 at gmx.de
Thu Jan 28 20:40:08 CET 2016


On 01/28/2016 10:12 AM, Avinoam Meir wrote:
> Thank you for the answer.
> 
>    1. Yes, we experience packet loss during rekey.
>    2. What prevents the peer from using the old CHILD SA? Also, in-flight
>    packets can be encapsulated with the old CHILD SA and reach the VPN after
>    it was deleted.
It's the way the code is written. I of course assumed your peer system runs
strongswan. There's a slim chance in-flight packets using the old SA arrive
after the initiator of the rekeying has established the SA. My guess is the
packets are sent by the responder using the *new* SA while the initiator
has not yet installed the new one.

Thomas
> 
> 
> On Wed, Jan 27, 2016 at 11:28 PM Thomas Egerer <hakke_007 at gmx.de> wrote:
> 
> On January 27, 2016 2:45:48 PM GMT+01:00, Avinoam Meir <avinoam at google.com>
> wrote:
>>>> Hello StrongSwan devs,
>>>>
>>>> I have a question/proposal about CHILD SAs rekey:
>>>> If I understand correctly, today in the rekey task, after creating the new
>>>> CHILD SA, a delete task is immediately created and executed (see here
>>>> <https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/tasks/child_rekey.c#L379>).
>>>>
>>>> This can cause packet loss if the peer gateway sends ESP packets in
>>>> parallel to the rekey, so there are some old ESP packets on the network.
>>>>
>>>> Maybe StrongSwan can defer the call to kernel_interface->del_sa() for the
>>>> inbound CHILD SA (only), so the kernel continues to process ESP packets for
>>>> the old SAs for a while, and prevent the packet loss.
>>>>
>>>> What do you think?
> The code you are referring to is located in the process_i
> function of the child rekey code. At this point the peer should already use
> the rekeyed SA. So your scenario seems quite far-fetched and delaying the
> delete job unnecessary.
> Did you experience packet loss during rekeying?
>>>>
> Thomas

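Added example, not part of the original message and not strongSwan code: a small timeline model of the two loss scenarios discussed in this thread (old-SA packets arriving after the old inbound SA is deleted, and new-SA packets arriving before the new inbound SA is installed). All names and millisecond values are constructed assumptions.

```c
#include <stdio.h>

/* Constructed model (hypothetical names, not strongSwan code): the receiver
 * accepts an ESP packet only if an inbound SA for its SPI exists on arrival. */
struct rekey_timeline {
    int peer_switch_ms;  /* peer starts sending on the new SA */
    int new_install_ms;  /* receiver installs the new inbound SA */
    int old_delete_ms;   /* receiver deletes the old inbound SA */
    int latency_ms;      /* one-way network delay */
};

struct drops { int old_sa; int new_sa; };

/* The peer sends one packet per millisecond during [0, duration_ms). */
struct drops simulate(struct rekey_timeline t, int duration_ms)
{
    struct drops d = {0, 0};
    for (int sent = 0; sent < duration_ms; sent++) {
        int arrival = sent + t.latency_ms;
        if (sent >= t.peer_switch_ms) {
            if (arrival < t.new_install_ms)
                d.new_sa++;   /* new SPI not installed yet */
        } else if (arrival >= t.old_delete_ms) {
            d.old_sa++;       /* old SPI already deleted */
        }
    }
    return d;
}

int main(void)
{
    /* Constructed timelines, all values in milliseconds. */
    struct rekey_timeline cases[] = {
        {100,  90, 100, 20},  /* old inbound SA deleted at the switch */
        {100,  90, 150, 20},  /* same, deletion deferred by 50 ms */
        { 80, 110, 110, 20},  /* peer switches before receiver installs */
        { 80, 110, 160, 20},  /* same, deferring deletion does not help */
    };
    for (int i = 0; i < 4; i++) {
        struct drops d = simulate(cases[i], 200);
        printf("case %d: old-SA drops=%d new-SA drops=%d\n",
               i, d.old_sa, d.new_sa);
    }
    return 0;
}
```

In the last two timelines the loss comes from the new inbound SA not being installed yet, so deferring deletion of the old inbound SA changes nothing.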
