[strongSwan-dev] Packets loss during rekey
hakke_007 at gmx.de
Thu Jan 28 20:40:08 CET 2016
-----BEGIN PGP SIGNED MESSAGE-----
On 01/28/2016 10:12 AM, Avinoam Meir wrote:
> Thank you for the answer.
> 1. Yes, we experience packet loss during rekey.
> 2. What prevents the peer from using the old CHILD SA? also in flight
> packets can be encapsulated with the old CHILD SA and reach the VPN after
> it was deleted.
It's the way the code is written. I of course assumed, your peer system run
strongswan. There's a slim chance in flight packets using the old SA arrive
after the initiator of the rekeying has established the SA. My guess is, the
packets are sent by the responder using the *new* SA while the initiator
has not yet installed the new one.
> On Wed, Jan 27, 2016 at 11:28 PM Thomas Egerer <hakke_007 at gmx.de> wrote:
> On January 27, 2016 2:45:48 PM GMT+01:00, Avinoam Meir <avinoam at google.com>
>>>> Hello StrongSwan devs,
>>>> I have question/proposal about CHILD SAs rekey:
>>>> If I understand correctly, today in rekey task, after creating the new
>>>> CHILD SA, immediately delete task is created and executed. (see here
>>>> This can cause packets loss If the peer gateway sends ESP packets in
>>>> parallel to the rekey, so there are some old ESP packet on the network.
>>>> Maybe StrongSwan can defer the call to kerne_interface->del_sa() for
>>>> inbound CHILD SA (only), so the kernel continue to process esp packets
>>>> the old SAs for a while, and prevent the packet loss.
>>>> What do you think?
> The code you are referring to is part of the is located in the process_i
> function of the child rekey code. At this point the peer should already use
> the rekeyed SA. So your scenario seems quite far fetched and delaying the
> delete job unnecessary.
> Did you experience packet loss during rekeying?
>>>> Dev mailing list
>>>> Dev at lists.strongswan.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the Dev