[strongSwan-dev] RFC 6054 support with HA plugin

Emeric POUPON emeric.poupon at stormshield.eu
Fri Mar 30 17:14:44 CEST 2018


I am concerned about AES-GCM issues related to segment responsibility changes (see https://tools.ietf.org/html/rfc6311#section-3.4).

https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards states RFC6454 is supported.
Could you please provide more details about it?

As far as I understand, each member of the cluster should have a unique SID assigned and use this SID when emitting packets from the kernel stack.

This raises several questions:
- how does the userland set the sid in the kernel?
- how is the sid computed so that it is unique within the cluster? How many bits are reserved for this sid?



