[strongSwan-dev] SP update during CHILD SA rekeying

Emeric POUPON emeric.poupon at stormshield.eu
Tue May 15 15:00:59 CEST 2018


> So I guess some updates could be avoided by adding some additional
> checks for changes when adding/removing tracked SAs, but I've currently
> no plans to implement that.

Ok, I think I have something that works (see attached patch), but I am not sure about the solution.
Please tell me what you think about it.

>> The problem is that there seems to be a race in FreeBSD: the SP is not really
>> updated, it is removed and then a new one is added, and unfortunately this is
>> not atomic.
>> Therefore some packets may leave using the default policy.
> 
> Hm, the whole point of doing an update instead of manually removing and
> adding policies is to avoid that.  So probably should be fixed in the
> kernel, right?

You are right, I will try to fix this ASAP.

Regards,

Emeric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-kernel_pfkey-spd-update-mitigation
Type: text/x-patch
Size: 703 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20180515/19b45046/attachment.patch>