[strongSwan] MOBIKE switching bug in gateway with two external interfaces

Simon Chan simon.chan3 at yahoo.ca
Fri Mar 9 00:06:31 CET 2012


Greetings,

Just plowed through RFC 4555 and 4621 for guidance. The spec says put the currently used address in the IP header
and the rest as additional addresses. Thus excluding "me" in the additional_addresses list is correct.

But there is this sentence in rfc4621, section 6.4:

"To support NAT-T, the IP addresses of the received packet are considered as one address of the peer, even when they are not present in the list."

Seems MOBIKE message processing needs to store the message's source IP addr along with the other ADDITIONAL_IPV4_ADDRESS. Using ike_sa to "remember" this address separately is not safe. It requires code to add it in the additional_addresses list before it is overwritten by N(UPDATE_SA_ADDRESSES).

Regards,
Simon




________________________________
 
To verify this theory, we made the following change in ike_mobike.c:

------------------------------------------------------------
if (first)
{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
	this->ike_sa->remove_additional_addresses(this->ike_sa);
	first = FALSE;

	// Added code to seed the IP address in SA in the additional_address list
	host = this->ike_sa->get_other_host(this->ike_sa);
	host = host->clone(host);
	this->ike_sa->add_additional_address(this->ike_sa, host);
}
------------------------------------------------------------
After applying this change to a road warrior, it can switch back and forth between the 2 interfaces.

Questions:
1. Is there a reason why the peer IP address in the Security Association is not stored in the additional_address list?
2. Can anyone see potential problems with the code change above?
Not sure if there may be situations when ike_sa->get_other_host() may not return the correct gateway address.
The change tested OK in our lab though.
3. Another possibility is to change the gateway side to include "me" in the Mobike additional addresses.
It is easier to upgrade one host than upgrading a fleet of 800 trucks. Similar to Question 1, is there
a reason that "me" must be excluded from the Mobike additional addresses?

Thanks in advance for help.
Simon 
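To make the RFC 4621 section 6.4 point and the effect of the ike_mobike.c change concrete, here is a small C model added for illustration (it is not strongSwan code and does not use ike_sa_t). The message sequence it replays, a two-interface gateway first seen on interface A and then updating from B without ADDITIONAL notifies, is an assumption constructed for the example, as are the addresses.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the peer state an ike_sa keeps (not strongSwan's ike_sa_t). */
typedef struct {
    char other_host[16];     /* address in the packet's IP header (dotted IPv4) */
    char additional[8][16];  /* ADDITIONAL_*_ADDRESS list */
    size_t count;
} peer_t;

static bool in_list(const peer_t *p, const char *addr)
{
    for (size_t i = 0; i < p->count; i++)
        if (strcmp(p->additional[i], addr) == 0)
            return true;
    return false;
}

static void add_additional(peer_t *p, const char *addr)
{
    if (p->count < 8 && !in_list(p, addr))
        strcpy(p->additional[p->count++], addr);
}

/* Receive a MOBIKE message from `src` carrying `n` ADDITIONAL_*_ADDRESS notifies.
 * The first notify flushes the old list; with seed_source the packet source is
 * stored in the list too (RFC 4621 section 6.4: the source counts as a peer address). */
void process_message(peer_t *p, const char *src, const char *const *extra, size_t n, bool seed_source)
{
    strcpy(p->other_host, src);
    if (n > 0) {  /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
        p->count = 0;
        if (seed_source)
            add_additional(p, src);
    }
    for (size_t i = 0; i < n; i++)
        add_additional(p, extra[i]);
}

/* Constructed scenario: a gateway with interfaces A and B is first seen on A
 * (advertising only B, since "me" is excluded), then moves to B with an update carrying
 * no ADDITIONAL notifies. Returns whether A is still known: false without seeding, true with it. */
bool gateway_a_still_known(bool seed_source)
{
    const char *gw_a = "192.0.2.1", *gw_b = "198.51.100.1", *from_a[] = { gw_b };
    peer_t p = { .count = 0 };
    process_message(&p, gw_a, from_a, 1, seed_source);
    process_message(&p, gw_b, NULL, 0, seed_source);
    return strcmp(p.other_host, gw_a) == 0 || in_list(&p, gw_a);
}
```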