From: blue <Susan.Lan@zyxel.com.tw>
Date: Fri, 27 Jul 2007 17:28:20 +0800
To: gnn@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: Re: SADB_X_SPDFLUSH message handling for latest version of IPsec
Message-ID: <46A9BAB4.9030309@zyxel.com.tw>
References: <46A81171.1040107@zyxel.com.tw>
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)

gnn@freebsd.org wrote:
> At Thu, 26 Jul 2007 11:13:53 +0800,
> blue wrote:
>
>> Hi, all:
>>
>> Recently I found the behavior of the command "setkey -FP" is quite
>> different in the latest version of IPsec (known as FAST_IPSEC before).
>> Before, the command would erase all the existing SP entries; currently the
>> command does not. After digging through the code, I found the state of the SP
>> entries is set to IPSEC_SPSTATE_DEAD, but the entries are not
>> unlinked from the SPD. Why does it need to keep the entry in the SPD? Is there any
>> special purpose? Without the removal, it's hard to tell whether the SP
>> entry still takes effect, since "setkey -PD" will not show its status. On
>> the other hand, SA is as usual: once "setkey -F" is typed in, the
>> SA entries are erased right away.
>
> Can you give an example of this? On my test systems this works for
> me:
>
> dut2 ? cat /etc/ipsec.conf
> spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
> spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
> add 10.0.0.1 10.0.0.2 esp 0x1000 -E des-cbc 0x3ffe05014819ffff;
> dut2 ? setkey -f !$
> setkey -f /etc/ipsec.conf
> dut2 ? setkey -DP
> 10.0.0.2[any] 10.0.0.1[any] any
>         in ipsec
>         esp/tunnel/10.0.0.2-10.0.0.1/require
>         spid=13 seq=1 pid=72816
>         refcnt=1
> 10.0.0.1[any] 10.0.0.2[any] any
>         out ipsec
>         esp/tunnel/10.0.0.1-10.0.0.2/require
>         spid=12 seq=0 pid=72816
>         refcnt=1
> dut2 ? setkey -D
> 10.0.0.1 10.0.0.2
>         esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
>         E: des-cbc 3ffe0501 4819ffff
>         seq=0x00000000 replay=0 flags=0x00000040 state=mature
>         created: Jul 22 23:10:07 2007 current: Jul 22 23:10:12 2007
>         diff: 5(s) hard: 0(s) soft: 0(s)
>         last: hard: 0(s) soft: 0(s)
>         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
>         allocated: 0 hard: 0 soft: 0
>         sadb_seq=0 pid=72817 refcnt=1
> dut2 ? setkey -FP
> dut2 ? setkey -DP
> No SPD entries.
> dut2 ?
>
> Best,
> George

Hi,

I was tracing the code, and so reached this conclusion.

In key_spdflush() in key.c, the loop

    for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
            SPTREE_LOCK();
            /* every policy in this direction is marked DEAD ... */
            LIST_FOREACH(sp, &sptree[dir], chain)
                    sp->state = IPSEC_SPSTATE_DEAD;
            /* ... but stays linked in sptree[dir] */
            SPTREE_UNLOCK();
    }

only sets the policy entry's state to DEAD but does not remove it from the SPD. On the other hand, in the KAME implementation (known as IPSEC in previous FreeBSD versions), the SP entry is removed:

    for (sp = TAILQ_FIRST(&sptailq); sp; sp = nextsp) {
            nextsp = TAILQ_NEXT(sp, tailq);
            if (sp->persist)                        /* persistent policies survive a flush */
                    continue;
            if (sp->state == IPSEC_SPSTATE_DEAD)    /* already flushed */
                    continue;
            key_sp_dead(sp);                        /* mark DEAD ... */
            key_sp_unlink(sp);                      /* ... and take it off the SPD */
            sp = NULL;
    }

Thanks.

BR,
blue
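The difference blue describes can be seen in a small user-space model. The following is an added example written for this archive page, not code from FreeBSD, KAME, or either poster: it keeps a toy SPD as a singly linked list with a constructed struct secpolicy (the fields, the SPSTATE_* values, and the persist flag are assumptions for the demo), implements both flush strategies from the quoted loops, and then counts how many entries are still linked versus how many would still match traffic. With the mark-DEAD-only flush, every entry stays reachable from the list head even though none is active, which is exactly the state a dump that walks the list cannot distinguish from a live policy unless it also checks sp->state.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an SPD entry. The state names echo IPSEC_SPSTATE_*
 * from key.c, but the values and fields are assumptions for this demo. */
enum spstate { SPSTATE_ALIVE = 0, SPSTATE_DEAD = 1 };

struct secpolicy {
    int id;                   /* constructed policy id (stand-in for spid) */
    int persist;              /* KAME-style persistent entry: survives a flush */
    enum spstate state;
    struct secpolicy *next;
};

struct spd { struct secpolicy *head; };

/* Append an ALIVE policy to the list; returns NULL if allocation fails. */
static struct secpolicy *spd_add(struct spd *spd, int id, int persist)
{
    struct secpolicy *sp = calloc(1, sizeof *sp);
    struct secpolicy **pp = &spd->head;
    if (sp == NULL)
        return NULL;
    sp->id = id;
    sp->persist = persist;
    sp->state = SPSTATE_ALIVE;
    while (*pp != NULL)
        pp = &(*pp)->next;
    *pp = sp;
    return sp;
}

/* Variant 1: mark every entry DEAD but leave it linked, which is what the
 * key_spdflush() loop quoted in the thread does. */
static void spd_flush_mark_dead(struct spd *spd)
{
    struct secpolicy *sp;
    for (sp = spd->head; sp != NULL; sp = sp->next)
        sp->state = SPSTATE_DEAD;
}

/* Variant 2: KAME-style. Skip persistent and already-dead entries; mark the
 * rest DEAD (key_sp_dead) and unlink them from the list (key_sp_unlink). */
static void spd_flush_unlink(struct spd *spd)
{
    struct secpolicy **pp = &spd->head;
    while (*pp != NULL) {
        struct secpolicy *sp = *pp;
        if (sp->persist || sp->state == SPSTATE_DEAD) {
            pp = &sp->next;
            continue;
        }
        sp->state = SPSTATE_DEAD;
        *pp = sp->next;       /* unlink: the list head/predecessor skips sp */
        free(sp);
    }
}

/* Count entries reachable from the head; with active_only set, count only
 * those that would still match traffic (state != DEAD). */
static int spd_count(const struct spd *spd, int active_only)
{
    int n = 0;
    const struct secpolicy *sp;
    for (sp = spd->head; sp != NULL; sp = sp->next)
        if (!active_only || sp->state != SPSTATE_DEAD)
            n++;
    return n;
}

static void spd_destroy(struct spd *spd)
{
    while (spd->head != NULL) {
        struct secpolicy *sp = spd->head;
        spd->head = sp->next;
        free(sp);
    }
}

/* Build the same three-entry SPD (two ordinary policies, one persistent),
 * flush it with the chosen variant, and report linked vs. active counts. */
void run_flush_demo(int kame_style, int *linked, int *active)
{
    struct spd spd = { NULL };
    spd_add(&spd, 12, 0);     /* like the "out" policy in George's dump */
    spd_add(&spd, 13, 0);     /* like the "in" policy */
    spd_add(&spd, 99, 1);     /* constructed persistent entry */
    if (kame_style)
        spd_flush_unlink(&spd);
    else
        spd_flush_mark_dead(&spd);
    *linked = spd_count(&spd, 0);
    *active = spd_count(&spd, 1);
    spd_destroy(&spd);
}

int main(void)
{
    int linked, active;
    run_flush_demo(0, &linked, &active);
    printf("mark-DEAD flush:  linked=%d active=%d\n", linked, active);
    run_flush_demo(1, &linked, &active);
    printf("KAME-style flush: linked=%d active=%d\n", linked, active);
    return 0;
}
```

Running it gives linked=3 active=0 for the mark-DEAD flush and linked=1 active=1 for the KAME-style flush (only the persistent entry remains). The practical point for anyone auditing policy state is the first line: a walk of the SPD that ignores sp->state, as a naive dump or a lookup path might, would still report three policies after a flush, so any tooling or review of this code path has to treat a linked entry as live only when its state is not DEAD.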