Date: Mon, 18 May 2015 14:14:47 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 200282] [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetimes of IPsec SAs are reached
Message-ID: <bug-200282-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200282

            Bug ID: 200282
           Summary: [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetimes of IPsec SAs are reached
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tobias@strongswan.org

Created attachment 156874
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156874&action=edit
Send hard expires when SAs are destroyed

The FreeBSD kernel currently does not send an SADB_EXPIRE when the hard lifetime of an IPsec SA expires (so this affects all releases, not only 11). Some keying daemons rely on these messages to learn when IPsec SAs are to be deleted (e.g. because they don't set their own timers to do so).

According to RFC 2367, section 3.1.8, the kernel should probably send an SADB_EXPIRE when the hard lifetime is reached anyway:

    The operating system kernel is responsible for tracking SA expirations
    for security protocols that are implemented inside the kernel. If the
    soft limit or hard limit of a Security Association has expired for a
    security protocol implemented inside the kernel, then the kernel MUST
    issue an SADB_EXPIRE message to all key socket listeners.

It continues with:

    If a HARD lifetime extension is included, it indicates that the HARD
    lifetime expired. This means the association MAY be deleted already
    from the SADB. If a SOFT lifetime extension is included, it indicates
    that the SOFT lifetime expired.

With the attached patch applied, hard expires as defined above are sent when the hard lifetime of an IPsec SA is reached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
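As an added example (not part of the bug report, the attached FreeBSD patch, or strongSwan), here is the receiving side of the message this bug is about: a keying daemon reading SADB_EXPIRE from a PF_KEY v2 socket has to walk the extensions, find the mandatory SA extension for the SPI, and tell a HARD lifetime extension (the SA may already be gone, so just forget it) from a SOFT one (start rekeying). The struct and constant definitions are copied from RFC 2367 so the block compiles without <net/pfkeyv2.h>; the function names classify_expire, build_expire and roundtrip, the enum expire_kind, and the sample SPI, timestamps and byte counts are made up for the example. PF_KEY is a local socket carrying host-byte-order structs, which the code assumes, and every length field is validated before use, since a daemon that trusts a bad sadb_ext_len reads past the message it received.

```c
/* Classify SADB_EXPIRE messages read from a PF_KEY v2 socket (RFC 2367 3.1.8).
 * Added example, not FreeBSD or strongSwan code. Structs and constants are
 * reproduced from RFC 2367 so this compiles without <net/pfkeyv2.h>; on
 * FreeBSD include that header and drop the local definitions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { PF_KEY_V2 = 2, SADB_EXPIRE = 8, SADB_SATYPE_ESP = 3 };
enum { SADB_EXT_SA = 1, SADB_EXT_LIFETIME_CURRENT, SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT };
#define PFKEY_UNIT 8  /* every *_len field counts 64-bit words */
struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa  { uint16_t sadb_sa_len, sadb_sa_exttype; uint32_t sadb_sa_spi;
                  uint8_t sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
                  uint32_t sadb_sa_flags; };
struct sadb_lifetime { uint16_t sadb_lifetime_len, sadb_lifetime_exttype;
                       uint32_t sadb_lifetime_allocations;
                       uint64_t sadb_lifetime_bytes, sadb_lifetime_addtime, sadb_lifetime_usetime; };
enum expire_kind { EXPIRE_OTHER_MSG = 0, EXPIRE_SOFT, EXPIRE_HARD, EXPIRE_MALFORMED };

/* Walk the extensions of one message, checking every length against the
 * buffer before trusting it. HARD wins over SOFT when both are present,
 * because with HARD the SA MAY already be gone from the SADB. */
enum expire_kind classify_expire(const uint8_t *buf, size_t len, uint32_t *spi_out)
{
    struct sadb_msg hdr;
    size_t off, total;
    int saw_sa = 0, saw_hard = 0, saw_soft = 0;
    if (len < sizeof hdr) return EXPIRE_MALFORMED;
    memcpy(&hdr, buf, sizeof hdr);
    total = (size_t)hdr.sadb_msg_len * PFKEY_UNIT;
    if (hdr.sadb_msg_version != PF_KEY_V2 || total < sizeof hdr || total > len) return EXPIRE_MALFORMED;
    if (hdr.sadb_msg_type != SADB_EXPIRE) return EXPIRE_OTHER_MSG;
    off = sizeof hdr;
    while (off < total) {
        struct sadb_ext ext; size_t elen;
        if (total - off < sizeof ext) return EXPIRE_MALFORMED;
        memcpy(&ext, buf + off, sizeof ext);
        elen = (size_t)ext.sadb_ext_len * PFKEY_UNIT;
        if (elen < sizeof ext || elen > total - off) return EXPIRE_MALFORMED;  /* zero or overlong */
        if (ext.sadb_ext_type == SADB_EXT_SA) {
            struct sadb_sa sa;
            if (elen < sizeof sa) return EXPIRE_MALFORMED;
            memcpy(&sa, buf + off, sizeof sa);
            if (spi_out) *spi_out = sa.sadb_sa_spi;
            saw_sa = 1;
        } else if (ext.sadb_ext_type == SADB_EXT_LIFETIME_HARD ||
                   ext.sadb_ext_type == SADB_EXT_LIFETIME_SOFT) {
            if (elen < sizeof(struct sadb_lifetime)) return EXPIRE_MALFORMED;
            if (ext.sadb_ext_type == SADB_EXT_LIFETIME_HARD) saw_hard = 1; else saw_soft = 1;
        }                                  /* addresses, keys, identities: skipped here */
        off += elen;
    }
    /* 3.1.8: the SA extension and at least one of HARD/SOFT are mandatory. */
    if (!saw_sa || !(saw_hard || saw_soft)) return EXPIRE_MALFORMED;
    return saw_hard ? EXPIRE_HARD : EXPIRE_SOFT;
}

/* Constructed sample of the EXPIRE a kernel would emit for one ESP SA:
 * header, SA, LIFETIME_CURRENT, then HARD or SOFT (addresses omitted).
 * Counters and timestamps are made up. Returns bytes written, 0 if no room. */
size_t build_expire(uint8_t *buf, size_t cap, uint32_t spi, int hard)
{
    struct sadb_msg hdr = { PF_KEY_V2, SADB_EXPIRE, 0, SADB_SATYPE_ESP, 0, 0, 1, 0 };
    struct sadb_sa sa = { sizeof sa / PFKEY_UNIT, SADB_EXT_SA, spi, 32, 1 /* MATURE */, 0, 0, 0 };
    struct sadb_lifetime cur = { sizeof cur / PFKEY_UNIT, SADB_EXT_LIFETIME_CURRENT,
                                 0, 123456, 1431958487, 1431958490 };   /* absolute times */
    struct sadb_lifetime lim = { sizeof lim / PFKEY_UNIT,
                                 hard ? SADB_EXT_LIFETIME_HARD : SADB_EXT_LIFETIME_SOFT,
                                 0, 0, hard ? 3600 : 3000, 0 };         /* seconds after creation */
    size_t total = sizeof hdr + sizeof sa + sizeof cur + sizeof lim;   /* 96 bytes */
    uint8_t *p = buf;
    if (cap < total) return 0;
    hdr.sadb_msg_len = (uint16_t)(total / PFKEY_UNIT);
    memcpy(p, &hdr, sizeof hdr); p += sizeof hdr;
    memcpy(p, &sa,  sizeof sa);  p += sizeof sa;
    memcpy(p, &cur, sizeof cur); p += sizeof cur;
    memcpy(p, &lim, sizeof lim);
    return total;
}

/* Build an EXPIRE for SPI 0x1234abcd, drop drop_tail bytes to simulate a short read, classify. */
enum expire_kind roundtrip(int hard, size_t drop_tail, uint32_t *spi_out)
{
    uint8_t buf[128];
    size_t n = build_expire(buf, sizeof buf, 0x1234abcdu, hard);
    if (n == 0 || drop_tail > n) return EXPIRE_MALFORMED;
    return classify_expire(buf, n - drop_tail, spi_out);
}

int main(void)
{
    uint32_t spi = 0;
    enum expire_kind k = roundtrip(1, 0, &spi);
    printf("hard expire -> kind %d (2 = HARD), spi 0x%08x; short read -> kind %d (3 = malformed)\n",
           (int)k, (unsigned)spi, (int)roundtrip(1, 8, NULL));
    return 0;
}
```

On a real system classify_expire would be fed the bytes returned by read(2) on a socket(PF_KEY, SOCK_RAW, PF_KEY_V2) that has issued SADB_REGISTER for the SA type; the constructed build_expire only stands in for the kernel so the parser can be exercised offline. The behaviour the bug asks for is visible in the HARD branch: once the kernel sends that message, a daemon that does not run its own timers can drop the SA from its state without ever issuing SADB_DELETE.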
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-200282-8>