Date: Mon, 18 May 2015 14:28:35 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 200283] [ipsec] [patch] Send soft expire also if IPsec SA has not been used
Message-ID: <bug-200283-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200283

            Bug ID: 200283
           Summary: [ipsec] [patch] Send soft expire also if IPsec SA has not been used
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tobias@strongswan.org

Created attachment 156875
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156875&action=edit
Always send a soft expire

The FreeBSD kernel currently only sends an SADB_EXPIRE message when the soft
lifetime expires if the IPsec SA has been used. Some keying daemons might want
to rekey the SA even if it has not been used, which is not possible if no
SADB_EXPIRE message is sent (or only if they set their own timers to trigger a
rekeying). Also not nice is that currently no soft expire is triggered if the
SA is used after the soft lifetime has already expired.

The attached patch is based on the one I submitted with bug #200282 and removes
the check for the current use time before sending a soft expire.

By the way, wouldn't it make sense to check the hard lifetime also for SAs in
state SADB_SASTATE_MATURE? Otherwise, SAs that only have a hard lifetime set
won't ever expire as they will never enter the state SADB_SASTATE_DYING.

-- 
You are receiving this mail because:
You are the assignee for the bug.
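
The lifetime handling described in the report, as a small user-space model. This is an added example, not part of the original report and not FreeBSD kernel code or the attached patch. The names `sa_tick` and `run`, the one-second check interval, and the assumption that an SA moves to the dying state when its soft lifetime passes whether or not a message is sent are all illustrative.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model with hypothetical names; not the kernel's data structures. */
enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };

struct sa {
    long created, soft, hard;   /* add-time lifetimes in seconds, 0 = not set */
    bool used;                  /* stands in for a non-zero current use time */
    enum sa_state state;
    int soft_expires;           /* soft SADB_EXPIRE messages sent so far */
};

/* One pass of the periodic lifetime check. changed=false models the behaviour
 * the report describes; changed=true drops the use-time check (the patch) and
 * adds the hard-lifetime check for MATURE SAs that the report asks about. */
static void sa_tick(struct sa *sa, long now, bool changed)
{
    long age = now - sa->created;
    bool hard_due = sa->hard != 0 && age > sa->hard;
    if (sa->state == SA_MATURE) {
        if (changed && hard_due) {
            sa->state = SA_DEAD;
        } else if (sa->soft != 0 && age > sa->soft) {
            sa->state = SA_DYING;           /* assumption: happens either way */
            if (changed || sa->used)
                sa->soft_expires++;
        }
    } else if (sa->state == SA_DYING && hard_due) {
        sa->state = SA_DEAD;
    }
}

/* Check once per second until `until`; the SA is used from first_use on (<0 = never). */
static struct sa run(long soft, long hard, long first_use, long until, bool changed)
{
    struct sa sa = { 0, soft, hard, false, SA_MATURE, 0 };
    for (long now = 1; now <= until; now++) {
        if (first_use >= 0 && now >= first_use)
            sa.used = true;
        sa_tick(&sa, now, changed);
    }
    return sa;
}

int main(void)
{
    printf("unused SA, as described: %d soft expire(s)\n", run(10, 30, -1, 20, false).soft_expires);
    printf("unused SA, with change:  %d soft expire(s)\n", run(10, 30, -1, 20, true).soft_expires);
    return 0;
}
```

In this model a keying daemon that relies on the soft expire to rekey gets no notification for an unused SA, or for one first used after the soft lifetime passed, and an SA with only a hard lifetime stays in the mature state indefinitely.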