From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 200283] [ipsec] [patch] Send soft expire also if IPsec SA has not been used
Date: Mon, 18 May 2015 14:28:35 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200283

            Bug ID: 200283
           Summary: [ipsec] [patch] Send soft expire also if IPsec SA has not
                    been used
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tobias@strongswan.org

Created attachment 156875
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156875&action=edit
Always send a soft expire

The FreeBSD kernel currently only sends an SADB_EXPIRE message when the soft lifetime expires if the IPsec SA has been used. Some keying daemons might want to rekey the SA even if it has not been used, which is not possible if no SADB_EXPIRE message is sent (or only if they set their own timers to trigger a rekeying). Also not nice is that currently no soft expire is triggered if the SA is used after the soft lifetime has already expired.

The attached patch is based on the one I submitted with bug #200282 and removes the check for the current use time before sending a soft expire.

By the way, wouldn't it make sense to check the hard lifetime also for SAs in state SADB_SASTATE_MATURE? Otherwise, SAs that only have a hard lifetime set won't ever expire as they will never enter the state SADB_SASTATE_DYING.
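Added example, not part of the original report and not FreeBSD kernel code: a simplified C model of the lifetime timer as the report describes it, showing when a soft expire is sent under the current and the proposed behaviour and why an SA with only a hard lifetime never expires. The struct, function and policy names are hypothetical, and the model assumes the SA moves to the dying state at soft expiry whether or not it was used.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, hypothetical names; this is not FreeBSD kernel code. */
enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };
struct sa_model {
    enum sa_state state;
    long first_use;        /* 0 = never used; the SA is created at t = 0 */
    long soft, hard;       /* lifetimes in seconds, 0 = not set */
    int soft_expires_sent; /* SADB_EXPIRE messages sent for the soft lifetime */
};
struct policy {
    bool soft_requires_use;   /* behaviour the report calls current */
    bool hard_checked_mature; /* the change the report asks about */
};

/* One pass of the periodic lifetime timer over a single SA. */
static void sa_tick(struct sa_model *sa, long now, struct policy p)
{
    bool used = sa->first_use != 0 && sa->first_use <= now;
    bool check_hard = sa->state == SA_DYING ||
                      (sa->state == SA_MATURE && p.hard_checked_mature);
    if (check_hard && sa->hard != 0 && now > sa->hard) {
        sa->state = SA_DEAD;
    } else if (sa->state == SA_MATURE && sa->soft != 0 && now > sa->soft) {
        sa->state = SA_DYING; /* assumed: state changes whether used or not */
        if (used || !p.soft_requires_use)
            sa->soft_expires_sent++;
    }
}

/* Run the timer once per second for t = 1..until; return the final SA. */
static struct sa_model simulate(long soft, long hard, long first_use,
                                long until, struct policy p)
{
    struct sa_model sa = { SA_MATURE, first_use, soft, hard, 0 };
    for (long now = 1; now <= until; now++)
        sa_tick(&sa, now, p);
    return sa;
}

int main(void)
{
    struct policy cur = { true, false }, fix = { false, false };
    printf("unused SA: soft expires sent, current=%d patched=%d\n",
           simulate(10, 20, 0, 15, cur).soft_expires_sent,
           simulate(10, 20, 0, 15, fix).soft_expires_sent);
    return 0;
}
```

In the model, an SA first used at t = 12 with a soft lifetime of 10 behaves like the unused one: it is already dying when the traffic arrives, so the soft lifetime is never evaluated again.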