[Bug 200282] [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetimes of IPsec SAs are reached
bugzilla-noreply at freebsd.org
Mon May 18 14:14:47 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200282
Bug ID: 200282
Summary: [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetimes of IPsec SAs are reached
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: tobias at strongswan.org
Created attachment 156874
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156874&action=edit
Send hard expires when SAs are destroyed
The FreeBSD kernel currently does not send an SADB_EXPIRE when the hard
lifetime of an IPsec SA expires (so this affects all releases, not only 11).
Some keying daemons rely on these messages to learn when IPsec SAs are to be
deleted (e.g. because they don't set their own timers to do so).
According to RFC 2367, section 3.1.8, the kernel should probably send an
SADB_EXPIRE when the hard lifetime is reached anyway:

    The operating system kernel is responsible for tracking SA
    expirations for security protocols that are implemented inside the
    kernel. If the soft limit or hard limit of a Security Association
    has expired for a security protocol implemented inside the kernel,
    then the kernel MUST issue an SADB_EXPIRE message to all key socket
    listeners.

It continues with:

    If a HARD lifetime extension is included, it indicates that the HARD
    lifetime expired. This means the association MAY be deleted already
    from the SADB. If a SOFT lifetime extension is included, it indicates
    that the SOFT lifetime expired.

With the attached patch applied, hard expires as defined above are sent when the
hard lifetime of an IPsec SA is reached.
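As an added example (not part of this bug report, the FreeBSD kernel, or the strongSwan patch), here is the receiving side of the behaviour described above: a keying daemon's check that classifies an incoming SADB_EXPIRE as a SOFT expiry (rekey) or a HARD expiry (the SA may already be gone from the SADB and must be treated as dead). The struct layouts and constants are those of RFC 2367, redeclared locally so the file builds without the platform's <net/pfkeyv2.h>; build_expire() constructs a sample message of the shape the kernel sends, and the SPI, lifetime values and the omission of the address extensions are assumptions made for this example.

```c
/* Added example, not kernel or strongSwan code. Layouts and values below are
 * copied from RFC 2367 so this builds without <net/pfkeyv2.h>; a real daemon
 * would include the platform header instead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PF_KEY_V2                 2
#define SADB_EXPIRE               8
#define SADB_SATYPE_ESP           3
#define SADB_EXT_SA               1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD    3
#define SADB_EXT_LIFETIME_SOFT    4

/* All *_len fields count 64-bit units, as RFC 2367 requires. */
struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa {
    uint16_t sadb_sa_len, sadb_sa_exttype;
    uint32_t sadb_sa_spi;
    uint8_t  sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
    uint32_t sadb_sa_flags;
};
struct sadb_lifetime {
    uint16_t sadb_lifetime_len, sadb_lifetime_exttype;
    uint32_t sadb_lifetime_allocations;
    uint64_t sadb_lifetime_bytes, sadb_lifetime_addtime, sadb_lifetime_usetime;
};

enum expire_kind { EXPIRE_INVALID = -1, EXPIRE_SOFT = 0, EXPIRE_HARD = 1 };

/* Walk the extensions of one PF_KEY message. HARD: the SA may already be
 * deleted from the SADB, drop local state. SOFT: rekey. INVALID: not an
 * SADB_EXPIRE, or length fields that do not add up (truncated/overlong). */
enum expire_kind classify_expire(const uint8_t *buf, size_t len, uint32_t *spi_out)
{
    struct sadb_msg hdr;
    size_t off = sizeof hdr;
    int hard = 0, soft = 0, have_sa = 0;

    if (len < sizeof hdr)
        return EXPIRE_INVALID;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.sadb_msg_version != PF_KEY_V2 || hdr.sadb_msg_type != SADB_EXPIRE ||
        (size_t)hdr.sadb_msg_len * 8 != len)
        return EXPIRE_INVALID;

    while (off + sizeof(struct sadb_ext) <= len) {
        struct sadb_ext ext;
        memcpy(&ext, buf + off, sizeof ext);
        size_t ext_bytes = (size_t)ext.sadb_ext_len * 8;
        /* A zero-length extension would spin forever; an overlong one overreads. */
        if (ext_bytes < sizeof ext || off + ext_bytes > len)
            return EXPIRE_INVALID;
        switch (ext.sadb_ext_type) {
        case SADB_EXT_SA: {
            struct sadb_sa sa;
            if (ext_bytes < sizeof sa) return EXPIRE_INVALID;
            memcpy(&sa, buf + off, sizeof sa);
            if (spi_out) *spi_out = sa.sadb_sa_spi;
            have_sa = 1;
            break;
        }
        case SADB_EXT_LIFETIME_HARD:
            if (ext_bytes < sizeof(struct sadb_lifetime)) return EXPIRE_INVALID;
            hard = 1;
            break;
        case SADB_EXT_LIFETIME_SOFT:
            if (ext_bytes < sizeof(struct sadb_lifetime)) return EXPIRE_INVALID;
            soft = 1;
            break;
        default: /* LIFETIME_CURRENT, addresses, ...: not needed here */
            break;
        }
        off += ext_bytes;
    }
    if (off != len || !have_sa || hard == soft) /* exactly one lifetime kind */
        return EXPIRE_INVALID;
    return hard ? EXPIRE_HARD : EXPIRE_SOFT;
}

/* Constructed sample of the kernel's SADB_EXPIRE: base header, SA,
 * LIFETIME_CURRENT, then the expired lifetime (addresses omitted). */
size_t build_expire(uint8_t *buf, uint32_t spi, uint16_t expired_type, uint64_t addtime)
{
    struct sadb_msg hdr = {0}; struct sadb_sa sa = {0};
    struct sadb_lifetime cur = {0}, exp = {0};
    size_t total = sizeof hdr + sizeof sa + sizeof cur + sizeof exp; /* 96 bytes */

    hdr.sadb_msg_version = PF_KEY_V2; hdr.sadb_msg_type = SADB_EXPIRE;
    hdr.sadb_msg_satype = SADB_SATYPE_ESP; hdr.sadb_msg_len = (uint16_t)(total / 8);
    sa.sadb_sa_len = (uint16_t)(sizeof sa / 8); sa.sadb_sa_exttype = SADB_EXT_SA;
    sa.sadb_sa_spi = spi;
    cur.sadb_lifetime_len = (uint16_t)(sizeof cur / 8);
    cur.sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; cur.sadb_lifetime_addtime = addtime;
    exp.sadb_lifetime_len = (uint16_t)(sizeof exp / 8);
    exp.sadb_lifetime_exttype = expired_type; exp.sadb_lifetime_addtime = addtime;

    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + 16, &sa, sizeof sa);
    memcpy(buf + 32, &cur, sizeof cur);
    memcpy(buf + 64, &exp, sizeof exp);
    return total;
}

/* Build a message carrying the given expired lifetime type and classify it. */
enum expire_kind roundtrip(uint16_t expired_type, uint32_t spi, uint32_t *spi_out)
{
    uint8_t buf[128];
    size_t n = build_expire(buf, spi, expired_type, 3600);
    return classify_expire(buf, n, spi_out);
}

/* A message cut short by one extension must be rejected, not misread. */
int truncated_is_invalid(void)
{
    uint8_t buf[128];
    size_t n = build_expire(buf, 0x1u, SADB_EXT_LIFETIME_HARD, 3600);
    return classify_expire(buf, n - 32, NULL) == EXPIRE_INVALID;
}

int main(void)
{
    uint32_t spi = 0;
    enum expire_kind k = roundtrip(SADB_EXT_LIFETIME_HARD, 0x12345678u, &spi);
    printf("SADB_EXPIRE spi=0x%08x kind=%s\n", spi,
           k == EXPIRE_HARD ? "HARD (SA gone, drop state)" :
           k == EXPIRE_SOFT ? "SOFT (rekey)" : "invalid");
    return 0;
}
```

A daemon would read such messages from a PF_KEY socket (socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) after an SADB_REGISTER; the walker's length checks are what keep a truncated or malformed message, from the kernel or anywhere else, from pushing the loop past the buffer or spinning on a zero-length extension.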