[Bug 200283] [ipsec] [patch] Send soft expire also if IPsec SA has not been used
bugzilla-noreply at freebsd.org
Mon May 18 14:28:35 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200283
Bug ID: 200283
Summary: [ipsec] [patch] Send soft expire also if IPsec SA has not been used
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: tobias at strongswan.org
Created attachment 156875
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156875&action=edit
Always send a soft expire
The FreeBSD kernel currently only sends an SADB_EXPIRE message when the soft lifetime expires if the IPsec SA has been used.

Some keying daemons might want to rekey the SA even if it has not been used, which is not possible if no SADB_EXPIRE message is sent (or only if they set their own timers to trigger a rekeying).

Also not nice is that currently no soft expire is triggered if the SA is used after the soft lifetime has already expired.

The attached patch is based on the one I submitted with bug #200282 and removes the check for the current use time before sending a soft expire.

By the way, wouldn't it make sense to check the hard lifetime also for SAs in state SADB_SASTATE_MATURE? Otherwise, SAs that only have a hard lifetime set won't ever expire, as they will never enter the state SADB_SASTATE_DYING.
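The following C program is an added illustration of the three behaviours the report describes (no soft expire for an unused SA, no soft expire when the SA is first used after the soft lifetime has passed, and a hard-only SA that never leaves MATURE). It is not FreeBSD's key.c and not the attached patch; the struct layout, the policy flags, the function names, the constructed lifetimes, and the assumption that the MATURE-to-DYING transition happens when the soft lifetime elapses even when no SADB_EXPIRE is sent are this example's own, chosen so that the model reproduces what the report states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of an IPsec SA lifetime timer, written for this bug report.
 * State names follow PF_KEY (SADB_SASTATE_MATURE/DYING/DEAD); everything else
 * (struct sa, struct policy, timer_pass, run) is an assumption of this example
 * and is not FreeBSD kernel code.
 */
enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };
enum expire_event { EXPIRE_NONE, EXPIRE_SOFT, EXPIRE_HARD };

struct sa {
    enum sa_state state;
    uint64_t created;       /* time the SA was added                          */
    uint64_t usetime;       /* time of last use; 0 means never used           */
    uint64_t soft_addtime;  /* soft lifetime in seconds, 0 = not set          */
    uint64_t hard_addtime;  /* hard lifetime in seconds, 0 = not set          */
};

/* Two rule sets: the behaviour the report complains about, and the behaviour
 * it asks for (patch plus the hard-lifetime check in MATURE it suggests). */
struct policy {
    bool soft_requires_use;     /* send soft expire only if usetime != 0      */
    bool hard_check_in_mature;  /* also check hard lifetime while MATURE      */
};
static const struct policy ORIGINAL = { true,  false };
static const struct policy PATCHED  = { false, true  };

static bool elapsed(uint64_t now, uint64_t created, uint64_t lifetime)
{
    return lifetime != 0 && now - created > lifetime;
}

/* One pass of the timer over a single SA; returns the SADB_EXPIRE kind a
 * keying daemon would receive (EXPIRE_NONE if no message is sent). */
enum expire_event timer_pass(struct sa *sa, uint64_t now, const struct policy *p)
{
    switch (sa->state) {
    case SA_MATURE:
        if (p->hard_check_in_mature && elapsed(now, sa->created, sa->hard_addtime)) {
            sa->state = SA_DEAD;
            return EXPIRE_HARD;
        }
        if (elapsed(now, sa->created, sa->soft_addtime)) {
            /* Assumption of this model: the state changes even when no
             * message is sent, so a later use cannot trigger the soft
             * expire any more (the report's second complaint). */
            sa->state = SA_DYING;
            if (p->soft_requires_use && sa->usetime == 0)
                return EXPIRE_NONE;     /* unused SA: daemon hears nothing */
            return EXPIRE_SOFT;
        }
        return EXPIRE_NONE;
    case SA_DYING:
        if (elapsed(now, sa->created, sa->hard_addtime)) {
            sa->state = SA_DEAD;
            return EXPIRE_HARD;
        }
        return EXPIRE_NONE;
    default:
        return EXPIRE_NONE;
    }
}

/* First tick at which each expire kind was reported, -1 if never. */
struct trace { int64_t soft_at; int64_t hard_at; };

/* Drive one SA created at t=0 through ticks 0..30; use_at != 0 marks the tick
 * at which traffic first uses the SA (constructed input for the example). */
struct trace run(const struct policy *p, uint64_t soft, uint64_t hard, uint64_t use_at)
{
    struct sa sa = { SA_MATURE, 0, 0, soft, hard };
    struct trace t = { -1, -1 };
    for (uint64_t now = 0; now <= 30; now++) {
        if (use_at != 0 && now == use_at)
            sa.usetime = now;
        enum expire_event e = timer_pass(&sa, now, p);
        if (e == EXPIRE_SOFT && t.soft_at < 0) t.soft_at = (int64_t)now;
        if (e == EXPIRE_HARD && t.hard_at < 0) t.hard_at = (int64_t)now;
    }
    return t;
}

static void show(const char *label, struct trace t)
{
    printf("%-40s soft_at=%lld hard_at=%lld\n", label,
           (long long)t.soft_at, (long long)t.hard_at);
}

int main(void)
{
    show("original, soft=10 hard=20, never used", run(&ORIGINAL, 10, 20, 0));
    show("original, soft=10 hard=20, used at 15", run(&ORIGINAL, 10, 20, 15));
    show("patched,  soft=10 hard=20, never used", run(&PATCHED,  10, 20, 0));
    show("original, hard=20 only, never used",    run(&ORIGINAL, 0,  20, 0));
    show("patched,  hard=20 only, never used",    run(&PATCHED,  0,  20, 0));
    return 0;
}
```

Under ORIGINAL the unused SA never produces a soft expire, a use at tick 15 (after the soft lifetime) still produces none, and the hard-only SA never expires at all; under PATCHED the soft expire arrives at tick 11 regardless of use and the hard-only SA dies at tick 21.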