Re: when having to acquire an SA, ipsec drops the packet

2007-03-06 Thread Joy Latten
On Mon, 2007-03-05 at 22:21 -0500, James Morris wrote: On Mon, 5 Mar 2007, Joy Latten wrote: 5. Around the time the set of SAs for OUT direction are to be inserted into SAD, I see another ACQUIRE happening. I have not yet figured out where this second ACQUIRE comes from

Re: when having to acquire an SA, ipsec drops the packet

2007-03-06 Thread James Morris
On Tue, 6 Mar 2007, Joy Latten wrote: I saw something similar to this some time ago when testing various failure modes, and discussed it with Herbert. IIRC, there's a larval SA which is not torn down properly by Racoon once the full SA is established, and the larval SA keeps resending

Re: when having to acquire an SA, ipsec drops the packet

2007-03-05 Thread Joy Latten
From: Joy Latten [EMAIL PROTECTED] Date: Mon, 05 Feb 2007 14:53:39 -0600 I can run some tests with this patch and report any results... Please check out the two most recent patches I posted: 1) Updated core patch with ipv6 side added. 2) Fix for thinko noticed by Venkat. I have been testing

Re: when having to acquire an SA, ipsec drops the packet

2007-02-07 Thread Joy Latten
From: Joy Latten [EMAIL PROTECTED] Date: Mon, 05 Feb 2007 14:53:39 -0600 I can run some tests with this patch and report any results... Please check out the two most recent patches I posted: 1) Updated core patch with ipv6 side added. 2) Fix for thinko noticed by Venkat. Just a quick update.

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread James Morris
On Sun, 4 Feb 2007, David Miller wrote: Something like this (untested) on the ipv4 side, for example: Looks like it should work. Will do some testing. -- James Morris [EMAIL PROTECTED]

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread James Morris
On Mon, 5 Feb 2007, James Morris wrote: On Sun, 4 Feb 2007, David Miller wrote: Something like this (untested) on the ipv4 side, for example: Looks like it should work. Will do some testing. Appears to work well, with a slight delay on the first packet as expected. Tested with tcp,

RE: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread Venkat Yekkirala
Something like this (untested) on the ipv4 side, for example: diff --git a/include/net/route.h b/include/net/route.h index 486e37a..a8af632 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -146,7 +146,8 @@ static inline char rt_tos2priority(u8 tos) static inline int

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread Joy Latten
On Thu, 2007-02-01 at 18:44 -0500, James Morris wrote: On Thu, 1 Feb 2007, Joy Latten wrote: IPsec returns EAGAIN when it needs to acquire an SA. There has been a thread or two about this... Has there been any info or progress in how best to fix this? James Morris presented some

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread David Miller
From: James Morris [EMAIL PROTECTED] Date: Mon, 5 Feb 2007 15:34:39 -0500 (EST) On Mon, 5 Feb 2007, James Morris wrote: On Sun, 4 Feb 2007, David Miller wrote: Something like this (untested) on the ipv4 side, for example: Looks like it should work. Will do some testing.

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread Joy Latten
I can run some tests with this patch and report any results... Regards, Joy On Sun, 2007-02-04 at 20:53 -0800, David Miller wrote: From: James Morris [EMAIL PROTECTED] Date: Thu, 1 Feb 2007 18:44:48 -0500 (EST) A quick dirty solution, which is what I think the BSD kernels do, is to

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread David Miller
From: Venkat Yekkirala [EMAIL PROTECTED] Date: Mon, 5 Feb 2007 14:49:17 -0600 Something like this (untested) on the ipv4 side, for example: diff --git a/include/net/route.h b/include/net/route.h index 486e37a..a8af632 100644 --- a/include/net/route.h +++ b/include/net/route.h @@

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread David Miller
From: Joy Latten [EMAIL PROTECTED] Date: Mon, 05 Feb 2007 14:53:39 -0600 I can run some tests with this patch and report any results... Please check out the two most recent patches I posted: 1) Updated core patch with ipv6 side added. 2) Fix for thinko noticed by Venkat. Thanks.

Re: when having to acquire an SA, ipsec drops the packet

2007-02-04 Thread David Miller
From: James Morris [EMAIL PROTECTED] Date: Thu, 1 Feb 2007 18:44:48 -0500 (EST) A quick dirty solution, which is what I think the BSD kernels do, is to still drop the packet but just not return an error to the app. The app then just sees a slight delay on the initial connection, as if a

Re: when having to acquire an SA, ipsec drops the packet

2007-02-02 Thread Paul Moore
On Thursday, February 1 2007 6:44 pm, James Morris wrote: On Thu, 1 Feb 2007, Joy Latten wrote: When using labeled xfrms (xfrms that contain a security context), there is potential for a greater amount of SAs to be created than when using regular xfrms. An SA may be created every time a

when having to acquire an SA, ipsec drops the packet

2007-02-01 Thread Joy Latten
IPsec returns EAGAIN when it needs to acquire an SA. There has been a thread or two about this... Has there been any info or progress in how best to fix this? James Morris presented some work/ideas, http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf When using labeled xfrms

Re: when having to acquire an SA, ipsec drops the packet

2007-02-01 Thread James Morris
On Thu, 1 Feb 2007, Joy Latten wrote: IPsec returns EAGAIN when it needs to acquire an SA. There has been a thread or two about this... Has there been any info or progress in how best to fix this? James Morris presented some work/ideas,