Hello Martin, *,

our hardcore-rekeying test (every 2 seconds) revealed another flaw whenever one of the peers has an SA configured to be restarted on close (dpdaction restart). If the peer with the SA configured to be restarted wins the rekey collision, it honors the restart action once the other peer sends a delete notification, and reinitiates the (actually duplicate) SA. This results in a growing number of superseded child SAs (which I cleverly configured to time out in an infinite time, i.e. never). So after quite some runtime of the test I can count the impressive number of 22'000 child SAs never to be used again.

The attached patch introduces a new data member to the child SA that can be used to set and retrieve information on whether the child is going to be deleted by the peer, so that the SA's delete action is going to be ignored.

Thomas

Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
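As an added illustration of the scenario described above, and not the attached patch or strongSwan's own code: a simplified C model in which the rekey-collision winner marks the superseded CHILD_SA (the hypothetical `rekeyed` flag stands in for the new data member) so that the peer's delete notification no longer fires the configured restart action. The structs, function names and counters are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Close action configured for a CHILD_SA; ACTION_RESTART models "dpdaction restart". */
typedef enum { ACTION_NONE, ACTION_RESTART } action_t;
/* Hypothetical, simplified CHILD_SA (not strongSwan's child_sa_t). `rekeyed` is the
 * added flag: the SA was superseded by a rekey and the peer is expected to delete it. */
typedef struct {
    action_t close_action;
    bool rekeyed;
} child_sa_t;
/* Hypothetical SA bookkeeping for the simulation. */
typedef struct {
    size_t active;   /* CHILD_SAs currently installed */
    size_t leaked;   /* duplicates that never carry traffic and never expire */
} sa_table_t;

/* Rekey collision won by the local peer: the new SA is installed and, with the
 * fix, the old SA is marked so that the peer's DELETE does not trigger a restart. */
static void rekey_collision_won(child_sa_t *old, sa_table_t *tbl, bool fixed) {
    tbl->active++;
    if (fixed) old->rekeyed = true;
}

/* DELETE notification from the peer for the old SA. Without the fix the close
 * action fires and re-initiates an SA that merely duplicates the rekeyed one. */
static void on_delete_notify(child_sa_t *old, sa_table_t *tbl) {
    tbl->active--;
    if (old->close_action == ACTION_RESTART && !old->rekeyed) {
        tbl->active++;
        tbl->leaked++;
    }
}

/* Run `rounds` collisions against a single established CHILD_SA. */
sa_table_t simulate(size_t rounds, bool fixed) {
    sa_table_t tbl = { 1, 0 };
    for (size_t i = 0; i < rounds; i++) {
        child_sa_t old = { ACTION_RESTART, false };
        rekey_collision_won(&old, &tbl, fixed);
        on_delete_notify(&old, &tbl);
    }
    return tbl;
}

int main(void) {
    sa_table_t buggy = simulate(100, false), fixed = simulate(100, true);
    printf("buggy: %zu active, %zu leaked; fixed: %zu active, %zu leaked\n",
           buggy.active, buggy.leaked, fixed.active, fixed.leaked);
    return 0;
}
```

With the flag set, the number of installed SAs stays constant across collisions; without it, every collision leaves one more duplicate behind.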
