https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200283
Bug ID: 200283
Summary: [ipsec] [patch] Send soft expire also if IPsec SA has not been used
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Created attachment 156875
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156875&action=edit
Always send a soft expire
The FreeBSD kernel currently only sends an SADB_EXPIRE message when the soft
lifetime expires if the IPsec SA has been used.
Some keying daemons might want to rekey the SA even if it has not been used,
which is not possible if no SADB_EXPIRE message is sent (or only if they set
their own timers to trigger a rekeying).
Also not nice is that currently no soft expire is triggered if the SA is used
after the soft lifetime has already expired.
The attached patch is based on the one I submitted with bug #200282 and removes
the check for the current use time before sending a soft expire.
By the way, wouldn't it make sense to check the hard lifetime also for SAs in
state SADB_SASTATE_MATURE? Otherwise, SAs that only have a hard lifetime set
won't ever expire as they will never enter the state SADB_SASTATE_DYING.
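The three lifetime cases raised in the report, as an added example: this is a simplified model, not FreeBSD kernel code and not the attached patch. `sa_tick`, `struct sa_model` and the two policy flags are hypothetical names, and the model assumes an unused SA still moves to the dying state when its soft lifetime passes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code; every name here is hypothetical. */
enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };  /* after SADB_SASTATE_* */
enum sa_event { EV_NONE, EV_SOFT_EXPIRE, EV_HARD_EXPIRE };

struct sa_model {
    long created;   /* time the SA was added (seconds) */
    long usetime;   /* time of first use, 0 = never used */
    long soft;      /* soft lifetime in seconds, 0 = unset */
    long hard;      /* hard lifetime in seconds, 0 = unset */
    enum sa_state state;
};

struct policy {
    bool soft_requires_use;  /* true: behaviour the report describes as current */
    bool hard_check_mature;  /* true: the report's suggestion for MATURE SAs */
};

/* One pass of the periodic lifetime check over a single SA. */
enum sa_event sa_tick(struct sa_model *sa, long now, struct policy p)
{
    long age = now - sa->created;
    if (sa->state == SA_DEAD)
        return EV_NONE;
    /* Hard lifetime: DYING SAs always, MATURE SAs only when enabled. */
    if (sa->hard != 0 && age > sa->hard &&
        (sa->state == SA_DYING || p.hard_check_mature)) {
        sa->state = SA_DEAD;
        return EV_HARD_EXPIRE;
    }
    /* Soft lifetime is evaluated once, while the SA is still MATURE. */
    if (sa->state == SA_MATURE && sa->soft != 0 && age > sa->soft) {
        sa->state = SA_DYING;  /* assumption: state changes even if unused */
        if (p.soft_requires_use && sa->usetime == 0)
            return EV_NONE;    /* keying daemon is never notified */
        return EV_SOFT_EXPIRE; /* stands in for SADB_EXPIRE */
    }
    return EV_NONE;
}

int main(void)
{
    struct sa_model a = { 0, 0, 10, 0, SA_MATURE }, b = a;  /* constructed, unused SA */
    printf("current: %d\n", sa_tick(&a, 11, (struct policy){ true, false }));
    printf("patched: %d\n", sa_tick(&b, 11, (struct policy){ false, false }));
    return 0;
}
```

With `soft_requires_use` set, the unused SA leaves the mature state silently, so a later first use cannot produce a soft expire either; a keying daemon relying only on SADB_EXPIRE would keep the SA until its hard lifetime.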