Hi,

On Mon, May 08, 2023 at 06:15:52PM +0200, Kristof Provost wrote:
> I've also landed the (FreeBSD) kernel side of that:
> https://cgit.freebsd.org/src/commit/?id=f7ee28e755820375d5f441e19c1f1376a200e834

I now had (finally) time to test this.

 - Upgraded FreeBSD current to "as of today"
 - modified the kernel to set OVPN_SEQ_ROTATE to "10000" and added a printf() call (to make this easier to observe)
 - pinged!

-> and it works nicely, every 10.000 packets, I see my kernel printf()

Jun 8 21:47:24 fbsd14 kernel: ovpn: seq64=10000, need key rotation

and then

Jun 8 21:47:36 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 UDPv6 WRITE [14] to [AF_INET6]2001:608:0:814::f000:3:61067: P_CONTROL_SOFT_RESET_V1 kid=1 [ ] pid=0 DATA len=0
...
Jun 8 21:47:36 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 dco_install_key: peer_id=0 keyid=1, currently 1 keys installed
Jun 8 21:47:36 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 dco_new_key: slot 1, key-id 1, peer-id 0, cipher AES-256-GCM
Jun 8 21:48:37 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 Swapping primary and secondary keys to primary-id=1 secondary-id=0
Jun 8 21:48:37 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 dco_swap_keys: peer-id 0
...
Jun 8 21:50:38 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 dco_install_key: peer_id=0 keyid=2, currently 1 keys installed
Jun 8 21:50:38 fbsd14 tun-udp-p2mp[917]: myclient peer-id=0 dco_new_key: slot 1, key-id 2, peer-id 0, cipher AES-256-GCM

-> so kernel triggers the userland re-keying, userland swaps key in kernel, ping does not notice...

--- fd00:abcd:114:2::1002 ping6 statistics ---
20000 packets transmitted, 20000 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.249/0.377/11.693/0.150 ms

Good work, folks :-)

gert

PS: Antonio, so where's the Linux side...?

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
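As an added example (not from this post, nor from the FreeBSD or OpenVPN sources), a small Python model of the two-slot DCO key rotation the log above exercises: the kernel side counts seq64 per key and raises the rotation notice at OVPN_SEQ_ROTATE, the userland side installs the next key-id into the secondary slot and swaps. OVPN_SEQ_ROTATE=10000, the slot numbers and the key-id sequence follow the log lines; retiring the old key at swap time is a simplification of mine.

```python
from typing import Dict, List, Optional, Tuple

OVPN_SEQ_ROTATE = 10000    # the test value patched into the kernel in the post above
PRIMARY, SECONDARY = 0, 1  # slot numbers; "dco_new_key: slot 1" in the log is the secondary slot

class Key:
    def __init__(self, key_id: int) -> None:
        self.key_id, self.seq64 = key_id, 0   # seq64: data packets sent under this key

class DcoPeer:
    """Kernel side of the model: two key slots per peer, seq64 counted per key."""
    def __init__(self) -> None:
        self.slots: List[Optional[Key]] = [None, None]
        self.events: List[str] = []

    def install_key(self, key_id: int, slot: int = SECONDARY) -> None:
        installed = sum(k is not None for k in self.slots)
        self.events.append(f"dco_new_key: slot {slot}, key-id {key_id}, currently {installed} keys installed")
        self.slots[slot] = Key(key_id)

    def swap_keys(self) -> None:
        self.slots[PRIMARY], self.slots[SECONDARY] = self.slots[SECONDARY], self.slots[PRIMARY]
        # Simplification (assumption): retire the old key right at the swap. OpenVPN keeps
        # it for a transition window so packets still in flight can be decrypted.
        self.slots[SECONDARY] = None
        self.events.append(f"dco_swap_keys: primary-id={self.slots[PRIMARY].key_id}")

    def send(self) -> Tuple[int, bool]:
        # Send one data packet; returns (key-id used, rotation requested).
        key = self.slots[PRIMARY]
        if key is None:
            raise RuntimeError("no primary key installed")
        key.seq64 += 1
        rotate = key.seq64 == OVPN_SEQ_ROTATE   # the kernel printf() the post added fires here
        if rotate:
            self.events.append(f"ovpn: seq64={key.seq64}, need key rotation")
        return key.key_id, rotate

def run_ping(packets: int) -> Tuple[Dict[int, int], List[str]]:
    """Userland side of the model: answer a rotation notice with a new key-id, then swap."""
    peer = DcoPeer()
    peer.install_key(0, PRIMARY)
    next_key_id, sent = 1, {}
    for _ in range(packets):
        key_id, rotate = peer.send()
        sent[key_id] = sent.get(key_id, 0) + 1
        if rotate:
            peer.install_key(next_key_id)  # soft reset: new key lands in the secondary slot
            peer.swap_keys()
            next_key_id += 1
    return sent, peer.events
```

Running run_ping(20000) reproduces the shape of the log: 10000 packets under key-id 0, a rotation notice, key-id 1 installed into slot 1 and swapped in, 10000 packets under key-id 1, then key-id 2 installed into slot 1 again, with every packet carrying a key.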
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel