New commits:
commit 8c7726812ad1be28467b120af1e43c0ef51ff39e
Author: Nupur Agrawal <[email protected]>
Date:   Mon Jun 8 11:15:00 2020 +0530

    IKEv2: Adds preliminary support for session resumption (rfc-5723)
    
    Some notes on the merge (by Andrew Cagney):
    
    - the original patch was forced to heavily modify the
      IKE_SA_INIT code in ikev2_parent.[hc]
    
      Since then the IKE_SA_INIT code had been overhauled and
      moved to ikev2_ike_sa_init.[hc].  Before the merge, the code
      was further refactored, creating ikev2_unsecured.[hc].
    
      Consequently, most of the original changes to IKE_SA_INIT
      in ikev2_parent.[hc] could be eliminated, making
      ikev2_ike_session_resume.c much smaller.
    
    - consistent with the times, the original patch
      added states and transitions to the IKEv2 state m/c
    
      Since then states and transitions have been wrapped
      in exchanges.
    
      Consequently, the patch's states and transitions
      needed a v2_IKE_SESSION_RESUME_exchange wrapper.
    
    - the original patch had to sprinkle .st_resuming over
      the IKE_AUTH code in ikev2_parent.[hc]
    
      While much of the IKE_AUTH code has moved to
      ikev2_ike_auth.c the PSK/PPK/NULL code is little
      changed (it could do with an overhaul, see #1947).
    
      Consequently, the .st_resuming changes were
      moved straight over.
    
    - the original patch, just like the PPK code,
      had its own version of the KEYMAT code
    
      Before merging, the existing KEYMAT code was
      re-structured with the duplicate PPK code
      eliminated.
    
      Consequently, the SKEYSEED code was greatly
      simplified.
    
    Known limitations:
    
    - the ticket is neither protected nor encrypted
      A PEXPECT to this effect is logged
      see: double encrypt the resume payload #1940
    
    - the ticket expiration isn't perfect
      for instance, when to discard tickets has edge cases
      see: session resume would like to know the re-authentication time #1935
    
    - the ticket format needs a review
      for instance, the ID needs to be a proper string
      see: rework str_id() when serializing the ID #1934
    
    - NSS's SKEYSEED isn't being used
      instead the NSS code uses the MAC SKEYSEED et al.
      see: SKEYSEED = prf(SK_d (old), "Resumption" | Ni | Nr) #1931
    
    - the IKE_SESSION_RESUME request is missing most notifies
      for instance, REDIRECT, it's a consequence of separating out the code
      see: refactor record_v2_{IKE_SA_INIT,IKE_SESSION_RESUME}_request() notify code (ditto receivers) #1941
    
    - COOKIE and REDIRECT need work
      minimally, the code needs to trade notifies and be tested
      see: handle cookie response when IKE_SESSION_RESUME request #1932
      see: handle redirect response when an IKE_SESSION_RESUME request #1948
    
    - there's no `ipsec suspend <connection>` command
      the new command set post-dates the patch
      see: ipsec suspend connection #1942
    
    close #436 Merge GSoC IKE RESUME Exchange code
    close #1941 refactor record_v2_{IKE_SA_INIT,IKE_SESSION_RESUME}_request() notify code (ditto receivers)
    
    Signed-off-by: Andrew Cagney <[email protected]>

_______________________________________________
Swan-commit mailing list -- [email protected]
To unsubscribe send an email to [email protected]
