On 2019/02/26 16:34, Tobias Heider wrote:
> Hi,
>
> this diff adds support for IKEv2 Message Fragmentation as defined in
> RFC 7383 (https://tools.ietf.org/html/rfc7383) to iked(8).
Thank you. I know there are quite a few additions in the genua tree and
splitting them out is not easy. I'm running this in a few places now and
have tested both with and without fragmentation; no problems seen.
A couple of nits: the manpage part is missing; I propose this:
Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.53
diff -u -p -r1.53 iked.conf.5
--- iked.conf.5 31 Jan 2018 13:25:55 -0000 1.53
+++ iked.conf.5 27 Feb 2019 12:45:46 -0000
@@ -136,6 +136,12 @@ This is the default.
.It Ic set decouple
Don't load the negotiated SAs and flows from the kernel.
This mode is only useful for testing and debugging.
+.It Ic set fragmentation
+Enable IKEv2 Message Fragmentation (RFC 7383) support.
+This allows IKEv2 to operate in environments that might block IP fragments.
+.It Ic set nofragmentation
+Disables IKEv2 Message Fragmentation support.
+This is the default.
.It Ic set mobike
Enable MOBIKE (RFC 4555) support.
This is the default.
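Review bot: the new `.It Ic set nofragmentation` entry reads "Disables IKEv2 Message Fragmentation support." while the neighbouring entries in this hunk (`set decouple`, `set mobike`) and the new `set fragmentation` entry use the imperative ("Don't load", "Enable"); suggest "Disable IKEv2 Message Fragmentation support." so the two new entries match the surrounding style.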
There are some over-long lines. It's not fair to require <=80 for
everything in this diff when big parts of iked already exceed this,
but some of the longer ones need reining in, e.g.
> Index: sbin/iked/iked.h
..
|------------------------------------------------------------------------------|
> +#define IKED_FRAG_TOTAL_MAX 111 /* upper limit of
> frag_total (64kB / 576B) */
...#define IKED_FRAG_TOTAL_MAX 111 /* upper limit of frag_total (64kB /
576B) */
> struct iked_message *
> ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
> struct iked_message *, struct ike_header *);
> +void ikev2_msg_lookup_dispose_all(struct iked *env, struct iked_msgqueue
> *queue,
> + struct iked_message *msg, struct ike_header *hdr);
> +int ikev2_msg_lookup_retransmit_all(struct iked *env, struct iked_msgqueue
> *queue,
> + struct iked_message *msg, struct ike_header *hdr, struct iked_sa
> *sa);
...(split onto another line)
> Index: sbin/iked/ikev2.c
..
> - if ((m = ikev2_msg_lookup(env, &sa->sa_responses, msg, hdr))) {
> - if (ikev2_msg_retransmit_response(env, sa, m)) {
> + if ((r = ikev2_msg_lookup_retransmit_all(env,
> &sa->sa_responses, msg, hdr, sa)) != 0) {
> + if (r == -1) {
...(and here)
I've done that in my tree.
Are there comments from anyone else?
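As an added example (not code from Tobias's diff or from iked itself), here is a reassembly routine that enforces the IKED_FRAG_TOTAL_MAX limit quoted above the way a receiver should: every peer-supplied counter is bounds-checked before it indexes anything, and fragments with an inconsistent frag_total or a repeated frag_num are dropped. The names frag_reasm_add and frag_reasm_finish and the FRAG_DATA_MAX size are assumptions made for this example; the Fragment Number / Total Fragments counters are the fields of the RFC 7383 Encrypted Fragment payload.

```c
#include <stdint.h>
#include <string.h>
#define IKED_FRAG_TOTAL_MAX	111	/* upper limit of frag_total (64kB / 576B), from the diff */
#define FRAG_DATA_MAX		576	/* assumed cap on one fragment's plaintext (example only) */
/* Reassembly state for one fragmented IKEv2 message; slot 0 is unused (RFC 7383 numbers from 1). */
struct frag_reasm {
	uint16_t	total;				/* frag_total fixed by the first accepted fragment */
	uint16_t	received;			/* distinct fragment numbers stored so far */
	size_t		len[IKED_FRAG_TOTAL_MAX + 1];	/* 0 = not yet received */
	uint8_t		data[IKED_FRAG_TOTAL_MAX + 1][FRAG_DATA_MAX];
};

/* Accept one fragment's plaintext: 1 = message complete, 0 = need more, -1 = dropped. */
int
frag_reasm_add(struct frag_reasm *r, uint16_t frag_num, uint16_t frag_total,
    const uint8_t *buf, size_t buflen)
{
	/* Range-check the peer-supplied counters before they index anything. */
	if (frag_total == 0 || frag_total > IKED_FRAG_TOTAL_MAX ||
	    frag_num == 0 || frag_num > frag_total ||
	    buflen == 0 || buflen > FRAG_DATA_MAX)
		return (-1);
	if (r->total == 0)
		r->total = frag_total;		/* first fragment fixes the expected count */
	else if (r->total != frag_total)
		return (-1);			/* peer changed frag_total mid-message */
	if (r->len[frag_num] != 0)
		return (-1);			/* duplicate: keep the first copy */
	memcpy(r->data[frag_num], buf, buflen);
	r->len[frag_num] = buflen;
	r->received++;
	return (r->received == r->total);
}

/* Concatenate fragments 1..frag_total into out; returns bytes written, 0 if incomplete or out too small. */
size_t
frag_reasm_finish(const struct frag_reasm *r, uint8_t *out, size_t outlen)
{
	size_t	off = 0;
	if (r->total == 0 || r->received != r->total)
		return (0);
	for (uint16_t i = 1; i <= r->total; i++) {
		if (off + r->len[i] > outlen)
			return (0);
		memcpy(out + off, r->data[i], r->len[i]);
		off += r->len[i];
	}
	return (off);
}
```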