An SA is in-use if it is referred to by a policy. Remove it from the policy and 
no more traffic will use it. If you’re doing that with the workers running, 
then wait one worker loop before deleting the SA.

/neale


From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of jiangxiaoming via 
lists.fd.io <jiangxiaoming=outlook....@lists.fd.io>
Date: Monday, 21 November 2022 at 12:30
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] There is bug in esp decrypt

Hi neale,
    Currently there is only one way to detect whether the SA is in use: 
checking the SA counter. But if the IKE times out and is rekeying the SA which 
was first used by ipsec4-input-feature, the SA may have been deleted in the 
esp_encrypt node.
I rewrote the IKE plugin; in my test case, there are 10k IKE sessions with 20k 
SAs in the IPsec layer, the IKE timeout is 30s and the SA rekey timeout is 10s. 
The esp_encrypt node crashed frequently.
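
The sequence described in the reply at the top of this thread (remove the SA from the policy, let every worker complete a loop, then delete) is sketched below as an added example; it is not part of the thread and is not VPP code. All names (`sa_pool`, `sa_unlink`, `worker_loop_done`, `sa_try_delete`) are hypothetical, and the worker loops are modelled as plain counters in a single thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical single-threaded model, not VPP's data structures or API. */
#define N_WORKERS 2
#define N_SA 4

typedef struct {
    bool allocated;                  /* slot holds a live SA */
    bool in_policy;                  /* a policy still refers to it */
    uint64_t unlinked_at[N_WORKERS]; /* each worker's loop count at unlink */
} sa_t;

static sa_t sa_pool[N_SA];
static uint64_t worker_loops[N_WORKERS];

void sa_add(int i) { sa_pool[i] = (sa_t){ .allocated = true, .in_policy = true }; }

/* Step 1: drop the policy reference so no new packet can select the SA. */
void sa_unlink(int i) {
    sa_pool[i].in_policy = false;
    for (int w = 0; w < N_WORKERS; w++)
        sa_pool[i].unlinked_at[w] = worker_loops[w];
}

/* Called when worker w finishes a dispatch loop; packets it picked up
 * before the unlink have left the graph by then (model assumption). */
void worker_loop_done(int w) { worker_loops[w]++; }

/* Step 2: free only when unlinked and every worker has looped since. */
bool sa_try_delete(int i) {
    sa_t *sa = &sa_pool[i];
    if (!sa->allocated || sa->in_policy) return false;
    for (int w = 0; w < N_WORKERS; w++)
        if (worker_loops[w] == sa->unlinked_at[w]) return false;
    *sa = (sa_t){0};
    return true;
}

int main(void) {
    sa_add(0);
    sa_unlink(0);
    printf("delete right after unlink: %d\n", sa_try_delete(0));
    worker_loop_done(0);
    worker_loop_done(1);
    printf("delete after one loop per worker: %d\n", sa_try_delete(0));
    return 0;
}
```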