
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] leaking phase 2 SAs
From:       Timo_Teräs <timo.teras () iki ! fi>
Date:       2008-12-03 10:39:02
Message-ID: 493661C6.6080101 () iki ! fi

VANHULLEBUS Yvan wrote:
> On Tue, Dec 02, 2008 at 06:57:52PM -0800, Paul Moore wrote:
>> When racoon receives an informational delete from a peer it only deletes
>> the SA that is mentioned in the message.
> 
> Yes.
> 
>> It does not delete the
>> associated SA. The result is that I end up with a spare SA (which does
>> not get reused if another acquire comes for the same peer).
> 
> Right.
> That SA will be flushed when it times out.
> 
>> When racoon sends an informational delete it deletes both SAs from the
>> kernel's SADB;
> 
> The most common case when racoon sends DELETE_SA is when it shuts
> down. And yes, at that time, it flushes all SAs in the kernel's SADB...
> 
>> but only sends one SPI in the message. I.e. racoon knows
>> that sending a delete means that both SPIs of the pair are dead, but it
>> doesn't clean both up when it receives the single-SPI delete.
> 
> The logic behind that is that you do really have to know that the SA
> you're using to talk with me is not available anymore, so you know you
> won't have to use it anymore.
> 
> You don't really need to know that the other one is also dead: you
> just won't receive any more packets using it.
> 
> There have been some comments in the code for a long time about such
> logic, and, to be honest, the patched version we ship to our customers
> doesn't use this logic, but deletes both incoming/outgoing SAs.
> 
> If that's ok for everyone, I'll commit that patch on HEAD soon.

+1

- Timo
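As an added illustration of the two behaviours discussed in the thread above (example code written for this page, not code from ipsec-tools or racoon): a toy SADB holding two phase 2 pairs with one peer, a handler that removes only the SA named in the peer's informational DELETE (the behaviour Paul reports), and one that also removes the partner SA (the behaviour Yvan proposes to commit). The addresses, SPIs, reqid values and the pairing rule (opposite direction, same protocol, same reqid) are constructed assumptions for this model, not racoon's real lookup logic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a kernel SADB entry. Constructed for this example; it is
 * not racoon's or any kernel's real data structure. */
struct sa {
    const char *src;   /* source address of the SA */
    const char *dst;   /* destination address of the SA */
    uint32_t spi;
    int proto;         /* 50 = ESP, 51 = AH */
    uint32_t reqid;    /* assumption: both halves of a phase 2 pair share it */
    bool live;
};

#define NSA 4
static struct sa sadb[NSA];

/* Load a constructed SADB: two phase 2 pairs with the same peer (10.0.0.2). */
void sadb_init(void)
{
    const struct sa init[NSA] = {
        { "10.0.0.1", "10.0.0.2", 0x1001, 50, 1, true }, /* outbound, pair 1 */
        { "10.0.0.2", "10.0.0.1", 0x2001, 50, 1, true }, /* inbound,  pair 1 */
        { "10.0.0.1", "10.0.0.2", 0x1002, 50, 2, true }, /* outbound, pair 2 */
        { "10.0.0.2", "10.0.0.1", 0x2002, 50, 2, true }, /* inbound,  pair 2 */
    };
    memcpy(sadb, init, sizeof sadb);
}

int sadb_live_count(void)
{
    int n = 0;
    for (int i = 0; i < NSA; i++)
        if (sadb[i].live) n++;
    return n;
}

static struct sa *find_by_spi(uint32_t spi, int proto)
{
    for (int i = 0; i < NSA; i++)
        if (sadb[i].live && sadb[i].spi == spi && sadb[i].proto == proto)
            return &sadb[i];
    return NULL;
}

/* The other half of the pair: opposite direction, same protocol, same reqid
 * (assumed pairing rule for this model). */
static struct sa *find_partner(const struct sa *s)
{
    for (int i = 0; i < NSA; i++) {
        struct sa *t = &sadb[i];
        if (t != s && t->live && t->proto == s->proto && t->reqid == s->reqid &&
            strcmp(t->src, s->dst) == 0 && strcmp(t->dst, s->src) == 0)
            return t;
    }
    return NULL;
}

/* Behaviour reported in the thread: on an informational DELETE from the peer,
 * remove only the SA whose SPI is named. Returns the number of SAs removed. */
int handle_delete_single(uint32_t spi, int proto)
{
    struct sa *s = find_by_spi(spi, proto);
    if (!s) return 0;
    s->live = false;
    return 1;
}

/* Proposed behaviour: remove the named SA and its partner, since both halves
 * of the pair are dead once the peer has deleted one of them. */
int handle_delete_pair(uint32_t spi, int proto)
{
    struct sa *s = find_by_spi(spi, proto);
    if (!s) return 0;
    struct sa *p = find_partner(s);
    s->live = false;
    if (p) { p->live = false; return 2; }
    return 1;
}

/* Leaked half-pairs: live SAs with no live partner. These are the "spare" SAs
 * that stay in the SADB until their lifetime expires. */
int sadb_count_orphans(void)
{
    int n = 0;
    for (int i = 0; i < NSA; i++)
        if (sadb[i].live && find_partner(&sadb[i]) == NULL) n++;
    return n;
}

int main(void)
{
    /* The peer deletes pair 1; the SPI it names is our outbound SA 0x1001. */
    sadb_init();
    handle_delete_single(0x1001, 50);
    printf("single-SPI delete: %d live, %d orphaned\n",
           sadb_live_count(), sadb_count_orphans());
    sadb_init();
    handle_delete_pair(0x1001, 50);
    printf("pair delete:       %d live, %d orphaned\n",
           sadb_live_count(), sadb_count_orphans());
    return 0;
}
```

With the single-SPI handler the inbound SA 0x2001 is left behind as an orphan with no outbound partner, which is the spare SA Paul observes; with the pair handler the SADB ends up holding only pair 2. On a real system the equivalent check is to list the SADB (for example with setkey -D) after a peer has torn down a tunnel and look for an SA whose reverse-direction partner is gone.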
