Subject: Re: bin/28922: racoon leaves old SA's in kernel
To: None <makoto@hauN.org>
From: Kimmo Suominen <kim@tac.nyc.ny.us>
List: netbsd-bugs
Date: 01/10/2005 17:33:20
On Mon, Jan 10, 2005 at 03:39:03PM +0900, ???? ??? wrote:
> In racoon.conf(5)
> >  even when an new SA was established.  The KAME stack has
> >  the switch in the system wide value, net.key.pre-
> >  ferred_oldsa.  when the value is zero, the stack always
> >  use an new SA.
> 
> Apparently KAME-based NetBSD stack != KAME stack here...
> (FAST_IPSEC seems to have this though...)

I'm running with the change shown below -- taken from the FAST_IPSEC
code.  However, it seems this is not quite as trivial to reproduce as
reloading ipsec on one side...

Regards,
+ Kim
-- 
Kimmo Suominen


Index: key.c
===================================================================
RCS file: /cvsroot/src/sys/netkey/key.c,v
retrieving revision 1.126
diff -u -r1.126 key.c
--- key.c	6 Dec 2004 08:07:28 -0000	1.126
+++ key.c	10 Jan 2005 22:29:18 -0000
@@ -132,6 +132,7 @@
 static u_int key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
 static int key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
 static int key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
+static int key_prefered_oldsa = 0;	/* prefered old sa rather than new sa.*/
 
 static u_int32_t acq_seq = 0;
 
@@ -687,11 +688,19 @@
 			panic("key_do_allocsa_policy: "
 				"lifetime_current is NULL.");
 
-		/* XXX What the best method is to compare ? */
-		if (candidate->lft_c->sadb_lifetime_addtime >
+		/* What the best method is to compare ? */
+		if (key_prefered_oldsa) {
+		    if (candidate->lft_c->sadb_lifetime_addtime >
+				    sav->lft_c->sadb_lifetime_addtime) {
+			    candidate = sav;
+		    }
+		    continue;
+		}
+
+		/* prefered new sa rather than old sa */
+		if (candidate->lft_c->sadb_lifetime_addtime <
 				sav->lft_c->sadb_lifetime_addtime) {
 			candidate = sav;
-			continue;
 		}
 	}
 
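Review bot: With key_prefered_oldsa initialized to 0 in the first hunk, the default SA choice in this loop flips: the removed comparison replaced `candidate` only when its sadb_lifetime_addtime was larger (so the older SA survived), while the new default branch replaces it when its addtime is smaller (so the newest SA wins). That may well be the intent for the PR, but it changes behaviour for every existing configuration; if the previous default is to be kept, initialize the variable to 1 and state the meaning next to it, e.g. `/* 0: hand out the newest SA; 1: keep the oldest (previous behaviour) */`. Dropping the `continue` from the new-SA branch is only safe because that `if` is the last statement of the loop body, which is worth a one-line comment since the old-SA branch above it still relies on `continue`. The enclosing function starts before this hunk, so whether `candidate->lft_c` is guaranteed non-NULL at this point cannot be confirmed from the hunk.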
@@ -7966,6 +7975,11 @@
 		       CTL_NET, PF_KEY, KEYCTL_ESP_KEYMIN, CTL_EOL);
 	sysctl_createv(clog, 0, NULL, NULL,
 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "prefered_oldsa", NULL,
+		       NULL, 0, &key_prefered_oldsa, 0,
+		       CTL_NET, PF_KEY, KEYCTL_PREFERED_OLDSA, CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 		       CTLTYPE_INT, "esp_auth", NULL,
 		       NULL, 0, &ipsec_esp_auth, 0,
 		       CTL_NET, PF_KEY, KEYCTL_ESP_AUTH, CTL_EOL);
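Review bot: The sysctl is registered under the name "prefered_oldsa", and the same spelling is used for KEYCTL_PREFERED_OLDSA and the KEYCTL_NAMES entry in the key_var.h hunks and for key_prefered_oldsa in the first hunk, whereas racoon.conf(5) as quoted at the top of this message documents the knob as net.key.preferred_oldsa. An administrator following the manual page would set a name the kernel does not export. If the misspelling is kept deliberately to match the FAST_IPSEC code this was taken from, record that next to the definition, e.g. `/* spelled "prefered" to match FAST_IPSEC's net.key.prefered_oldsa */`; otherwise use `preferred_oldsa` consistently in key.c and key_var.h before it becomes part of the ABI. The function holding these sysctl_createv calls starts before the hunk.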
Index: key_var.h
===================================================================
RCS file: /cvsroot/src/sys/netkey/key_var.h,v
retrieving revision 1.15
diff -u -r1.15 key_var.h
--- key_var.h	27 Aug 2004 04:56:16 -0000	1.15
+++ key_var.h	10 Jan 2005 22:29:18 -0000
@@ -51,7 +51,7 @@
 #define KEYCTL_ESP_KEYMIN		9
 #define KEYCTL_ESP_AUTH			10
 #define KEYCTL_AH_KEYMIN		11
-/* 12: reserved */
+#define KEYCTL_PREFERED_OLDSA		12
 #define KEYCTL_DUMPSA			13
 #define KEYCTL_DUMPSP			14
 #define KEYCTL_MAXID			15
@@ -69,7 +69,7 @@
 	{ "esp_keymin", CTLTYPE_INT }, \
 	{ "esp_auth", CTLTYPE_INT }, \
 	{ "ah_keymin", CTLTYPE_INT }, \
-	{ 0, 0, }, \
+	{ "prefered_oldsa", CTLTYPE_INT }, \
 	{ 0, 0, }, \
 	{ 0, 0, }, \
 }