Subject: Re: bin/28922: racoon leaves old SA's in kernel
To: None <makoto@hauN.org>
From: Kimmo Suominen <kim@tac.nyc.ny.us>
List: netbsd-bugs
Date: 01/10/2005 17:33:20
On Mon, Jan 10, 2005 at 03:39:03PM +0900, ???? ??? wrote:
> In racoon.conf(5)
> > even when an new SA was established. The KAME stack has
> > the switch in the system wide value, net.key.pre-
> > ferred_oldsa. when the value is zero, the stack always
> > use an new SA.
>
> Apparently KAME-based NetBSD stack != KAME stack here...
> (FAST_IPSEC seems to have this though...)
I'm running with the change shown below -- taken from the FAST_IPSEC
code. However, it seems this is not quite as trivial to reproduce as
reloading ipsec on one side...
Regards,
+ Kim
--
Kimmo Suominen
Index: key.c
===================================================================
RCS file: /cvsroot/src/sys/netkey/key.c,v
retrieving revision 1.126
diff -u -r1.126 key.c
--- key.c 6 Dec 2004 08:07:28 -0000 1.126
+++ key.c 10 Jan 2005 22:29:18 -0000
@@ -132,6 +132,7 @@
static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
+static int key_prefered_oldsa = 0; /* prefered old sa rather than new sa.*/
static u_int32_t acq_seq = 0;
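Review bot: The new knob is spelled "prefered" throughout — `key_prefered_oldsa` here, the sysctl string `"prefered_oldsa"` in the later key.c hunk, and `KEYCTL_PREFERED_OLDSA` plus the KEYCTL_NAMES entry in key_var.h — while the racoon.conf(5) text quoted above documents `net.key.preferred_oldsa`, so an administrator following the manual will address a sysctl that does not exist. If the spelling is deliberately kept to match the FAST_IPSEC code this was copied from, the manual page should be corrected to the same name; otherwise all four spots need the same rename. The trailing comment could also state what the value does rather than repeating the name, e.g. `/* nonzero: keep the oldest matching SA; zero (default): use the newest */`.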
@@ -687,11 +688,19 @@
panic("key_do_allocsa_policy: "
"lifetime_current is NULL.");
- /* XXX What the best method is to compare ? */
- if (candidate->lft_c->sadb_lifetime_addtime >
+ /* What the best method is to compare ? */
+ if (key_prefered_oldsa) {
+ if (candidate->lft_c->sadb_lifetime_addtime >
+ sav->lft_c->sadb_lifetime_addtime) {
+ candidate = sav;
+ }
+ continue;
+ }
+
+ /* prefered new sa rather than old sa */
+ if (candidate->lft_c->sadb_lifetime_addtime <
sav->lft_c->sadb_lifetime_addtime) {
candidate = sav;
- continue;
}
}
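Review bot: Both comparisons on the new side are strict, so when two SAs carry an equal `sadb_lifetime_addtime` neither branch replaces `candidate` and the first SA on the list wins regardless of the sysctl setting; if addtime has one-second granularity, as it appears to, `prefered_oldsa=0` can still leave the old SA selected when its replacement was established within the same second, which is the symptom this PR reports. A tie-break (for example letting the later list entry win in the new-SA path, if list order follows creation order) would make the mode decisive. The two branches also differ only in the comparison operator and could be a single statement, `if (key_prefered_oldsa ? a > b : a < b) candidate = sav;` with `a`/`b` the two addtimes, which also removes the `continue` that is now redundant at the end of the loop body. The enclosing loop and key_do_allocsa_policy both start and end outside the hunk.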
@@ -7966,6 +7975,11 @@
CTL_NET, PF_KEY, KEYCTL_ESP_KEYMIN, CTL_EOL);
sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "prefered_oldsa", NULL,
+ NULL, 0, &key_prefered_oldsa, 0,
+ CTL_NET, PF_KEY, KEYCTL_PREFERED_OLDSA, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "esp_auth", NULL,
NULL, 0, &ipsec_esp_auth, 0,
CTL_NET, PF_KEY, KEYCTL_ESP_AUTH, CTL_EOL);
Index: key_var.h
===================================================================
RCS file: /cvsroot/src/sys/netkey/key_var.h,v
retrieving revision 1.15
diff -u -r1.15 key_var.h
--- key_var.h 27 Aug 2004 04:56:16 -0000 1.15
+++ key_var.h 10 Jan 2005 22:29:18 -0000
@@ -51,7 +51,7 @@
#define KEYCTL_ESP_KEYMIN 9
#define KEYCTL_ESP_AUTH 10
#define KEYCTL_AH_KEYMIN 11
-/* 12: reserved */
+#define KEYCTL_PREFERED_OLDSA 12
#define KEYCTL_DUMPSA 13
#define KEYCTL_DUMPSP 14
#define KEYCTL_MAXID 15
@@ -69,7 +69,7 @@
{ "esp_keymin", CTLTYPE_INT }, \
{ "esp_auth", CTLTYPE_INT }, \
{ "ah_keymin", CTLTYPE_INT }, \
- { 0, 0, }, \
+ { "prefered_oldsa", CTLTYPE_INT }, \
{ 0, 0, }, \
{ 0, 0, }, \
}