Created attachment 156874
Send hard expires when SAs are destroyed

The FreeBSD kernel currently does not send an SADB_EXPIRE when the hard lifetime of an IPsec SA expires (so this affects all releases, not only 11). Some keying daemons rely on these messages to learn when IPsec SAs are to be deleted (e.g. because they don't set their own timers to do so).

According to RFC 2367, section 3.1.8, the kernel should probably send an SADB_EXPIRE when the hard lifetime is reached anyway:

    The operating system kernel is responsible for tracking SA expirations for security protocols that are implemented inside the kernel. If the soft limit or hard limit of a Security Association has expired for a security protocol implemented inside the kernel, then the kernel MUST issue an SADB_EXPIRE message to all key socket listeners.

It continues with:

    If a HARD lifetime extension is included, it indicates that the HARD lifetime expired. This means the association MAY be deleted already from the SADB. If a SOFT lifetime extension is included, it indicates that the SOFT lifetime expired.

With the attached patch applied, hard expires as defined above are sent when the hard lifetime of an IPsec SA is reached.
Created attachment 156880
Check HARD lifetime first

Hi Tobias,

RFC 2367 says that "HARD lifetimes MUST take precedence over SOFT lifetimes, meaning if the HARD and SOFT lifetimes are the same, the HARD lifetime will appear on the EXPIRE message." Can you test this patch for such cases?
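As an added example (not part of this bug report or of FreeBSD's code), this is the receiving side of the message the patch adds: a key-socket listener walking the extension chain of an SADB_EXPIRE and applying the HARD-over-SOFT precedence quoted above, with every length validated before use. The constants and struct layouts are redeclared from RFC 2367 rather than taken from pfkeyv2.h, the message is constructed in memory instead of read from a PF_KEY socket, and the names classify_expire and expire_demo are the example's own.

```c
#include <stdint.h>
#include <string.h>

/* Constants and wire layouts from RFC 2367 (they match pfkeyv2.h); len fields count 64-bit words. */
#define SADB_EXPIRE            8
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
struct sadb_msg { uint8_t version, type, msg_errno, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_lifetime { uint16_t len, exttype; uint32_t allocations; uint64_t bytes, addtime, usetime; };
enum expire_kind { EXPIRE_MALFORMED = -1, EXPIRE_NONE, EXPIRE_SOFT, EXPIRE_HARD };

/* Walk the extension chain of an SADB_EXPIRE and report which lifetime expired. If both
 * extensions appear, HARD takes precedence (RFC 2367). Every length is checked before use. */
int classify_expire(const uint8_t *buf, size_t buflen)
{
    struct sadb_msg hdr;
    if (buflen < sizeof hdr) return EXPIRE_MALFORMED;
    memcpy(&hdr, buf, sizeof hdr);
    size_t end = (size_t)hdr.len * 8;                 /* total message length in bytes */
    if (hdr.type != SADB_EXPIRE || end < sizeof hdr || end > buflen) return EXPIRE_MALFORMED;
    int kind = EXPIRE_NONE;
    for (size_t off = sizeof hdr; off + 4 <= end;) {
        uint16_t ext[2];                              /* generic sadb_ext header: {len, type} */
        memcpy(ext, buf + off, sizeof ext);
        size_t extlen = (size_t)ext[0] * 8;
        if (extlen < sizeof ext || extlen > end - off) return EXPIRE_MALFORMED;
        if (ext[1] == SADB_EXT_LIFETIME_HARD) kind = EXPIRE_HARD;
        else if (ext[1] == SADB_EXT_LIFETIME_SOFT && kind == EXPIRE_NONE) kind = EXPIRE_SOFT;
        off += extlen;
    }
    return kind;
}

/* Constructed test data: an SADB_EXPIRE for an ESP SA with up to two lifetime
 * extensions (0 omits one), classified the way a listening daemon would. */
int expire_demo(uint16_t ext1, uint16_t ext2)
{
    uint8_t buf[sizeof(struct sadb_msg) + 2 * sizeof(struct sadb_lifetime)];
    struct sadb_msg hdr = { .version = 2 /* PF_KEY_V2 */, .type = SADB_EXPIRE, .satype = 3 /* ESP */ };
    uint16_t types[2] = { ext1, ext2 };
    size_t off = sizeof hdr;
    for (int i = 0; i < 2; i++) if (types[i]) {
        struct sadb_lifetime lt = { .len = sizeof lt / 8, .exttype = types[i], .addtime = 3600 };
        memcpy(buf + off, &lt, sizeof lt); off += sizeof lt;
    }
    hdr.len = (uint16_t)(off / 8);
    memcpy(buf, &hdr, sizeof hdr);
    return classify_expire(buf, off);
}
```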
Ah, great. Yes, that's an issue I mentioned in bug #200283 (currently SAs with only a hard lifetime don't actually expire at all). I tested the patch and it works as expected, IPsec SAs with only a hard lifetime expire now.
A commit references this bug:

Author: ae
Date: Tue May 19 08:30:04 UTC 2015
New revision: 283101
URL: https://svnweb.freebsd.org/changeset/base/283101

Log:
  Teach key_expire() to send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD extension header type. The key_flush_sad() now will send SADB_EXPIRE message when HARD lifetime expires. This is required by RFC 2367 and some keying daemons rely on these messages.
  HARD lifetime messages have precedence over SOFT lifetime messages, so now they will be checked first.
  Also now SADB_EXPIRE messages will be sent even if the SA has not been used, because keying daemons might want to rekey such SA.

  PR: 200282, 200283
  Submitted by: Tobias Brunner <tobias at strongswan dot org>
  MFC after: 2 weeks

Changes:
  head/sys/netipsec/key.c
A commit references this bug:

Author: ae
Date: Tue Jun 2 03:51:34 UTC 2015
New revision: 283903
URL: https://svnweb.freebsd.org/changeset/base/283903

Log:
  MFC r283101:
  Teach key_expire() to send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD extension header type. The key_flush_sad() now will send SADB_EXPIRE message when HARD lifetime expires. This is required by RFC 2367 and some keying daemons rely on these messages.
  HARD lifetime messages have precedence over SOFT lifetime messages, so now they will be checked first.
  Also now SADB_EXPIRE messages will be sent even if the SA has not been used, because keying daemons might want to rekey such SA.

  PR: 200282, 200283

  MFC r283102:
  Change SA's state before sending SADB_EXPIRE message. This state will be reported to keying daemon.

Changes:
_U  stable/10/
  stable/10/sys/netipsec/key.c
Fixed in head/ and stable/10. Thanks!