Bug 200282 - [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetimes of IPsec SAs are reached
Summary: [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetime...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Andrey V. Elsukov
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-05-18 14:14 UTC by Tobias Brunner
Modified: 2015-06-02 03:52 UTC (History)
2 users (show)

See Also:


Attachments
Send hard expires when SAs are destroyed (2.71 KB, patch)
2015-05-18 14:14 UTC, Tobias Brunner
no flags Details | Diff
Check HARD liftime first (3.72 KB, patch)
2015-05-18 15:59 UTC, Andrey V. Elsukov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Brunner 2015-05-18 14:14:47 UTC
Created attachment 156874 [details]
Send hard expires when SAs are destroyed

The FreeBSD kernel currently does not send an SADB_EXPIRE when the hard lifetime of an IPsec SA expires (so this affects all releases, not only 11). Some keying daemons rely on these messages to learn when IPsec SAs are to be deleted (e.g. because they don't set their own timers to do so).

According to RFC 2367, section 3.1.8 the kernel should probably send an SADB_EXPIRE when the hard lifetime is reached anyway:

    The operating system kernel is responsible for tracking SA
    expirations for security protocols that are implemented inside the
    kernel. If the soft limit or hard limit of a Security Association
    has expired for a security protocol implemented inside the kernel,
    then the kernel MUST issue an SADB_EXPIRE message to all key socket
    listeners.

It continues with:

    If a HARD lifetime extension is included, it indicates that the HARD
    lifetime expired. This means the association MAY be deleted already
    from the SADB. If a SOFT lifetime extension is included, it indicates
    that the SOFT lifetime expired.

With the attached patch applied hard expires as defined above are sent when the hard lifetime of an IPsec SA is reached.
Comment 1 Andrey V. Elsukov freebsd_committer 2015-05-18 15:59:40 UTC
Created attachment 156880 [details]
Check HARD liftime first

Hi Tobias,

RFC 2367 says that "HARD lifetimes MUST take precedence over SOFT lifetimes, meaning if the HARD and SOFT lifetimes are the same,the HARD lifetime will appear on the EXPIRE message." Can you test this patch for such cases?
Comment 2 Tobias Brunner 2015-05-18 16:32:43 UTC
Ah, great.  Yes, that's an issue I mentioned in bug #200283 (currently SAs with only a hard lifetime don't actually expire at all).

I tested the patch and it works as expected, IPsec SAs with only a hard lifetime expire now.
Comment 3 commit-hook freebsd_committer 2015-05-19 08:30:52 UTC
A commit references this bug:

Author: ae
Date: Tue May 19 08:30:04 UTC 2015
New revision: 283101
URL: https://svnweb.freebsd.org/changeset/base/283101

Log:
  Teach key_expire() send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD
  extension header type. The key_flush_sad() now will send SADB_EXPIRE
  message when HARD lifetime expires. This is required by RFC 2367 and some
  keying daemons rely on these messages. HARD lifetime messages have
  precedence over SOFT lifetime messages, so now they will be checked first.
  Also now SADB_EXPIRE messages will be send even the SA has not been used,
  because keying daemons might want to rekey such SA.

  PR:		200282, 200283
  Submitted by:	Tobias Brunner <tobias at strongswan dot org>
  MFC after:	2 weeks

Changes:
  head/sys/netipsec/key.c
Comment 4 commit-hook freebsd_committer 2015-06-02 03:52:29 UTC
A commit references this bug:

Author: ae
Date: Tue Jun  2 03:51:34 UTC 2015
New revision: 283903
URL: https://svnweb.freebsd.org/changeset/base/283903

Log:
  MFC r283101:
    Teach key_expire() send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD
    extension header type. The key_flush_sad() now will send SADB_EXPIRE
    message when HARD lifetime expires. This is required by RFC 2367 and some
    keying daemons rely on these messages. HARD lifetime messages have
    precedence over SOFT lifetime messages, so now they will be checked first.
    Also now SADB_EXPIRE messages will be send even the SA has not been used,
    because keying daemons might want to rekey such SA.

    PR:		200282, 200283

  MFC r283102:
    Change SA's state before sending SADB_EXPIRE message. This state will
    be reported to keying daemon.

Changes:
_U  stable/10/
  stable/10/sys/netipsec/key.c
Comment 5 Andrey V. Elsukov freebsd_committer 2015-06-02 03:52:49 UTC
Fixed in head/ and stable/10. Thanks!