Created attachment 156875: Always send a soft expire

The FreeBSD kernel currently only sends an SADB_EXPIRE message when the soft lifetime expires if the IPsec SA has been used. Some keying daemons might want to rekey the SA even if it has not been used, which is not possible if no SADB_EXPIRE message is sent (or only if they set their own timers to trigger a rekeying). Also not nice is that currently no soft expire is triggered if the SA is used after the soft lifetime has already expired.

The attached patch is based on the one I submitted with bug #200282 and removes the check for the current use time before sending a soft expire.

By the way, wouldn't it make sense to check the hard lifetime also for SAs in state SADB_SASTATE_MATURE? Otherwise, SAs that only have a hard lifetime set won't ever expire as they will never enter the state SADB_SASTATE_DYING.
A commit references this bug:

Author: ae
Date: Tue May 19 08:30:05 UTC 2015
New revision: 283101
URL: https://svnweb.freebsd.org/changeset/base/283101

Log:
Teach key_expire() to send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD extension header type. The key_flush_sad() now will send SADB_EXPIRE message when HARD lifetime expires. This is required by RFC 2367 and some keying daemons rely on these messages. HARD lifetime messages have precedence over SOFT lifetime messages, so now they will be checked first. Also now SADB_EXPIRE messages will be sent even if the SA has not been used, because keying daemons might want to rekey such SA.

PR: 200282, 200283
Submitted by: Tobias Brunner <tobias at strongswan dot org>
MFC after: 2 weeks

Changes:
head/sys/netipsec/key.c
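To make the before/after behaviour discussed in the report and the commit log concrete, here is an added example that models the lifetime check as a small state machine. It is constructed for this page and is not FreeBSD's sys/netipsec/key.c: the struct layout, the function names expire_check_before/expire_check_after and the "before" semantics are assumptions taken from the bug report's description (soft expire only for a used SA, hard lifetime only consulted once the SA is DYING), only the addtime lifetimes are modelled (usetime is omitted), and the sample SAs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the PF_KEY lifetime check discussed in this bug.
 * It is NOT FreeBSD's sys/netipsec/key.c; the structures and function
 * names are assumptions chosen to illustrate the reported behaviour.
 */
enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };
enum expire_msg { EXPIRE_NONE, EXPIRE_SOFT, EXPIRE_HARD };

struct sa {
    enum sa_state state;
    uint64_t created;    /* time the SA was added (seconds) */
    uint64_t first_use;  /* time of first use, 0 if never used */
    uint64_t soft_add;   /* soft addtime lifetime, 0 = unset */
    uint64_t hard_add;   /* hard addtime lifetime, 0 = unset */
};

/* A lifetime has elapsed when it is set and `limit` seconds have passed. */
static bool elapsed(uint64_t limit, uint64_t since, uint64_t now)
{
    return limit != 0 && now >= since + limit;
}

/*
 * Behaviour as the bug report describes it (assumed model): a soft expire
 * is only sent for an SA that has been used, and the hard lifetime is only
 * consulted once the SA is already DYING, so a hard-only SA never leaves
 * MATURE and no SADB_EXPIRE is sent for the hard lifetime at all.
 */
enum expire_msg expire_check_before(struct sa *sa, uint64_t now)
{
    if (sa->state == SA_MATURE) {
        if (elapsed(sa->soft_add, sa->created, now) && sa->first_use != 0) {
            sa->state = SA_DYING;
            return EXPIRE_SOFT;
        }
        return EXPIRE_NONE;
    }
    if (sa->state == SA_DYING && elapsed(sa->hard_add, sa->created, now))
        sa->state = SA_DEAD;   /* deleted silently, no SADB_EXPIRE */
    return EXPIRE_NONE;
}

/*
 * Behaviour after r283101/r283102 as the commit log describes it: HARD is
 * checked first in every state and reported, SOFT is reported whether or
 * not the SA was used, and the state changes before the message is sent.
 */
enum expire_msg expire_check_after(struct sa *sa, uint64_t now)
{
    if (sa->state == SA_DEAD)
        return EXPIRE_NONE;
    if (elapsed(sa->hard_add, sa->created, now)) {
        sa->state = SA_DEAD;       /* state updated before reporting */
        return EXPIRE_HARD;
    }
    if (sa->state == SA_MATURE && elapsed(sa->soft_add, sa->created, now)) {
        sa->state = SA_DYING;
        return EXPIRE_SOFT;
    }
    return EXPIRE_NONE;
}

static const char *msg_name(enum expire_msg m)
{
    return m == EXPIRE_SOFT ? "SADB_EXPIRE(SOFT)" :
           m == EXPIRE_HARD ? "SADB_EXPIRE(HARD)" : "(none)";
}

int main(void)
{
    /* Constructed SAs: added at t=100, never used. */
    struct sa unused_b = { SA_MATURE, 100, 0, 60, 120 };   /* soft 60s, hard 120s */
    struct sa unused_a = { SA_MATURE, 100, 0, 60, 120 };
    struct sa hardonly_b = { SA_MATURE, 100, 0, 0, 120 };  /* hard lifetime only */
    struct sa hardonly_a = { SA_MATURE, 100, 0, 0, 120 };

    printf("unused SA, t=170:    before=%-18s after=%s\n",
           msg_name(expire_check_before(&unused_b, 170)),
           msg_name(expire_check_after(&unused_a, 170)));
    printf("hard-only SA, t=1000: before=%-18s after=%s\n",
           msg_name(expire_check_before(&hardonly_b, 1000)),
           msg_name(expire_check_after(&hardonly_a, 1000)));
    return 0;
}
```

Running the block shows the two cases from the report side by side: the unused SA gets no soft expire before the change and SADB_EXPIRE(SOFT) after it, and the hard-only SA sits in MATURE forever before the change but is reported with SADB_EXPIRE(HARD) after it. The `state == SA_DEAD` guard and the hard-before-soft ordering in expire_check_after are what give HARD messages precedence when both lifetimes have elapsed.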
Fixed in head/ and stable/10. Thanks!
A commit references this bug:

Author: ae
Date: Tue Jun 2 03:51:34 UTC 2015
New revision: 283903
URL: https://svnweb.freebsd.org/changeset/base/283903

Log:
MFC r283101:
Teach key_expire() to send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD extension header type. The key_flush_sad() now will send SADB_EXPIRE message when HARD lifetime expires. This is required by RFC 2367 and some keying daemons rely on these messages. HARD lifetime messages have precedence over SOFT lifetime messages, so now they will be checked first. Also now SADB_EXPIRE messages will be sent even if the SA has not been used, because keying daemons might want to rekey such SA.
PR: 200282, 200283

MFC r283102:
Change SA's state before sending SADB_EXPIRE message. This state will be reported to keying daemon.

Changes:
_U stable/10/
stable/10/sys/netipsec/key.c