<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=big5">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="chmetcnv"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:新細明體;
        panose-1:2 2 3 0 0 0 0 0 0 0;}
@font-face
        {font-family:"\@新細明體";
        panose-1:2 2 3 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:新細明體;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:新細明體;}
span.EmailStyle18
        {mso-style-type:personal-compose;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=ZH-TW link=blue vlink=purple>
<div class=Section1>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>On
2009-07-29 06:33, David McCullough wrote:</span></font><span lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> </span></font><span
lang=EN-US><br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> Jivin Paul
Wouters lays it down ...</span></font><span lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> > On Wed,
22 Jul 2009, willer.wang@??? wrote:</span></font><span lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> ></span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> >> 3.
I don't know what the purpose is of OPENSWAN keeping all old outbound SAs all the
time. To prevent rebuilding the same SA?</span></font><span lang=EN-US><o:p></o:p></span></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>> ></span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> > To
ensure a seamless transition, the old receiving SA's are kept until</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> > traffic
arrives on the new SA. On the outgoing SA, I believe we drop</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> > the old
one as soon as we are ready to use the new one for traffic.</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> </span></font><span
lang=EN-US><br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> Yep, I
thought that too, but it seems that something is definitely broken.</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> I can see
the SA's increasing (cat /proc/net/ipsec_spi | wc -l) over time. </span></font><span
lang=EN-US><br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> Most
certainly seems to be rekey related.</span></font><span lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> </span></font><span
lang=EN-US><br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> Hopefully it
won't take too long to track the offending refcount discrepancy</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> and get this
fixed ;-)</span></font><span lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> </span></font><span
lang=EN-US><br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> Cheers,</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> Davidm</span></font><span
lang=EN-US> <br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>> </span></font><span
lang=EN-US><br>
</span><font size=2><span lang=EN-US style='font-size:10.0pt'>><o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>I found a
strange point about this problem. <o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>As I said
before, an expired SA did not free its related OCF resource.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>Here is my
observation: an outbound SA like esp.e43d2490@10.0.0.1
expired.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>Now it
enters the function “ipsec_sa_rm()” with refcount=3, ocf_in_use=1.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>Because
the refcount > 1, this SA is just removed from the hash table, but does not enter
the function “ipsec_sa_wipe()”.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>However,
this expired SA finally enters the function ipsec_sa_wipe() because
the refcount becomes 0.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>But now,
the ocf_in_use flag of this SA has also become “0”, and it will not enter “ipsec_ocf_sa_free()”.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>So the
related OCF resource is always kept.<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>I really
cannot understand why the ocf_in_use of this SA can become 0 before entering
ipsec_ocf_sa_free().<o:p></o:p></span></font></p>
<p><font size=2 face=新細明體><span lang=EN-US style='font-size:10.0pt'>Can someone
give me advice about this problem?<o:p></o:p></span></font></p>
<p><font size=3 face=新細明體><span lang=EN-US style='font-size:12.0pt'>Thx~<o:p></o:p></span></font></p>
</div>
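<p>The teardown sequence described in this message, as a small C model added here for illustration; it is not Openswan code and not part of the original post. Every name is hypothetical, the model assumes the expiry step drops one reference, and W_UNKNOWN_PATH stands in for the code path that clears ocf_in_use, which the thread does not identify. It shows one diagnostic: record the writer on every change to the flag, so the final wipe can report who cleared it while the session was still live.</p>

```c
/* Simplified model of the sequence in the post. All names are hypothetical;
 * this is not Openswan/KLIPS source. */
enum writer { W_NONE, W_SA_INIT, W_OCF_FREE, W_UNKNOWN_PATH };

struct sa_model {
    int refcount;
    int hashed;              /* still in the SA hash table */
    int ocf_in_use;          /* the flag the post watches */
    int ocf_session_live;    /* stands for the OCF resource behind the SA */
    enum writer last_writer; /* who last wrote ocf_in_use */
};

/* Every write to the flag goes through here so the writer is recorded. */
static void set_ocf_in_use(struct sa_model *sa, int v, enum writer who)
{
    sa->ocf_in_use = v;
    sa->last_writer = who;
}

static void model_ocf_sa_free(struct sa_model *sa)
{
    sa->ocf_session_live = 0;
    set_ocf_in_use(sa, 0, W_OCF_FREE);
}

/* Final teardown: the session is released only when the flag is set.
 * Returns the last flag writer if the session leaked, W_NONE otherwise. */
static enum writer model_sa_wipe(struct sa_model *sa)
{
    if (sa->ocf_in_use)
        model_ocf_sa_free(sa);
    return sa->ocf_session_live ? sa->last_writer : W_NONE;
}

static enum writer model_sa_put(struct sa_model *sa)
{
    return (--sa->refcount == 0) ? model_sa_wipe(sa) : W_NONE;
}

/* Replays the post: expiry at refcount=3 only unhashes; wipe runs at 0. */
enum writer replay(int flag_cleared_early)
{
    struct sa_model sa[1] = { { 3, 1, 0, 1, W_NONE } };
    set_ocf_in_use(sa, 1, W_SA_INIT);
    sa->hashed = 0;                             /* expiry: removed from table */
    enum writer r = model_sa_put(sa);           /* 3 -> 2, no wipe */
    if (flag_cleared_early)
        set_ocf_in_use(sa, 0, W_UNKNOWN_PATH);  /* stand-in for the unidentified write */
    if (r == W_NONE) r = model_sa_put(sa);      /* 2 -> 1 */
    if (r == W_NONE) r = model_sa_put(sa);      /* 1 -> 0, wipe */
    return r;
}

int main(void) { return replay(1) == W_UNKNOWN_PATH ? 0 : 1; }
```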
</body>
</html>