[Openswan dev] Phase 2 Negotiation Reliability

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri Sep 17 13:23:56 CEST 2004


>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
    >> Upon receiption of such a notify, look up each SPI# and see if we
    >> are using it. If we are *not* using it then send a delete.

    Herbert> Yes that sounds like a good way to do it.
    >> I was also thinking ... why is it that message 2 of the phase 2
    >> isn't getting retransmitted longer when message 3 gets lost. The
    >> original thread had some comments from about only 3
    >> retransmits...

    Herbert> Message 2 is sent by the responder who cannot retry
    Herbert> indefinitely.  In IKEv2 each transaction is initiated by
    Herbert> the initiator who can retry indefinitely or give up.

    Herbert> The problem is exacerbated by the fact that openswan only
    Herbert> retries 3 times.  In our case we extended this to 20 times
    Herbert> and it's worked around the problem for now.

  I think that this is a good patch in general.
  Did you just increase MAXIMUM_RETRANSMISSIONS in include/pluto_constants.h?

  I'm thinking that the state structure should have a maximum field, 
which could be initialized to different values.

  Do you think this useful in general?
  I.e. there are states when we want to try harder?

  Thinking about OE, the responder could take a long time to do DNS
lookups, and we might well expire retransmits on that. I don't think
I've ever seen that happen.

    >> Can anyone suggest any netfilter modules that might help to build
    >> a test case? I.e. something that will drop the first n-packets of
    >> a stream. Or maybe I should use QoS for that.

    Herbert> You just need a rule that drops the last message in QM.
    Herbert> Something based on the size of the message should do the
    Herbert> trick.
  I'm hesistant to do anything based upon the size, because it could
break very easily.

  Maybe I'll write an iptables modules :-)

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list