[Openswan dev] Phase 2 Negotiation Reliability
Michael Richardson
mcr at sandelman.ottawa.on.ca
Fri Sep 17 13:23:56 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
>> Upon receiption of such a notify, look up each SPI# and see if we
>> are using it. If we are *not* using it then send a delete.
Herbert> Yes that sounds like a good way to do it.
>> I was also thinking ... why is it that message 2 of the phase 2
>> isn't getting retransmitted longer when message 3 gets lost. The
>> original thread had some comments from about only 3
>> retransmits...
Herbert> Message 2 is sent by the responder who cannot retry
Herbert> indefinitely. In IKEv2 each transaction is initiated by
Herbert> the initiator who can retry indefinitely or give up.
Herbert> The problem is exacerbated by the fact that openswan only
Herbert> retries 3 times. In our case we extended this to 20 times
Herbert> and it's worked around the problem for now.
I think that this is a good patch in general.
Did you just increase MAXIMUM_RETRANSMISSIONS in include/pluto_constants.h?
I'm thinking that the state structure should have a maximum field,
which could be initialized to different values.
Do you think this useful in general?
I.e. there are states when we want to try harder?
Thinking about OE, the responder could take a long time to do DNS
lookups, and we might well expire retransmits on that. I don't think
I've ever seen that happen.
>> Can anyone suggest any netfilter modules that might help to build
>> a test case? I.e. something that will drop the first n-packets of
>> a stream. Or maybe I should use QoS for that.
Herbert> You just need a rule that drops the last message in QM.
Herbert> Something based on the size of the message should do the
Herbert> trick.
I'm hesistant to do anything based upon the size, because it could
break very easily.
Maybe I'll write an iptables modules :-)
- --
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQUsPmoqHRg3pndX9AQHtKAQAtR7TnmflW4+t+IfHumtSmtW/GREdUbEh
Sih1evDLoHH5Kfdm5pQszi48Fe6t2ngQb+QPPOv8S+u5UjbK2qO/wHCezfuxJxRW
++az/WQNTYbEztYEDDzTOxMjIHntK3aAF85Lqdmm4vOx+mbgtyDCtgkTbJ6TTgZV
pPyLnTkSUNk=
=M6K+
-----END PGP SIGNATURE-----
More information about the Dev
mailing list