[Openswan dev] pending phase2 handling
atong at TrustedCS.com
Wed Feb 9 13:36:34 EST 2011
Hi,
Environment: rhel5.x openswan2.4.x, rhel6 openswan 2.6.32 ikev1.
For private connections (failureshut=drop), when a host attempts to
send traffic over that connection, if a phase 2 is not established,
the request will get queued to its phase 1 state.
However, these pending requests will accumulate if the destination
is unavailable; pluto will keep queuing phase2 requests if the
host keeps trying to use that connection, as the kernel will
keep sending acquire events.
The result is a large amount of pending, duplicate phase2 requests,
and if the phase1 state finally gets established, all these states
then get processed -- depending on the number of pending requests
(assuming it doesn't run out of memory first), a potential denial
of service situation.
For our environment, our approach is to search the pending list
for the connection's host pair in add_pending() and not proceed
with the queuing if a phase2 request already exists.
Any thoughts on this approach?
-at
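Added example, not code from the post's author or from Openswan itself: a simplified C model of the per-phase-1 pending list with the host-pair check proposed above, so the unbounded growth and the bounded, deduplicated behaviour can be compared side by side. The struct layout, function names and IP addresses are constructed assumptions, not pluto's real `struct pending` or `add_pending()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of pluto's per-phase-1 pending list (constructed for
 * illustration, not Openswan's real struct pending / add_pending()). */
struct pending {
    char local[32], remote[32];   /* the connection's host pair */
    struct pending *next;
};
static struct pending *pending_head = NULL;

/* Number of phase 2 requests currently queued. */
int pending_count(void) {
    int n = 0;
    for (struct pending *p = pending_head; p; p = p->next) n++;
    return n;
}
/* 1 if a phase 2 request for this host pair is already queued, else 0. */
int pending_exists(const char *local, const char *remote) {
    for (struct pending *p = pending_head; p; p = p->next)
        if (!strcmp(p->local, local) && !strcmp(p->remote, remote)) return 1;
    return 0;
}
/* add_pending() with the host-pair check proposed in the post. Returns 1 if a
 * new entry was queued, 0 if a duplicate was suppressed, -1 on allocation
 * failure. dedup=0 reproduces the unpatched behaviour: every acquire queues. */
int add_pending(const char *local, const char *remote, int dedup) {
    if (dedup && pending_exists(local, remote)) return 0;
    struct pending *p = calloc(1, sizeof *p);
    if (!p) return -1;
    snprintf(p->local, sizeof p->local, "%s", local);
    snprintf(p->remote, sizeof p->remote, "%s", remote);
    p->next = pending_head;
    pending_head = p;
    return 1;
}
void clear_pending(void) {
    while (pending_head) { struct pending *p = pending_head; pending_head = p->next; free(p); }
}
/* The kernel emits one acquire per attempt to use the connection while
 * phase 1 never completes; returns the queue depth after `acquires` events. */
int simulate_acquires(int acquires, int dedup) {
    clear_pending();
    for (int i = 0; i < acquires; i++) add_pending("192.0.2.1", "198.51.100.7", dedup);
    return pending_count();
}
```

With dedup off the queue depth equals the number of acquire events; with the check on it stays at one entry per host pair regardless of how often the host retries.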