[Openswan dev] pending phase2 handling

Paul Wouters paul at xelerance.com
Wed Feb 9 17:08:06 EST 2011


On Wed, 9 Feb 2011, atong at TrustedCS.com wrote:

> For private connections (failureshut=drop), when a host attempts to
> send traffic over that connection, if a phase 2 is not established,
> the request will get queued to its phase 1 state.
>
> However, these pending requests will accumulate if the destination
> is unavailable; pluto will keep queuing phase2 requests if the
> host keeps trying to use that connection, as the kernel will
> keep sending acquire events.
>
> The result is a large amount of pending, duplicate phase2 requests,
> and if the phase1 state finally gets established, all these states
> then get processed -- depending on the number of pending requests
> (assuming it doesn't run out of memory first), a potential denial
> of service situation.
>
> For our environment, our approach is to search the pending list
> for the connection's host pair in add_pending() and not proceed
> with the queuing if a phase2 request already exists.
>
> Any thoughts on this approach?

That approach sounds right, though things are a little more complicated
when the acquires received are slightly different, but meant for the
same tunnel. Especially for tunnels with 0.0.0.0/0. Ideally, you match
not on a hostpair, but on a connection.

We have an outgoing request to the kernel people not to drown us in those
acquires, they should do the lookup and only send ones for different tunnels,
or at least rate limit them with exponential backoff.

I'd be interested in seeing your patch though,

Paul
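The following is an added illustration of the de-duplication discussed above, written here for this thread and not taken from Openswan's pluto source. It models a per-phase-1 pending queue whose add_pending() refuses to queue a second request that an existing entry already covers, and lets you compare the two keys mentioned in the thread: matching on the host pair (the original proposal) versus matching on the connection (Paul's suggestion). Everything except the name add_pending is assumed: struct conn, struct pending, find_pending(), release_pending(), the MATCH_HOSTPAIR/MATCH_CONNECTION modes, the phase-1 serial 7, and the two constructed connections that share one gateway pair.

```c
/* Added example, not pluto code: a pending phase-2 queue that coalesces
 * duplicate kernel acquires instead of growing without bound. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for pluto's connection: a name and its host pair. */
struct conn {
    const char *name;
    uint32_t this_host;   /* local gateway address, constructed value */
    uint32_t that_host;   /* remote gateway address, constructed value */
};

/* One queued phase-2 request waiting on a phase-1 (ISAKMP SA) state. */
struct pending {
    unsigned long isakmp_sa;        /* serial of the phase-1 state it waits on */
    const struct conn *connection;
    unsigned acquires_seen;         /* kernel acquires folded into this entry */
    struct pending *next;
};

/* The two candidate keys discussed in the thread. */
enum match_mode { MATCH_HOSTPAIR, MATCH_CONNECTION };

static struct pending *pending_head = NULL;

static int same_hostpair(const struct conn *a, const struct conn *b)
{
    return a->this_host == b->this_host && a->that_host == b->that_host;
}

/* Look for an entry on the same phase-1 SA that already covers c. */
static struct pending *find_pending(unsigned long isakmp_sa,
                                    const struct conn *c, enum match_mode mode)
{
    struct pending *p;
    for (p = pending_head; p != NULL; p = p->next) {
        if (p->isakmp_sa != isakmp_sa)
            continue;
        if (mode == MATCH_CONNECTION ? p->connection == c
                                     : same_hostpair(p->connection, c))
            return p;
    }
    return NULL;
}

/* Queue a phase-2 request unless an equivalent one is already pending.
 * Returns 1 if a new entry was queued, 0 if the acquire was coalesced. */
int add_pending(unsigned long isakmp_sa, const struct conn *c,
                enum match_mode mode)
{
    struct pending *p = find_pending(isakmp_sa, c, mode);
    if (p != NULL) {
        p->acquires_seen++;   /* duplicate: count it, do not grow the list */
        return 0;
    }
    p = calloc(1, sizeof(*p));
    if (p == NULL)
        abort();
    p->isakmp_sa = isakmp_sa;
    p->connection = c;
    p->acquires_seen = 1;
    p->next = pending_head;
    pending_head = p;
    return 1;
}

size_t pending_count(void)
{
    size_t n = 0;
    const struct pending *p;
    for (p = pending_head; p != NULL; p = p->next)
        n++;
    return n;
}

/* How many acquires were folded into the entry for a given connection name. */
unsigned pending_acquires(const char *name)
{
    const struct pending *p;
    for (p = pending_head; p != NULL; p = p->next)
        if (strcmp(p->connection->name, name) == 0)
            return p->acquires_seen;
    return 0;
}

/* Phase 1 came up: release every entry waiting on that SA exactly once. */
size_t release_pending(unsigned long isakmp_sa)
{
    size_t released = 0;
    struct pending **pp = &pending_head;
    while (*pp != NULL) {
        struct pending *p = *pp;
        if (p->isakmp_sa == isakmp_sa) {
            *pp = p->next;    /* unlink; a real daemon would start quick mode here */
            free(p);
            released++;
        } else {
            pp = &p->next;
        }
    }
    return released;
}

/* Scenario from the thread: one gateway pair carrying two tunnels (one of
 * them 0.0.0.0/0) and a burst of acquires while phase 1 is still negotiating. */
size_t simulate(enum match_mode mode)
{
    static const struct conn any  = { "to-gw-any",  0x0a000001u, 0xc0a80001u };
    static const struct conn mgmt = { "to-gw-mgmt", 0x0a000001u, 0xc0a80001u };
    int i;
    release_pending(7);                  /* start from an empty queue */
    for (i = 0; i < 1000; i++)
        add_pending(7, &any, mode);      /* 1000 acquires for the same tunnel */
    add_pending(7, &mgmt, mode);         /* one acquire for the second tunnel */
    return pending_count();
}

int main(void)
{
    printf("match on connection: %zu pending\n", simulate(MATCH_CONNECTION));
    printf("match on host pair:  %zu pending\n", simulate(MATCH_HOSTPAIR));
    return 0;
}
```

With MATCH_CONNECTION the thousand acquires for the 0.0.0.0/0 tunnel collapse into one entry and the second tunnel still gets its own, so two phase-2 negotiations run when phase 1 completes. With MATCH_HOSTPAIR the second tunnel's acquire is swallowed by the first entry because both connections share the gateway pair, which is the case Paul's reply warns about.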

