[Openswan dev] pending phase2 handling
atong at TrustedCS.com
Thu Feb 10 15:41:54 EST 2011
On Wed, Feb 09, 2011 at 05:08:06PM -0500, Paul Wouters wrote:
> On Wed, 9 Feb 2011, atong at TrustedCS.com wrote:
> >For our environment, our approach is to search the pending list for
> >the connection's host pair in add_pending() and not proceed with the
> >queuing if a phase 2 request already exists.
> >
> >Any thoughts on this approach?
>
> That approach sounds right, though things are a little more
> complicated when the acquires received are slightly different, but
> meant for the same tunnel. Especially for tunnels with 0.0.0.0/0.
> Ideally, you match not on a hostpair, but on a connection.
We do have some 0.0.0.0/0 cases in use. I am checking the connection,
its isakmp_sa (which I don't think I need to... but at the time I
did just to be safe).
> We have an outgoing request to the kernel people not to drown us in
> those acquires, they should do the lookup and only send ones for
> different tunnels, or at least rate limit them with exponential
> backoff.
I'm not up to date on the kernel side, so this is from observation
only. It has a reasonable timeout for sending acquires; for example
it's not going to send multiple acquires for a TCP connection attempt.
> I'd be interested in seeing your patch though,
Just a caveat: this is a quick port+test to 2.6.x, from a 2.4.x build,
which is much better tested.
-anthony
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pending.patch
Type: application/octet-stream
Size: 895 bytes
Desc: pending.patch
Url : http://lists.openswan.org/pipermail/dev/attachments/20110210/1aa9ad0c/attachment.obj
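To illustrate the dedup approach discussed in the thread, here is an added model of the check, not the attached pending.patch and not Openswan's actual code: a pending list whose add_pending() refuses to queue a second phase 2 request for the same connection and ISAKMP SA. Matching on the connection rather than the host pair alone, as Paul suggests, keeps two 0.0.0.0/0 tunnels to the same peer from suppressing each other. The struct layouts, field names and sample addresses are assumptions for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for Openswan's connection and ISAKMP SA state. */
struct connection { const char *name; const char *host_pair; };
struct state { unsigned long serialno; };

struct pending {
    struct connection *connection;
    struct state *isakmp_sa;
    struct pending *next;
};

static struct pending *pending_list;   /* head of the phase 2 queue */

/* Constructed sample: two connections sharing one host pair, as happens
 * with 0.0.0.0/0 tunnels, under a single phase 1 SA. */
struct connection tunnel_a = { "tunnel-a", "192.0.2.1<->198.51.100.1" };
struct connection tunnel_b = { "tunnel-b", "192.0.2.1<->198.51.100.1" };
struct state sa = { 1 };

/* Non-zero if a phase 2 request for this connection under this ISAKMP SA
 * is already queued.  Comparing the connection, not only the host pair,
 * keeps distinct tunnels to the same peer apart. */
static int pending_exists(const struct connection *c, const struct state *isakmp_sa)
{
    for (const struct pending *p = pending_list; p != NULL; p = p->next)
        if (p->connection == c && p->isakmp_sa == isakmp_sa)
            return 1;
    return 0;
}

/* Queue a phase 2 request unless an identical one is already pending.
 * Returns 1 when queued, 0 when dropped as a duplicate, -1 on allocation failure. */
int add_pending(struct state *isakmp_sa, struct connection *c)
{
    if (pending_exists(c, isakmp_sa))
        return 0;
    struct pending *p = malloc(sizeof *p);
    if (p == NULL)
        return -1;
    p->connection = c;
    p->isakmp_sa = isakmp_sa;
    p->next = pending_list;
    pending_list = p;
    return 1;
}

/* Number of phase 2 requests currently queued. */
int pending_count(void)
{
    int n = 0;
    for (const struct pending *p = pending_list; p != NULL; p = p->next)
        n++;
    return n;
}
```

Calling add_pending(&sa, &tunnel_a) twice queues one entry, while a following add_pending(&sa, &tunnel_b) is still accepted despite the identical host pair, so pending_count() ends at 2.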