Emeric POUPON
2018-04-30 11:23:06 UTC
Hello,
I am using FreeBSD and routed connections, and I noticed that charon keeps updating SPs during the CHILD SA rekey process.
netstat -s -p pfkey | grep update -> increasing during each CHILD SA rekey.
I can see things like this in the logs:
Apr 30 11:02:13 15[CHD] <TUNNEL|5> CHILD_SA TUNNEL{84} state change: CREATED => INSTALLING
Apr 30 11:02:13 15[CHD] <TUNNEL|5> using AES_CBC for encryption
Apr 30 11:02:13 15[CHD] <TUNNEL|5> using HMAC_SHA2_256_128 for integrity
Apr 30 11:02:13 15[CHD] <TUNNEL|5> adding inbound ESP SA
Apr 30 11:02:13 15[CHD] <TUNNEL|5> SPI 0xccc45a9b, src 192.168.56.100 dst 192.168.56.110
Apr 30 11:02:13 15[KNL] <TUNNEL|5> deleting SAD entry with SPI ccc45a9b
Apr 30 11:02:13 15[KNL] <TUNNEL|5> deleted SAD entry with SPI ccc45a9b
Apr 30 11:02:13 15[KNL] <TUNNEL|5> adding SAD entry with SPI ccc45a9b and reqid {4}
Apr 30 11:02:13 15[KNL] <TUNNEL|5> using encryption algorithm AES_CBC with key size 256
Apr 30 11:02:13 15[KNL] <TUNNEL|5> using integrity algorithm HMAC_SHA2_256_128 with key size 256
Apr 30 11:02:13 01[JOB] watched FD 7 ready to read
Apr 30 11:02:13 15[CHD] <TUNNEL|5> registering outbound ESP SA
Apr 30 11:02:13 15[CHD] <TUNNEL|5> SPI 0xcc124fd9, src 192.168.56.110 dst 192.168.56.100
Apr 30 11:02:13 01[JOB] watcher going to poll() 4 fds
Apr 30 11:02:13 15[KNL] <TUNNEL|5> policy 192.168.100.0/24 === 192.168.110.0/24 in already exists, increasing refcount
Apr 30 11:02:13 15[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 in
Why does charon trigger an SP update in that case? Is there any relevant information to update, since the SPs are statically routed?
The problem is that there seems to be a race in FreeBSD: the SP is not really updated, it is removed and then a new one is added, and unfortunately this is not atomic.
Therefore some packets may leave using the default policy.
Emeric
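Added example, not part of Emeric's post or of strongSwan itself: a small Python parser that runs over charon debug lines of the shape quoted above and attributes each "updating policy" event to the CHILD_SA install that preceded it on the same IKE SA. With the daemon's log at hand, this lets an operator confirm that every CHILD_SA rekey is accompanied by a policy update, which on FreeBSD is the delete-then-add window the post describes. The sample log is constructed, modelled on the post's lines; the function and pattern names are mine.

```python
import re

# Constructed sample of charon debug output, modelled on the lines quoted in the
# post (not a real capture): two rekeys on IKE SA TUNNEL|5, each followed by a
# policy update in both directions, plus an unrelated IKE SA whose install
# creates a fresh policy rather than updating one.
SAMPLE_LOG = """\
Apr 30 11:02:13 15[CHD] <TUNNEL|5> CHILD_SA TUNNEL{84} state change: CREATED => INSTALLING
Apr 30 11:02:13 15[KNL] <TUNNEL|5> adding SAD entry with SPI ccc45a9b and reqid {4}
Apr 30 11:02:13 15[KNL] <TUNNEL|5> policy 192.168.100.0/24 === 192.168.110.0/24 in already exists, increasing refcount
Apr 30 11:02:13 15[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 in
Apr 30 11:02:13 15[KNL] <TUNNEL|5> policy 192.168.100.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Apr 30 11:02:13 15[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 out
Apr 30 11:32:13 09[CHD] <TUNNEL|5> CHILD_SA TUNNEL{85} state change: CREATED => INSTALLING
Apr 30 11:32:13 09[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 in
Apr 30 11:32:13 09[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 out
Apr 30 11:40:00 12[CHD] <OTHER|6> CHILD_SA OTHER{3} state change: CREATED => INSTALLING
Apr 30 11:40:00 12[KNL] <OTHER|6> adding policy 10.0.0.0/24 === 10.0.1.0/24 in
"""

# "<IKE_SA|id> CHILD_SA NAME{n} state change: CREATED => INSTALLING"
INSTALL_RE = re.compile(
    r"<(?P<ike>[^>]+)> CHILD_SA (?P<child>\S+\{\d+\}) state change: CREATED => INSTALLING"
)
# "<IKE_SA|id> updating policy LOCAL === REMOTE in|out|fwd"
UPDATE_RE = re.compile(
    r"<(?P<ike>[^>]+)> updating policy (?P<policy>\S+ === \S+ (?:in|out|fwd))"
)


def policy_updates_per_install(log_text):
    """Map each CHILD_SA that entered INSTALLING to the policies updated during it.

    An "updating policy" line is attributed to the most recent CHILD_SA install
    seen on the same IKE SA, which is how charon interleaves them in the log.
    Installs that updated no policy are kept with an empty list.
    """
    current = {}   # IKE SA name -> CHILD_SA currently being installed
    updates = {}   # CHILD_SA name -> list of updated policies
    for line in log_text.splitlines():
        m = INSTALL_RE.search(line)
        if m:
            current[m.group("ike")] = m.group("child")
            updates.setdefault(m.group("child"), [])
            continue
        m = UPDATE_RE.search(line)
        if m and m.group("ike") in current:
            updates.setdefault(current[m.group("ike")], []).append(m.group("policy"))
    return updates


def installs_with_policy_updates(log_text):
    """Sorted names of CHILD_SAs whose installation triggered a policy update."""
    return sorted(c for c, p in policy_updates_per_install(log_text).items() if p)


if __name__ == "__main__":
    for child, policies in policy_updates_per_install(SAMPLE_LOG).items():
        print(f"{child}: {len(policies)} policy update(s)")
        for policy in policies:
            print(f"    {policy}")
```

Run against a real `charon` log at `knl 2` / `chd 2` debug level, each entry with a non-empty list is one rekey that went through the kernel's policy update path; comparing that count with the growth of the `update` counter in `netstat -s -p pfkey` ties the daemon's behaviour to the PF_KEY traffic the post observed.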