[strongSwan-dev] Patch proposal: set the replay window only on inbound SA
Emeric POUPON
2016-06-15 14:38:23 UTC
Hello,

We have some extension in the FreeBSD kernel that allows the replay window to be quite big (up to several MB).
Since the replay window is not used on outbound SA, I think we could only set it on inbound SA in order to save memory.

What do you think?

Please find attached a simple patch proposal applied on 5.3.2

Emeric
Tobias Brunner
2016-06-15 15:57:27 UTC
Hi Emeric,

Thanks for the patch. Seems like [1] would fix this for all kernel
backends that don't know if an SA is inbound or not equally.

A patch for 5.3.2 is attached.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=13fc4569
Tobias Brunner
2016-06-17 13:50:18 UTC
Hi Emeric,
Tobias Brunner wrote:
> Seems like [1] would fix this for all kernel
> backends that don't know if an SA is inbound or not equally.
It's actually problematic on Linux if extended sequence numbers are
used. The kernel rejects the SA if the window is 0 in that case. So I
guess it's easier to disable the replay window for outbound SAs in the
individual kernel plugins.

Regards,
Tobias
Emeric POUPON
2016-06-17 15:07:06 UTC
Hello,

Do you know why exactly it is rejected?
Maybe another simple way would be to set the default replay window on outbound SA?

Emeric
