Discussion:
[strongSwan-dev] Packet loss during rekey
Emeric POUPON
2016-10-14 12:52:12 UTC
Hello,

About this issue: https://wiki.strongswan.org/issues/1291

I would like someone on the team to tell me what work would be required to properly fix this issue.
As far as I understand, it looks quite complicated, but I would like to know how much effort it requires.

Best Regards,

Emeric
Tobias Brunner
2017-04-21 06:29:21 UTC
Hi Emeric,
Post by Emeric POUPON
About this issue: https://wiki.strongswan.org/issues/1291
In case you (or anybody else interested in this) haven't seen it yet,
I've implemented some changes that try to address this, see the latest
update to the issue above.

Regards,
Tobias
Emeric POUPON
2017-04-21 06:52:32 UTC
Hello,

Thanks for your support!

Do you plan to merge your dev in the main branch, or do you require our feedback first?

Regards,
Emeric

Tobias Brunner
2017-04-21 07:17:16 UTC
Hi Emeric,
Post by Emeric POUPON
Do you plan to merge your dev in the main branch, or do you require our feedback first?
I'd really like some feedback first. Because the code is practically
untested (besides the unit tests). Our regression tests currently also
don't include any rekeying scenarios.

Regards,
Tobias
Emeric POUPON
2017-04-21 15:55:14 UTC
Hi,

So far it seems to work as expected. I have launched some tests over this weekend to check the stability.
I will check the actual packet loss next week.

Emeric
Emeric POUPON
2017-04-25 09:16:15 UTC
Hello,

It seems there is no more packet loss during the CHILD SA rekeying.
However, I noticed some drop during the IKE SA reauthentication, despite the make_before_break option set to yes.

Is that the expected behavior?

Regards,
Emeric
Tobias Brunner
2017-04-25 09:42:24 UTC
Hi Emeric,
Post by Emeric POUPON
It seems there is no more packet loss during the CHILD SA rekeying.
Thanks for the tests.
Post by Emeric POUPON
However, I noticed some drop during the IKE SA reauthentication, despite the make_before_break option set to yes.
Is that the expected behavior?
I guess, I didn't change anything regarding reauthentication. It's also
not that easy as the new IKE_SA that's built during a reauthentication
has no relationship to the existing one (like the two or more IKE_SAs
during a rekeying do), so synchronizing the uninstallation/destruction
of the associated CHILD_SAs is not really possible. It's similar to
when an SA is first established, the responder is able to send ESP
packets before the initiator can actually process them. This could only
be "resolved" by delaying the installation of the outbound SA on the
responder for a while after it responded to the IKE_AUTH (or
CREATE_CHILD_SA) message. But even then, the response could get lost or
delayed and the responder might still install the SA before the
initiator installed its inbound SA. During a reauthentication the same
thing occurs, i.e. the responder will install a new outbound SA with the
new IKE_SA and use it before the initiator installs the new inbound SA
when it receives the IKE_AUTH response.

Regards,
Tobias
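
The installation race described in the last message, as an added timeline model that is not part of the original thread and is not strongSwan code. The `Scenario` fields, the 10 ms packet interval and the assumption that the initiator installs its inbound SA the instant the response arrives are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Constructed parameters; t=0 is when the responder sends its IKE_AUTH response."""
    response_arrival_ms: int  # when a response finally reaches the initiator
    outbound_delay_ms: int    # how long the responder waits before installing its outbound SA
    old_sa_available: bool    # True for a make-before-break reauth, False for first setup


def simulate(s, packet_interval_ms=10, duration_ms=5000):
    """Classify every ESP packet the responder sends after answering IKE_AUTH."""
    counts = {"delivered_old": 0, "delivered_new": 0, "dropped": 0, "not_sent": 0}
    for t in range(0, duration_ms, packet_interval_ms):
        if t < s.outbound_delay_ms:
            # Responder has not installed the new outbound SA yet: traffic
            # stays on the old SA if one exists, otherwise nothing is sent.
            counts["delivered_old" if s.old_sa_available else "not_sent"] += 1
        elif t < s.response_arrival_ms:
            # Responder already encrypts with the new SA, but the initiator
            # has no matching inbound SA until the response arrives.
            counts["dropped"] += 1
        else:
            counts["delivered_new"] += 1
    return counts


# No delay on the responder: packets are lost for one response latency.
IMMEDIATE = Scenario(response_arrival_ms=20, outbound_delay_ms=0, old_sa_available=True)
# Delayed outbound install covers the normal latency: no loss.
DELAYED = Scenario(response_arrival_ms=20, outbound_delay_ms=100, old_sa_available=True)
# Same delay, but the first response is lost and a retransmission is needed
# (4020 ms is a constructed arrival time): the delay no longer helps.
DELAYED_LOST = Scenario(response_arrival_ms=4020, outbound_delay_ms=100, old_sa_available=True)

if __name__ == "__main__":
    for name, sc in [("immediate", IMMEDIATE), ("delayed", DELAYED),
                     ("delayed, response lost", DELAYED_LOST)]:
        print(f"{name:24s} {simulate(sc)}")
```
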
