From: Aidas Kasparas <a.kasparas@gmc.lt>
To: hadi@cyberus.ca
Cc: ipsec-tools-devel@lists.sourceforge.net, netdev@oss.sgi.com,
nakam@linux-ipv6.org
Subject: Re: IPSEC: on behavior of acquire
Date: Sat, 02 Apr 2005 10:10:05 +0300 [thread overview]
Message-ID: <424E454D.4090402@gmc.lt> (raw)
In-Reply-To: <1112405303.1096.37.camel@jzny.localdomain>
jamal wrote:
> test1)on one window run setkey -x:
>
> ping -c 1 someDST
>
> -1) packet arrives towards outbound
> 0) Larval state created
> 1) one acquire sent.
> 2) timeout.
> 3) packet dropped. -ESRCH returned.
> 4) larval state deleted
>
> So question 1): Shouldnt the return code be -ERESTART to ask
> the app to retry?
> question 2) Why is there a hardcoding of 1 try only?
Re 1 try only. There is little sense to do more tries. If there is no
deamon listening to pfkey messages, then no connection will be made no
matter how many retries you'll do. If deamon/link/peer is slow and SA
was not established before timeout expired, then repeated acquire will
be simply ignored (deamon will find out that negotiation is already in
progress, there is no reason to start another negotiation and therefore
will drop that acquire request). And the only situation where repeated
acquires may help is when pfkey messages are lost. But pfkey was not
designed to survive message loses, therefore you should not operate your
boxes in mode when lost pfkey messages are a rule, not an exception. And
on the other hand, occasional pfkey message loses can be worked around
by applications/user retry.
Re error code returned. Error codes returned by pfkey never were
perfect. But your experiment is not perfect too. You sent pings with no
KE deamon running. pfkey code found that there is nothing receiving
acquire messages => there is no chance that any process will setup
required SAs and tried to inform about that (I agree, return code is not
very informative, at least until you learn about reasons why it is
such). If you would have racoon (or other pfkey based ISAKMP daemon)
running, you would get "resource temporarily unavailable" (don't know
which error code corresponds to that message), which IMHO is ok (if it
is not, please explain).
Re netlink behaviour I can not comment as I don't use it for ipsec
purposes, but would like to read similar explanation. Reason for that -
idea that ipsec-tools one day could support operation via netlink is not
ruled out of our minds. Yet, afaik nobody is working on it at the moment.
--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
next parent reply other threads:[~2005-04-02 7:10 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1112405303.1096.37.camel@jzny.localdomain>
2005-04-02 7:10 ` Aidas Kasparas [this message]
2005-04-02 12:25 ` [Ipsec-tools-devel] Re: IPSEC: on behavior of acquire Zilvinas Valinskas
2005-04-02 21:28 ` jamal
2005-04-03 8:28 ` Aidas Kasparas
2005-04-03 14:29 ` jamal
2005-04-03 22:02 ` Aidas Kasparas
2005-04-04 12:33 ` [Ipsec-tools-devel] " jamal
2005-04-04 12:59 ` Aidas Kasparas
2005-04-04 13:09 ` jamal
2005-04-04 14:20 ` Aidas Kasparas
2005-04-02 1:25 jamal
2005-04-02 2:12 ` Herbert Xu
2005-04-02 14:00 ` Alexey Kuznetsov
2005-04-02 21:42 ` jamal
2005-04-02 21:52 ` Thomas Graf
2005-04-03 15:52 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=424E454D.4090402@gmc.lt \
--to=a.kasparas@gmc.lt \
--cc=hadi@cyberus.ca \
--cc=ipsec-tools-devel@lists.sourceforge.net \
--cc=nakam@linux-ipv6.org \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).