aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2017-05-23 18:49:13 +0200
committerTobias Brunner <tobias@strongswan.org>2017-05-23 18:49:13 +0200
commitf8eb636e701cc66198bfab9e601842273b038219 (patch)
tree4e4d7b800c93c1c479f153784a996a434f192d7c /src/libcharon/plugins/kernel_iph/kernel_iph_net.c
parent4cc77142e0292d5d00f20e62849139f4401895c8 (diff)
parent10c7a668067b2657e8dffef70812d81b6408f12c (diff)
downloadstrongswan-f8eb636e701cc66198bfab9e601842273b038219.tar.bz2
strongswan-f8eb636e701cc66198bfab9e601842273b038219.tar.xz
Merge branch 'avoid-rekey-loss'
This changes the behavior during IKEv2 CHILD_SA rekeyings to avoid traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA the responder already has everything available to install and use the new CHILD_SA. However, this could lead to lost traffic as the initiator won't be able to process inbound packets until it processed the CREATE_CHILD_SA response and updated the inbound SA. To avoid this the responder now only installs the new inbound SA and delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. The messages transporting these DELETEs could reach the peer before packets sent with the deleted outbound SAs reach the respective peer. To reduce the chance of traffic loss due to this the inbound SA of the replaced CHILD_SA is not removed for a configurable amount of seconds after the DELETE has been processed. Fixes #1291.
Diffstat (limited to 'src/libcharon/plugins/kernel_iph/kernel_iph_net.c')
0 files changed, 0 insertions, 0 deletions