author | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 18:49:13 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 18:49:13 +0200 |
commit | f8eb636e701cc66198bfab9e601842273b038219 (patch) | |
tree | 4e4d7b800c93c1c479f153784a996a434f192d7c /src/libcharon/tests/utils/mock_ipsec.h | |
parent | 4cc77142e0292d5d00f20e62849139f4401895c8 (diff) | |
parent | 10c7a668067b2657e8dffef70812d81b6408f12c (diff) | |
download | strongswan-f8eb636e701cc66198bfab9e601842273b038219.tar.bz2 strongswan-f8eb636e701cc66198bfab9e601842273b038219.tar.xz |
Merge branch 'avoid-rekey-loss'
This changes the behavior during IKEv2 CHILD_SA rekeyings to avoid
traffic loss. When responding to a CREATE_CHILD_SA request to rekey a
CHILD_SA the responder already has everything available to install and
use the new CHILD_SA. However, this could lead to lost traffic as the
initiator won't be able to process inbound packets until it processed the
CREATE_CHILD_SA response and updated the inbound SA. To avoid this the
responder now only installs the new inbound SA and delays installing the
outbound SA until it receives the DELETE for the replaced CHILD_SA. The
messages transporting these DELETEs could reach the peer before packets
sent with the deleted outbound SAs reach the respective peer. To reduce
the chance of traffic loss due to this the inbound SA of the replaced
CHILD_SA is not removed for a configurable amount of seconds after
the DELETE has been processed.
Fixes #1291.
Diffstat (limited to 'src/libcharon/tests/utils/mock_ipsec.h')
-rw-r--r-- | src/libcharon/tests/utils/mock_ipsec.h | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/libcharon/tests/utils/mock_ipsec.h b/src/libcharon/tests/utils/mock_ipsec.h index cbf21524a..95038a561 100644 --- a/src/libcharon/tests/utils/mock_ipsec.h +++ b/src/libcharon/tests/utils/mock_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2016 Tobias Brunner + * Copyright (C) 2016-2017 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,7 +15,7 @@ /** * kernel_ipsec_t implementation used for exchange unit tests. Currently - * returns sequential SPIs, all other methods are noops. + * returns sequential SPIs, and keeps track of installed SAs. * * @defgroup mock_ipsec mock_ipsec * @{ @ingroup test_utils_c @@ -33,4 +33,11 @@ */ kernel_ipsec_t *mock_ipsec_create(); +/** + * Enumerate the installed SAs + * + * @return enumerator over (ike_sa_t*, uint32_t) + */ +enumerator_t *mock_ipsec_create_sa_enumerator(); + #endif /** MOCK_IPSEC_H_ @}*/ |
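Review bot: In the last hunk (@@ -33,4 +33,11 @@), the doc comment on mock_ipsec_create_sa_enumerator() documents only the tuple types, "(ike_sa_t*, uint32_t)", and leaves the meaning of the uint32_t unstated. The file header says the mock returns sequential SPIs, so this is presumably the SPI, but the comment should say so, and should also say whether both inbound and outbound SAs are enumerated. The merge is about installing the inbound SA first and delaying the outbound one, so a test that asserts on this enumerator needs to know which of the two it is seeing. Please also note in the comment who destroys the returned enumerator. As a smaller style point, the new declaration uses empty parentheses; in a C header `enumerator_t *mock_ipsec_create_sa_enumerator(void);` gives a real prototype, although the existing `mock_ipsec_create()` in the same file has the same form, so this may be better handled for both declarations together.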