tech-net archive


Re: Libreswan



On Mon, 22 Jun 2020 at 14:08, Valtteri Vuorikoski <vuori%notcom.org@localhost> wrote:
>
> Andrew Cagney <andrew.cagney%gmail.com@localhost> writes:
>
> > I forgot to send this during BSDCan
> > https://www.bsdcan.org/events/bsdcan_2020/schedule/session/40-libreswan-teaching-old-code-new-tricks/
>
> Nice presentation (only looked at the slides so far). Is there something
> else missing from NetBSD wrt MOBIKE besides the
> SADB_X_EXT_NEW_ADDRESS_SRC/DST bits?

Good question.

I know that the critical thing is a mechanism that stops traffic flow
around the IPsec source/dst address change -
SADB_X_EXT_NEW_ADDRESS_SRC/DST sounds sufficient.

However, what also can help is a mechanism for triggering the mobike
exchange.  In its absence, a liveness probe will fail, triggering a
mobike exchange.  I asked antony on #libreswan irc (who did the
original linux work):

<antony> there are two events IP address change RTM_DELADDR RTM_NEWADDR
<antony> there is another one for ESP port change, think of NAT
gateway in the middle rebooting, in Linux it is called XFRMA_MIGRATE
(Libreswan AFAIK ignores them for now, strongswan can handle it)
<antony> I think there may be another one for routing change as well.
<antony> all of these could trigger a mobike or local SA update.

Anyway, what troubles me more is the state of BSD's libpfkey -
ipsec-tools is dead.  NetBSD's version is in desperate need of some
TLC; FreeBSD has been giving their fork a little too much TLC; and for
all that effort strongswan seems to use their own code.

>  -vuori
>