
[RFC] IPSEC failover and replay detection sequence numbers

To: netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx, vpn-failover@xxxxxxxxxxxxxxxx
Subject: [RFC] IPSEC failover and replay detection sequence numbers
From: KOVACS Krisztian <hidden@xxxxxxxxxx>
Date: Fri, 29 Oct 2004 12:23:56 +0200
Sender: netdev-bounce@xxxxxxxxxxx
  Hi,

  While developing an IPSEC failover solution we came to a problem of
replay detection sequence numbers used by IPSEC ESP and AH. To be able
to keep IPSEC SAs alive after failing over to a slave, the state of
the SAs has to be available on the slave node(s) as well. Except for the
sequence numbers this is not really a problem, since the state of an
already established SA does not change too often.

  However, currently getting or setting the replay detection state of an
SA is not possible. Unfortunately the ability to get/set the replay
detection sequence number is not enough; it would be great if the key
management daemon could get state change notifications in certain cases.

  The attached patch is an implementation of the concept, and consists
of the following parts:

      * xfrm_state replay detection notification facility: calls the
        registered callback functions if:
              * the input/output sequence number is at least the value
                sent in the last notification plus N
              * at least T jiffies have elapsed since the last
                notification and the sequence numbers have changed since
                then
      * the PFKEY implementation of the callback: sends notify pfkey
        messages (new message type)
      * the PFKEY extensions needed to get/set the parameters of the
        notification messages (N and T) (new extension header)
      * a new PFKEY message to explicitly set the replay detection state
        of an already established SA (new message type)

  As there are a couple of PFKEY changes which could possibly break
compatibility, I tried to implement these extensions so that they are
completely invisible unless the user-space explicitly requests
notifications to be sent. Both N and T parameters of a new SA default to
zero, and notification-related extension headers are sent only if these
were explicitly set to a non-zero value.

  The xfrm-netlink parts are completely missing, but could be added
easily. The corresponding libipsec changes should be trivial as well.

  Comments are welcome, especially since this is the first public
release of the patch and I'm not much of an xfrm/pfkey expert... :)

-- 
 Regards,
   Krisztian KOVACS

Attachment: ipsec_rd_notify_200410251031.patch
Description: Text Data
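As an added illustration of the two notification triggers described in the mail (N and T), and not code from the attached patch or from the kernel: a small C model of a 32-bit ESP/AH anti-replay window together with the decision of when the key management daemon should be told about the current state. The struct and function names are hypothetical; only the seq/oseq/bitmap layout mirrors the fields of the kernel's xfrm replay state.

```c
#include <stdbool.h>
#include <stdint.h>

/* Same fields as the kernel's xfrm replay state: inbound high-water mark,
 * outbound counter, 32-bit window (bit 0 = seq, bit k = seq - k). */
struct replay_state {
    uint32_t seq, oseq, bitmap;
};

/* Per-SA notification parameters and bookkeeping (hypothetical names). */
struct notify_ctx {
    uint32_t n;                /* N: notify once seq/oseq advanced >= N; 0 disables */
    unsigned long t;           /* T: notify after T jiffies if state changed; 0 disables */
    struct replay_state last;  /* state carried in the last notification */
    unsigned long last_jiffies;
};

/* Inbound anti-replay check plus window update, as the receiving node does it.
 * A slave restored from stale state would accept packets already seen by the master. */
bool replay_accept(struct replay_state *rs, uint32_t seq)
{
    if (seq == 0)
        return false;                          /* ESP/AH counters start at 1 */
    if (seq > rs->seq) {                       /* new high-water mark: slide window */
        uint32_t adv = seq - rs->seq;
        rs->bitmap = adv < 32 ? (rs->bitmap << adv) | 1u : 1u;
        rs->seq = seq;
        return true;
    }
    uint32_t back = rs->seq - seq;
    if (back >= 32 || (rs->bitmap & (1u << back)))
        return false;                          /* too old, or a replay */
    rs->bitmap |= 1u << back;
    return true;
}

/* Decide whether a notification is due; unsigned subtraction handles counter wrap. */
bool replay_notify_due(const struct notify_ctx *ctx, const struct replay_state *cur,
                       unsigned long now)
{
    bool changed = cur->seq != ctx->last.seq || cur->oseq != ctx->last.oseq;
    if (ctx->n && (cur->seq - ctx->last.seq >= ctx->n || cur->oseq - ctx->last.oseq >= ctx->n))
        return true;                           /* advanced by at least N */
    return ctx->t && changed && (long)(now - ctx->last_jiffies) >= (long)ctx->t;
}

/* Record that a notification carrying `cur` went out at `now`. */
void replay_notify_sent(struct notify_ctx *ctx, const struct replay_state *cur, unsigned long now)
{
    ctx->last = *cur;
    ctx->last_jiffies = now;
}
```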
