(luckily I occasionally read spam)

On Fri, 21 May 2021 at 08:54, Paul Wouters <[email protected]> wrote:
>
> commit b6e986fb7181fe6288dbba3fb98832b53aee1415
> Author: Andrew Cagney <[email protected]>
> Date:   Thu May 20 11:21:33 2021 -0400
>
>     ikev2: only count empty informational messages as liveness probes
>
>     was including informational messages with notify payloads
>
>
> This is not correct though. Any informational message can contain
> notify payloads. In theory they should all include NAT detection
> payloads in case a NAT appeared out of nowhere.
>

An INFORMATIONAL request with no payloads (other than the empty Encrypted payload required by the syntax) is commonly used as a check for liveness. These subsequent exchanges cannot be used until the initial exchanges have completed.

So I think this:

        /*
         * Only count empty requests as liveness probes.
         */
        if (md->chain[ISAKMP_NEXT_v2SK]->payload.v2gen.isag_np == ISAKMP_NEXT_NONE) {
                pstats_ike_dpd_replied++;
        }

is correct. However, to your point, we might as well count what type of payloads (D, N, CP) were in the informational message?

> But also, every exchange message that proved it is a new sequence number
> counts as "liveness probe". So if a REKEY happens, the "liveness" should
> also be updated.
>
> This is why I filed https://github.com/libreswan/libreswan/issues/446

I'll make the .st_last_liveness update unconditional, which is less wrong than the original code.
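Added example, not part of the original message and not libreswan code: one way to tally the D, N and CP payloads inside an INFORMATIONAL message while still recognising the empty liveness probe, as the thread above discusses. The function name, struct and sample bytes are hypothetical; payload type numbers are those of RFC 7296, and the buffer is assumed to be the decrypted SK contents with padding removed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IKEv2 payload type numbers, RFC 7296 section 3.2 */
enum { PL_NONE = 0, PL_N = 41, PL_D = 42, PL_CP = 47 };

struct info_counts {
	unsigned notify, del, config, other;
	int empty;	/* SK payload wraps nothing: the liveness-probe case */
	int malformed;	/* a length field did not fit the buffer */
};

/* Constructed sample: N payload (8 bytes) chained to a D payload (8 bytes). */
static const uint8_t sample_n_d[] = {
	PL_D,    0, 0, 8,  0, 0, 0x40, 0x00,	/* N header, next = D */
	PL_NONE, 0, 0, 8,  1, 0, 0, 0,		/* D header, next = none */
};

/*
 * first_np: Next Payload field of the SK payload header (the same field
 * the isag_np == ISAKMP_NEXT_NONE test above looks at).
 * buf/len: decrypted SK contents, padding already removed (assumed).
 */
struct info_counts classify_informational(uint8_t first_np,
					  const uint8_t *buf, size_t len)
{
	struct info_counts c;
	memset(&c, 0, sizeof(c));
	c.empty = (first_np == PL_NONE);
	uint8_t np = first_np;
	size_t off = 0;
	while (np != PL_NONE) {
		/* generic payload header: next, flags, 16-bit big-endian length */
		if (len - off < 4) { c.malformed = 1; return c; }
		size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
		if (plen < 4 || plen > len - off) { c.malformed = 1; return c; }
		switch (np) {
		case PL_N:  c.notify++; break;
		case PL_D:  c.del++;    break;
		case PL_CP: c.config++; break;
		default:    c.other++;  break;
		}
		np = buf[off];
		off += plen;
	}
	c.malformed = (off != len);	/* trailing bytes after the chain */
	return c;
}
```

A caller could bump a per-type statistic from each counter and treat `empty` as the liveness-probe case, ignoring the counts whenever `malformed` is set.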
