Small correction: strongSwan calls *expire*, not migrate.

On Fri, 2 Apr 2021 at 15:07, Venumadhav Josyula via lists.fd.io <vjosyula=
gmail....@lists.fd.io> wrote:

> Hi Benoit,
>
> strongSwan keeps track of whatever is required, but the kernel feeds the
> relevant information via events.
>
> For *child SA*, in the kernel world, it is the kernel which sends the
> XFRM_EXPIRE message via netlink. strongSwan listens for netlink events for
> the same. When it receives events from the kernel it processes the expire
> and calls the relevant 'charon->kernel->migrate'.
>
> Please note I am only talking about child SA rekey, where the kernel sends
> events; for IKE SA rekey, strongSwan works on a timer basis.
>
> Thanks,
> Regards,
> Venu
>
> On Fri, 2 Apr 2021 at 14:35, Benoit Ganne (bganne) <bga...@cisco.com>
> wrote:
>
>> Hi Venu,
>>
>> I am not familiar with the kernel-vpp plugin you mention, however if I
>> understand correctly your question is how strongSwan can know it must
>> trigger a rekey because of time expiration or max bytes transferred?
>> VPP IPsec does not manage SA lifetimes by itself, it is the
>> responsibility of strongSwan (or any other IKE stack). strongSwan can keep
>> track of time by itself, and regarding the max bytes limit, VPP exposes
>> per-SA bytes counters, so strongSwan should poll those counters
>> periodically and trigger a rekey if needed.
>> Also, VPP comes with its own IKEv2 implementation (which does support
>> lifetime management), you can find examples here:
>> https://gerrit.fd.io/r/c/vpp/+/31414
>>
>> Best
>> ben
>>
>> > -----Original Message-----
>> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Venumadhav
>> > Josyula
>> > Sent: Thursday, 1 April 2021 18:05
>> > To: vpp-dev <vpp-dev@lists.fd.io>
>> > Subject: [vpp-dev] child sa rekey
>> >
>> > Hi Vpp Ipsec Experts,
>> >
>> > I wanted to understand how child SA rekeys (lifetime) are handled in
>> > VPP.
>> > i)   We are using strongSwan + the kernel-vpp plugin for our IKEv2
>> > exchange.
>> > ii)  Now we are facing an issue with child SA rekey: the child SA rekey
>> > is not getting triggered. I understand that strongSwan needs to trigger
>> > this. When we triggered it manually it works, but the lifetime timeout
>> > does not work. Please also note there is no issue with IKE SA rekey
>> > timeout expiry.
>> > iii) For ii), in the kernel world, while adding SAs, parameters such as
>> > lifetime are passed. And it is the kernel that triggers child SA rekey
>> > on hard timer expiry.
>> > iv)  How do we pass these lifetime cfg parameters to VPP? Is it handled
>> > or not handled?
>> >
>> > Please note we are using the vpp 20.09 release version for the same.
>> >
>> > Thanks and regards
>> > Venu
>>
>
> 
>
>
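The thread describes lifetime enforcement moving from the kernel (which raises XFRM_EXPIRE) into the IKE daemon, which must track SA age itself and poll per-SA byte counters. The following is an added example, not code from strongSwan, VPP or the kernel-vpp plugin: every type and function name is hypothetical, the limits are constructed, and the caller is assumed to supply the polled byte counter. It raises a soft expire (rekey) once and a hard expire (delete) once.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; not strongSwan or VPP definitions. */
typedef enum { SA_OK = 0, SA_SOFT_EXPIRE, SA_HARD_EXPIRE } sa_event_t;

typedef struct {
    uint32_t spi;
    uint64_t installed_at;            /* seconds, monotonic clock */
    uint64_t soft_secs, hard_secs;    /* 0 = no time limit */
    uint64_t soft_bytes, hard_bytes;  /* 0 = no byte limit */
    int soft_signalled;               /* rekey already requested */
    int dead;                         /* hard expire already raised */
} sa_life_t;

/* Constructed sample SA: rekey at 3000 s or 900 kB, delete at 3600 s or 1 MB. */
static sa_life_t sample_sa = { 0xc0ffee01u, 1000, 3000, 3600, 900000, 1000000, 0, 0 };

static int over(uint64_t used, uint64_t limit)
{
    return limit != 0 && used >= limit;
}

/* One poll step: `bytes` is the per-SA counter the caller read from the data plane. */
sa_event_t sa_life_poll(sa_life_t *sa, uint64_t now, uint64_t bytes)
{
    uint64_t age = now >= sa->installed_at ? now - sa->installed_at : 0;

    if (sa->dead)
        return SA_OK;                 /* nothing left to signal */
    if (over(age, sa->hard_secs) || over(bytes, sa->hard_bytes)) {
        sa->dead = 1;                 /* hard limit wins over soft */
        return SA_HARD_EXPIRE;
    }
    if (!sa->soft_signalled &&
        (over(age, sa->soft_secs) || over(bytes, sa->soft_bytes))) {
        sa->soft_signalled = 1;       /* do not request a rekey on every poll */
        return SA_SOFT_EXPIRE;
    }
    return SA_OK;
}

int main(void)
{
    /* Constructed poll sequence: {now, bytes} pairs. */
    uint64_t polls[][2] = { {1010, 500}, {1020, 950000}, {4100, 960000}, {4600, 960000} };
    for (unsigned i = 0; i < sizeof polls / sizeof polls[0]; i++)
        printf("t=%llu event=%d\n", (unsigned long long)polls[i][0],
               (int)sa_life_poll(&sample_sa, polls[i][0], polls[i][1]));
    return 0;
}
```

In a real plugin the soft and hard results would be handed to the daemon's expire handling for that SPI, mirroring the soft/hard flag an XFRM_EXPIRE message carries.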