Valtteri Vuorikoski wrote:
> Andrew Cagney wrote:
> > I forgot to send this during BSDCan
> > https://www.bsdcan.org/events/bsdcan_2020/schedule/session/40-libreswan-teaching-old-code-new-tricks/
> Nice presentation (only looked at the slides so far). Is there something
> else missing from NetBSD wrt MOBIKE besides the
> SADB_X_EXT_NEW_ADDRESS_SRC/DST bits?
Good question.
I know that the critical thing is a mechanism that stops traffic flow
around the IPsec source/dst address change -
SADB_X_EXT_NEW_ADDRESS_SRC/DST sounds sufficient.
However, what also can help is a mechanism for triggering the mobike
exchange. In its absence, a liveness probe will fail, triggering a
mobike exchange. I asked antony on #libreswan irc (who did the
original linux work):
<antony> there are two events IP address change RTM_DELADDR RTM_NEWADDR
<antony> there is another one for ESP port change, think of NAT
gateway in the middle rebooting, in Linux it is called XFRMA_MIGRATE
(Libreswan AFAIK ignores them for now, strongswan can handle it)
<antony> I think there may be another one for routing change as well.
<antony> all of these could trigger a mobike or local SA update.
Anyway, what troubles me more is the state of BSD's libpfkey -
ipsec-tools is dead. NetBSD's version is in desperate need of some
TLC; FreeBSD has been giving their fork a little too much TLC; and for
all that effort strongswan seems to use their own code.
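The address-change events antony lists above, as an added example that is not libreswan, NetBSD or Linux kernel code: a parser for the RTM_NEWADDR / RTM_DELADDR notifications an IKEv2 daemon reads from a Linux NETLINK_ROUTE socket (the event names match the BSD routing socket, but the wire layout here is Linux's; on NetBSD the equivalent is struct ifa_msghdr read from a PF_ROUTE socket), fed from a message buffer constructed inline so it runs offline, followed by a simplified decision of whether an event should start a MOBIKE UPDATE_SA_ADDRESSES exchange instead of waiting for a liveness probe to fail. The decision policy, interface indexes and addresses are assumptions of the example.

```c
/*
 * Added example, not libreswan, NetBSD or Linux kernel code: parse the
 * RTM_NEWADDR / RTM_DELADDR notifications an IKEv2 daemon would read from a
 * NETLINK_ROUTE socket and decide whether to start a MOBIKE exchange. The
 * message buffer is constructed by hand so the parser runs offline.
 */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define MAX_EVENTS 8

struct addr_event {
    int added;                   /* 1 for RTM_NEWADDR, 0 for RTM_DELADDR */
    int ifindex;
    char addr[INET6_ADDRSTRLEN]; /* printable IFA_LOCAL (or IFA_ADDRESS) */
};

enum mobike_decision { DECIDE_NONE, DECIDE_CONSIDER, DECIDE_UPDATE_SA };

/* Walk a buffer of netlink messages and extract address events. Other
 * message types (e.g. RTM_NEWLINK) are skipped; a truncated message fails
 * NLMSG_OK and ends the walk. Returns the number of events stored. */
int parse_addr_events(const void *buf, int len, struct addr_event *out, int max)
{
    int n = 0;
    const struct nlmsghdr *nh;

    for (nh = buf; NLMSG_OK(nh, len) && n < max; nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_DONE)
            break;
        if (nh->nlmsg_type != RTM_NEWADDR && nh->nlmsg_type != RTM_DELADDR)
            continue;
        const struct ifaddrmsg *ifa = NLMSG_DATA(nh);
        const struct rtattr *rta = IFA_RTA(ifa);
        int rlen = IFA_PAYLOAD(nh);
        struct addr_event ev = { .added = nh->nlmsg_type == RTM_NEWADDR,
                                 .ifindex = (int)ifa->ifa_index, .addr = "" };
        for (; RTA_OK(rta, rlen); rta = RTA_NEXT(rta, rlen)) {
            if (rta->rta_type != IFA_LOCAL && rta->rta_type != IFA_ADDRESS)
                continue;
            inet_ntop(ifa->ifa_family, RTA_DATA(rta), ev.addr, sizeof ev.addr);
            if (rta->rta_type == IFA_LOCAL) /* IFA_LOCAL wins over IFA_ADDRESS */
                break;
        }
        out[n++] = ev;
    }
    return n;
}

/* Simplified policy (an assumption of this example, not libreswan's logic):
 * losing the address the IKE SA currently uses means the peer can no longer
 * reach us, so pick a new address and start a MOBIKE UPDATE_SA_ADDRESSES
 * exchange now rather than waiting for a liveness probe to time out; a newly
 * added address is only a candidate worth evaluating. */
enum mobike_decision decide_mobike(const struct addr_event *ev, const char *sa_local)
{
    if (ev->added)
        return DECIDE_CONSIDER;
    return strcmp(ev->addr, sa_local) == 0 ? DECIDE_UPDATE_SA : DECIDE_NONE;
}

/* Lay out one RTM_NEWADDR/RTM_DELADDR message for an IPv4 address the way
 * the kernel does; returns the aligned byte count written. */
static int build_addr_msg(void *dst, int type, unsigned ifindex, const char *ip4)
{
    struct nlmsghdr *nh = dst;
    struct ifaddrmsg *ifa = NLMSG_DATA(nh);
    struct rtattr *rta = IFA_RTA(ifa);
    struct in_addr a;

    inet_pton(AF_INET, ip4, &a);
    memset(dst, 0, NLMSG_SPACE(sizeof *ifa) + RTA_SPACE(sizeof a));
    nh->nlmsg_type = type;
    nh->nlmsg_len = NLMSG_LENGTH(sizeof *ifa) + RTA_SPACE(sizeof a);
    ifa->ifa_family = AF_INET;
    ifa->ifa_prefixlen = 24;
    ifa->ifa_index = ifindex;
    rta->rta_type = IFA_LOCAL;
    rta->rta_len = RTA_LENGTH(sizeof a);
    memcpy(RTA_DATA(rta), &a, sizeof a);
    return NLMSG_ALIGN(nh->nlmsg_len);
}

struct addr_event demo_evs[MAX_EVENTS];

/* Constructed sample: 10.0.0.5 appears on ifindex 2, an unrelated RTM_NEWLINK
 * that must be skipped, then 192.0.2.7 disappears from ifindex 3. */
int demo_events(void)
{
    union { struct nlmsghdr align; unsigned char bytes[256]; } u;
    unsigned char *p = u.bytes;
    struct nlmsghdr *lnk;

    p += build_addr_msg(p, RTM_NEWADDR, 2, "10.0.0.5");
    lnk = (struct nlmsghdr *)p;
    memset(lnk, 0, NLMSG_HDRLEN);
    lnk->nlmsg_type = RTM_NEWLINK;
    lnk->nlmsg_len = NLMSG_LENGTH(0);
    p += NLMSG_HDRLEN;
    p += build_addr_msg(p, RTM_DELADDR, 3, "192.0.2.7");
    return parse_addr_events(u.bytes, (int)(p - u.bytes), demo_evs, MAX_EVENTS);
}

int main(void)
{
    int n = demo_events();
    for (int i = 0; i < n; i++)
        printf("%s %s ifindex %d -> decision %d\n",
               demo_evs[i].added ? "RTM_NEWADDR" : "RTM_DELADDR",
               demo_evs[i].addr, demo_evs[i].ifindex,
               decide_mobike(&demo_evs[i], "192.0.2.7"));
    return 0;
}
```

In a daemon the buffer would come from recv() on a NETLINK_ROUTE socket bound with RTMGRP_IPV4_IFADDR / RTMGRP_IPV6_IFADDR in nl_groups; the port-change (XFRMA_MIGRATE) and route-change cases antony mentions need separate netlink families and are not covered here.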
--
Posted automagically by a mail2news gateway at muc.de e.V.