Project

General

Profile

Feature #2461

Extended replay window support on FreeBSD

Added by Emeric Poupon about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Tobias Brunner
Category:
libcharon
Target version:
5.6.1
Start date:
07.11.2017
Due date:
Estimated time:
Resolution:
Fixed

Description

Hello,

Since FreeBSD 11.1, it is possible to use a custom PFKEY extension to manage large replay windows (greater than 4k packets)
Please find attached a proposal patch to support this on strongSwan.

patch-extended-replay-window-pfkey (1.89 KB) patch-extended-replay-window-pfkey Emeric Poupon, 07.11.2017 13:37

Related issues

Copied to Bug #2501: Fix extended replay window support on FreeBSD 11.1Closed

Associated revisions

Revision 88a8fba1 (diff)
Added by Tobias Brunner about 3 years ago

kernel-pfkey: Support anti-replay windows > 2k

FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.

Fixes #2461.

History

#1 Updated by Tobias Brunner about 3 years ago

  • Status changed from New to Feedback
  • Target version set to 5.6.1

Since FreeBSD 11.1, it is possible to use a custom PFKEY extension to manage large replay windows (greater than 4k packets)

The maximum is currently actually 2040 (255 * 8).

Please find attached a proposal patch to support this on strongSwan.

I don't think it's necessary to add a configure check. And making this conditional is also not really necessary (the value in the extension will just overwrite whatever is set in sadb_sa_replay). I pushed this to the 2461-pfkey-replay branch.

#2 Updated by Emeric Poupon about 3 years ago

The maximum is currently actually 2040 (255 * 8)

Indeed :)

Please find attached a proposal patch to support this on strongSwan.

I don't think it's necessary to add a configure check. And making this conditional is also not really necessary (the value in the extension will just overwrite whatever is set in sadb_sa_replay). I pushed this to the 2461-pfkey-replay branch.

Indeed that works fine this way, thanks for integrating this!

#3 Updated by Tobias Brunner about 3 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

Please find attached a proposal patch to support this on strongSwan.

I don't think it's necessary to add a configure check. And making this conditional is also not really necessary (the value in the extension will just overwrite whatever is set in sadb_sa_replay). I pushed this to the 2461-pfkey-replay branch.

Indeed that works fine this way, thanks for integrating this!

No problem. Thanks for bringing it to our attention.

#4 Updated by Tobias Brunner about 3 years ago

  • Copied to Bug #2501: Fix extended replay window support on FreeBSD 11.1 added

Also available in: Atom PDF