From: Herbert Xu <herbert@gondor.apana.org.au>
To: Yury Polyanskiy <ypolyans@princeton.edu>
Cc: netdev@vger.kernel.org, davem@davemloft.net,
peterz@infradead.org, yoshfuji@linux-ipv6.org,
tglx@linutronix.de, mingo@elte.hu
Subject: Re: [PATCH] xfrm: SAD entries do not expire correctly after suspend-resume
Date: Mon, 9 Nov 2009 10:39:10 -0500 [thread overview]
Message-ID: <20091109153910.GA8039@gondor.apana.org.au> (raw)
In-Reply-To: <20091108211249.2ecdfd38@penta.localdomain>
Yury Polyanskiy <ypolyans@princeton.edu> wrote:
>
> This fixes the following bug in the current implementation of
> net/xfrm: SAD entries timeouts do not count the time spent by the machine
> in the suspended state. This leads to the connectivity problems because
> after resuming local machine thinks that the SAD entry is still valid, while
> it has already been expired on the remote server.
>
> The cause of this is very simple: the timeouts in the net/xfrm are bound to
> the old mod_timer() timers. This patch reassigns them to the
> CLOCK_REALTIME hrtimer.
>
> I have been using this version of the patch for a few months on my
> machines without any problems. Also run a few stress tests w/o any
> issues.
>
> This version of the patch uses tasklet_hrtimer by Peter Zijlstra
> (commit 9ba5f0).
>
> This patch is against 2.6.31.4. Please CC me.
>
> Signed-off-by: Yury Polyanskiy <polyanskiy@gmail.com>
Thanks for the patch.
However, I have some reservations as to whether this is the ideal
situation. Unless I'm mistaken, this patch may cause IPsec SAs
to expire if the system clock was out of sync prior to IPsec startup
and is subsequently resynced by ntpdate or similar.
For example, it's quite common for clocks to be out-of-sync by
10 hours in Australia due to time zone issues with BIOS clocks.
So potentially ntpdate could move the clock forward by 10 hours
or more on bootup thus causing IPsec SAs to expire prematurely
with this patch.
This shouldn't really be a problem in itself except that there
are some dodgy IPsec gateways out there that refuse to reestablish
IPsec SAs if the interval between two successive connections is
too small. This could render the SA inoperable for hours.
So the upshot of all this is that we definitely want the effect
of this patch for suspend/resume, but it would be great if we can
avoid it for settimeofday(2).
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
next prev parent reply other threads:[~2009-11-09 15:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-09 2:12 [PATCH] xfrm: SAD entries do not expire correctly after suspend-resume Yury Polyanskiy
2009-11-09 4:58 ` David Miller
2009-11-09 15:39 ` Herbert Xu [this message]
2009-11-09 18:31 ` Yury Polyanskiy
2009-11-09 19:23 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091109153910.GA8039@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=davem@davemloft.net \
--cc=mingo@elte.hu \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=yoshfuji@linux-ipv6.org \
--cc=ypolyans@princeton.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.