Bug 1383845 - dpdaction=restart causing a delay during which packets leak plaintext
Summary: dpdaction=restart causing a delay during which packets leak plaintext
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1383846
Reported: 2016-10-12 00:11 UTC by Paul Wouters
Modified: 2018-12-20 17:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1383846
Environment:
Last Closed: 2018-12-20 17:30:26 UTC
Target Upstream Version:



Description Paul Wouters 2016-10-12 00:11:03 UTC
This action causes a delete + add + initiate; the leak happens between delete and initiate. Apparently this can be 30s.

A workaround is to use dpdaction=hold instead of dpdaction=restart.

The hold action prevents the delete + add and puts the existing connection/state into initiating mode.

Comment 5 Ondrej Moriš 2018-08-13 14:35:52 UTC
Paul, isn't this included in 3.25 rebase?

Comment 6 Paul Wouters 2018-08-13 18:13:27 UTC
No, this issue has not been addressed yet. We still recommend not using dpdaction=restart.

The idea is that a connection with auto=start or that was ipsec auto --up'ed is in a state where it will re-initiate if something happens, such as DPD causing the connection to go into "hold". That is, another mechanism triggers a new initialization of the connection, not dpd code directly.
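
Because dpdaction can be inherited from conn %default or pulled in through also=, an audit of ipsec.conf has to resolve the effective value per conn rather than grep for the literal. The following is an added example, not libreswan's code and not part of this bug report: a small Python check that parses ipsec.conf conn sections and lists the conns whose effective dpdaction is restart, assuming a conn's own key wins over also= targets, which win over %default; SAMPLE_CONF is a constructed configuration.

```python
# Constructed sample ipsec.conf (not from the bug report): the leaky action is
# inherited via conn %default and via also=; site-b overrides it with hold.
SAMPLE_CONF = """\
conn %default
    dpdaction=restart
conn dpd-common
    dpdaction=restart
conn site-a
    auto=start
conn site-b
    also=dpd-common
    dpdaction=hold
conn site-c
    also=dpd-common
"""

def parse_conns(text):
    """Map each 'conn' section name to its key=value pairs; 'also' keeps a list."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented line: section header
            kind, _, name = line.strip().partition(" ")
            cur = conns.setdefault(name.strip(), {"also": []}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, _, val = (s.strip() for s in line.partition("="))
            if key == "also":
                cur["also"].append(val)
            else:
                cur.setdefault(key, val)            # first definition wins
    return conns

def effective(conns, name, key):
    """Own value, then also= targets in order, then conn %default (assumed precedence)."""
    sec = conns.get(name, {"also": []})
    if key in sec:
        return sec[key]
    for inc in sec["also"]:
        val = effective(conns, inc, key)            # no cycle guard for also= loops
        if val is not None:
            return val
    return conns.get("%default", {}).get(key) if name != "%default" else None

def restart_conns(text):
    """Conns whose effective dpdaction is 'restart', the action this bug warns against."""
    conns = parse_conns(text)
    return sorted(n for n in conns
                  if n != "%default" and effective(conns, n, "dpdaction") == "restart")
```

Run it against a real ipsec.conf (and its include files) to find every conn that still needs the dpdaction=hold workaround.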

Comment 7 Paul Wouters 2018-12-20 17:30:26 UTC
This bug was not fixed in time for RHEL7 and has been moved to RHEL8.

