Bug 1734060 - libreswan false positive on duplicate acquires leads to ignored IKE requests and packet loss [NEEDINFO]
Summary: libreswan false positive on duplicate acquires leads to ignored IKE requests ...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.7
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1734058
Blocks:
 
Reported: 2019-07-29 14:34 UTC by Paul Wouters
Modified: 2019-11-07 13:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1734058
Environment:
Last Closed:
Target Upstream Version:
tjaros: needinfo? (pwouters)



Description Paul Wouters 2019-07-29 14:34:55 UTC
+++ This bug was initially created as a clone of Bug #1734058 +++

There are some (as of yet unknown) scenarios where pluto receives a kernel ACQUIRE for which it already detects it has a valid STATE object. Thus, it interprets these as a "duplicate acquire" and no action is taken. However, the state found does not belong to a valid IPsec SA, and so the tunnel is down and cannot be started because it is deemed up based on the "duplicate" check.

When this happens, packets are dropped for a lack of IPsec SA - or leaked in the clear, depending on whether this was a "private" or "private-or-clear" group state.
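The following is an added illustration (not libreswan code, and not part of the bug report) that models the decision the report describes: a duplicate-ACQUIRE check that keys only on the existence of a STATE object, beside one that requires an installed IPsec SA, with the traffic outcome for the "private" and "private-or-clear" cases. The state table, the connection-name keying and the outcome labels are constructed for the model.

```python
"""Model of pluto's duplicate-ACQUIRE decision (constructed illustration, not libreswan code)."""
from dataclasses import dataclass

# Group policies named in the bug report: what happens to traffic while no IPsec SA is up.
PRIVATE = "private"                     # no SA -> traffic is dropped
PRIVATE_OR_CLEAR = "private-or-clear"   # no SA -> traffic leaks in the clear


@dataclass
class State:
    """A modelled STATE object; ipsec_sa_installed is True only for an established IPsec SA."""
    conn: str
    ipsec_sa_installed: bool


@dataclass
class Acquire:
    """A modelled kernel ACQUIRE: traffic hit a policy with no SA (keyed by connection name here)."""
    conn: str
    policy: str


def is_duplicate_buggy(states, acq):
    # False positive from the report: any STATE for the connection counts as "already up",
    # even one that does not belong to an established IPsec SA.
    return any(s.conn == acq.conn for s in states)


def is_duplicate_fixed(states, acq):
    # Corrected check: only a STATE with an installed IPsec SA makes the ACQUIRE a duplicate.
    return any(s.conn == acq.conn and s.ipsec_sa_installed for s in states)


def handle_acquire(states, acq, dup_check):
    """Return (action, traffic_outcome) for one ACQUIRE under the given duplicate check."""
    if dup_check(states, acq):
        # Treated as duplicate: no IKE exchange is started. The outcome depends on whether
        # an SA is really installed, which the buggy check never verified.
        sa_up = any(s.conn == acq.conn and s.ipsec_sa_installed for s in states)
        if sa_up:
            return ("ignore", "encrypted")
        return ("ignore", "dropped" if acq.policy == PRIVATE else "cleartext")
    return ("initiate", "encrypted-after-ike")
```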

