Fast Datapath Product: FDP-2934

check for activated libreswan connections is not robust enough

    • Epic
    • Resolution: Unresolved
    • ovs-dpdk

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given an established IPsec tunnel between two OVS hosts with both IKE SA and Child SA active,

      When the Child SA is manually deleted while the IKE SA remains intact,

      Then ovs-monitor-ipsec automatically detects the missing Child SA and re-establishes the IPsec connection without manual intervention.


      ( ) The epics work is available in a downstream build (nightly/Async or other)


      ( ) All cards under the epic have been moved to Done

    • rhel-10
    • rhel-net-ovs-dpdk
    • 67% To Do, 0% In Progress, 33% Done
    • ssg_networking

      This epic tracks all the effort needed to deliver the solution related to the bug described below.

      Problem Description:

      The issue is described in https://github.com/openvswitch/ovs-issues/issues/374

      Impact Assessment: 

      Under specific conditions, one side of the connection may end up with an IKE SA but no corresponding Child SA. Such a situation could be repaired by reconciliation, but reconciliation never triggers: the current check for activated connections accepts any SA rather than specifically a Child SA, so it is already satisfied by the IKE SA alone.

      Fortunately, this problem is easy to mitigate, because the IKE SA and the Child SA are easy to tell apart in the output that the check parses.
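      As an added illustration (not code from the ticket or from ovs-monitor-ipsec itself), the following Python contrasts the weak "any SA" check with one that requires an established Child SA per connection. The sample `ipsec status` lines are constructed, and their exact format is an assumption about libreswan's output.

```python
"""Weak vs robust 'is this libreswan connection active' check.

The ticket's point: if the check counts any SA line, a connection that
has only an IKE SA (its Child SA was deleted) looks healthy and is never
reconciled. Requiring an established Child SA fixes that.
"""
import re

# Constructed sample modelled on libreswan `ipsec status` output (assumed
# format; connection names, SA numbers and timers are made up).
# "conn_a" is healthy; "conn_b" has lost its Child SA but keeps its IKE SA.
STATUS_OUTPUT = """\
000 #1: "conn_a":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28000s; idle;
000 #2: "conn_a":500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27000s; IKE SA #1; idle;
000 #3: "conn_b":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28000s; idle;
"""

# One SA line: prefix, SA number, quoted connection name, then the
# parenthesised human-readable state description.
SA_LINE = re.compile(r'^\d{3} #\d+: "(?P<conn>[^"]+)".*?\((?P<desc>[^)]*)\)')


def naive_active_conns(status):
    """The check the ticket calls 'not robust': any SA line counts."""
    active = set()
    for line in status.splitlines():
        m = SA_LINE.match(line)
        if m:
            active.add(m.group("conn"))
    return active


def robust_active_conns(status):
    """Only an established Child SA proves the tunnel can carry traffic."""
    active = set()
    for line in status.splitlines():
        m = SA_LINE.match(line)
        if m and "established child sa" in m.group("desc").lower():
            active.add(m.group("conn"))
    return active


def needs_reconciliation(configured, status, check=robust_active_conns):
    """Configured connections that the given check does not see as active."""
    return sorted(set(configured) - check(status))


if __name__ == "__main__":
    conns = ["conn_a", "conn_b"]
    print("naive :", needs_reconciliation(conns, STATUS_OUTPUT, naive_active_conns))
    print("robust:", needs_reconciliation(conns, STATUS_OUTPUT))
```

      With the naive check nothing is reconciled; the robust check reports conn_b, which is exactly the case the ticket wants ovs-monitor-ipsec to recover from.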

      Software Versions: 

      All current versions of openvswitch

      Issue Type:

      New issue.

      Reproducibility: 

      It can be reproduced reliably.

      Reproduction Steps:

      Delete the Child SA while keeping the IKE SA.

      Expected Behavior:

      Once the Child SA is missing, reconciliation should happen regardless of whether the IKE SA is still active.

      Observed Behavior:

      Having any SA (either an IKE SA or a Child SA) is considered as having an active IPsec connection.

      Troubleshooting Actions: 

      N/A

      Additional Information:

      This is relevant for RHEL-9 as well.


              ovsdpdk-bot ovsdpdk bot
              omoris Ondrej Moris