charon.crypto_test.rng_true = no
Whether to test RNG with TRUE quality; requires a lot of entropy.
+charon.delete_rekeyed = no
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
+ However, this might cause problems with implementations that continue to
+ use rekeyed SAs until they expire.
+
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
*/
u_int32_t rekey;
+ /**
+ * Delete old child after successful rekey
+ */
+ bool delete;
+
/**
* Negotiated mode, tunnel or transport
*/
if (old)
{
charon->bus->child_rekey(charon->bus, old, this->child_sa);
- /* rekeyed CHILD_SAs stay installed until they expire */
+ /* rekeyed CHILD_SAs stay installed until they expire or are deleted
+ * by the other peer */
old->set_state(old, CHILD_REKEYED);
+ /* as initiator we delete the CHILD_SA if configured to do so */
+ if (this->initiator && this->delete)
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)quick_delete_create(this->ike_sa,
+ this->proposal->get_protocol(this->proposal),
+ this->rekey, TRUE, FALSE));
+ }
}
else
{
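Review bot: The rewritten comment at the top of this branch says a rekeyed CHILD_SA stays installed until it expires or the other peer deletes it, but the lines added directly below make the local side delete it as initiator whenever `delete` is set, so the comment no longer describes the code; I would extend it to `/* rekeyed CHILD_SAs stay installed until they expire or are deleted by the other peer (or by us below, as initiator, if delete_rekeyed is set) */`. Two caveats a practitioner will want are also missing from both the code and the strongswan.conf text in this patch: the deletion only happens on the initiator side (the conf description says simply "Delete CHILD_SAs right after they got successfully rekeyed"), and queuing the delete immediately after `child_rekey` will drop any packets the peer is still sending on the old SA, which is presumably why the option defaults to `no`. The old SA is set to CHILD_REKEYED before the delete task is queued; whether quick_delete handles an SA already in that state, and what the `TRUE, FALSE` arguments to `quick_delete_create` mean, is not visible here and should be confirmed against the task's definition. The enclosing function starts and ends outside this hunk.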
.tsi = tsi ? tsi->clone(tsi) : NULL,
.tsr = tsr ? tsr->clone(tsr) : NULL,
.proto = PROTO_ESP,
+ .delete = lib->settings->get_bool(lib->settings,
+ "%s.delete_rekeyed", FALSE, lib->ns),
);
if (config)