Limit multiple/duplicate child SA negotiation per IKE SA on server (responder) #1725
-
In what situations do they do so? You might want to investigate and prevent these duplicates in the first place. While there are some (mis-)configurations that are known to potentially trigger duplicates, they should still be considered out of the ordinary.
No.
But it's quite restrictive. In general, there are reasons for having multiple CHILD_SAs per IKE_SA (not duplicates).
There is some (very old) code in the child-duplicates-replace branch that also deletes duplicates as responder. I'm not sure what the current state of this is exactly, but I guess we could implement something similar that reuses some of the current de-duplication code.
-
This is reproducible by initiating via the same child SA configuration multiple times (i.e. sudo swanctl --initiate --child ikev2-vpn-child-0) with dpd_action and/or close_action set to start with code prior to 5.9.6 because of the lack of the duplicate check which was added in 5.9.6.
Understood that IKEv2 allows multiple child SAs with or without the same selectors but this would be a knob that is disabled by default and implementations that only support a single child SA or would like to limit the number of child SAs allowed, in general, for a single IKE SA can configure.
I reviewed the code you pointed out and it seems like a viable solution to handle duplicates based on child SA configurations; it looks like it would definitely allow us to avoid accepting duplicates on the responder also. I'll attempt to resurrect the code, apply it to the latest code and see if this would be viable to accept into the code with your review.
-
In 5.9.6, checks were added as noted in the release notes for IKEv2 as 'Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented.' This has proven to prevent strongSwan 5.9.6+ code from initiating duplicates based on our testing.
However, for a server running strongSwan, it leaves the server vulnerable to clients running older code that will continue to initiate duplicate child SAs. It would be desirable to block duplicates and ideally control the number of child SAs allowed per IKE SA in general. Also, ideally, we would like to be able to only support a single child SA per IKE SA based on our use case and custom kernel support.
Questions:
There doesn't seem to be a way to configure Strongswan to limit the number of child SAs per IKE SA? Is there a way to control this?
We have looked into checking and blocking from the kernel-ipsec plugin add_sa() call, but there isn't enough context provided to reliably reject adding only multiple/duplicate child SAs, since it could be the first child SA or a child SA rekey.
We have implemented a change in the child create process/build code to check and reject additional child SAs based on configuration. We would like to push this change if possible, unless there are alternatives you could suggest. Thoughts on pushing such a change?
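Until a responder-side limit exists in the daemon, an operator can at least detect the condition the question describes: an IKE_SA on the server that carries more installed CHILD_SAs than policy allows, or several CHILD_SAs from the same child config with identical traffic selectors. The script below is an added example, not strongSwan project code or the poster's patch. Its input format is modelled on the (abbreviated) text output of `swanctl --list-sas`; the listing is constructed for this example, the `max_children` policy is an assumption, and it counts only CHILD_SAs in the INSTALLED state so that the old SA of an in-progress rekey (which strongSwan shows as REKEYED) is not mistaken for a duplicate, which is the rekey ambiguity mentioned above.

```python
"""Spot duplicate or excess CHILD_SAs per IKE_SA in a swanctl-style SA listing.

Added example, not strongSwan project code. The input format is modelled on
the text output of `swanctl --list-sas` (abbreviated); the listing below is
constructed for this example. Counting only INSTALLED CHILD_SAs relies on the
state names strongSwan prints; the max_children policy is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample. IKE_SA #1 carries two INSTALLED CHILD_SAs from the same
# child config and selectors (the duplicate the discussion is about), #2 is a
# normal single-child peer, and #3 is mid-rekey (old SA REKEYED, new INSTALLED).
SAMPLE_LISTING = """\
ikev2-vpn: #1, ESTABLISHED, IKEv2, 11111111aaaaaaaa_i 22222222bbbbbbbb_r*
  local  'server' @ 192.0.2.1[4500]
  remote 'client-a' @ 198.51.100.10[4500]
  ikev2-vpn-child-0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/16
    remote 10.2.0.0/16
  ikev2-vpn-child-0: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/16
    remote 10.2.0.0/16
ikev2-vpn: #2, ESTABLISHED, IKEv2, 33333333cccccccc_i 44444444dddddddd_r*
  local  'server' @ 192.0.2.1[4500]
  remote 'client-b' @ 198.51.100.11[4500]
  ikev2-vpn-child-0: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/16
    remote 10.3.0.0/16
ikev2-vpn: #3, ESTABLISHED, IKEv2, 55555555eeeeeeee_i 66666666ffffffff_r*
  local  'server' @ 192.0.2.1[4500]
  remote 'client-c' @ 198.51.100.12[4500]
  ikev2-vpn-child-0: #4, reqid 3, REKEYED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/16
    remote 10.4.0.0/16
  ikev2-vpn-child-0: #5, reqid 3, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/16
    remote 10.4.0.0/16
"""

# IKE_SA headers start at column 0, CHILD_SA headers are indented two spaces,
# and a CHILD_SA's traffic selectors are indented four spaces.
IKE_RE = re.compile(r"^(?P<conf>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv\d")
REMOTE_RE = re.compile(r"^  remote '(?P<ident>[^']*)' @ (?P<addr>\S+)")
CHILD_RE = re.compile(r"^  (?P<conf>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+)")
TS_RE = re.compile(r"^    (?P<dir>local|remote)\s+(?P<ts>\S+)")


def parse_sas(listing: str) -> list[dict]:
    """Parse the listing into IKE_SAs, each with its CHILD_SAs and selectors."""
    ike_sas: list[dict] = []
    child = None
    for line in listing.splitlines():
        if m := IKE_RE.match(line):
            ike_sas.append({"ike_id": int(m["id"]), "conf": m["conf"],
                            "state": m["state"], "remote": None, "children": []})
            child = None
        elif not ike_sas:
            continue  # ignore anything before the first IKE_SA header
        elif m := REMOTE_RE.match(line):
            ike_sas[-1]["remote"] = m["addr"]
        elif m := CHILD_RE.match(line):
            child = {"child_id": int(m["id"]), "conf": m["conf"], "reqid": int(m["reqid"]),
                     "state": m["state"], "local": [], "remote": []}
            ike_sas[-1]["children"].append(child)
        elif (m := TS_RE.match(line)) and child is not None:
            child[m["dir"]].append(m["ts"])
    return ike_sas


def audit(listing: str, max_children: int = 1) -> list[dict]:
    """Report IKE_SAs that carry duplicate or more than max_children installed CHILD_SAs.

    Only INSTALLED CHILD_SAs count, so the outgoing SA of a rekey (REKEYED)
    does not trigger a finding on its own.
    """
    findings = []
    for ike in parse_sas(listing):
        installed = [c for c in ike["children"] if c["state"] == "INSTALLED"]
        groups: dict[tuple, list[int]] = defaultdict(list)
        for c in installed:
            # Same child config and same selector set means a functional duplicate.
            key = (c["conf"], tuple(sorted(c["local"])), tuple(sorted(c["remote"])))
            groups[key].append(c["child_id"])
        dupes = {k[0]: ids for k, ids in groups.items() if len(ids) > 1}
        if dupes or len(installed) > max_children:
            findings.append({"ike_id": ike["ike_id"], "remote": ike["remote"],
                             "installed": len(installed), "duplicates": dupes})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"IKE_SA #{f['ike_id']} from {f['remote']}: "
              f"{f['installed']} installed CHILD_SAs, duplicates {f['duplicates']}")
```

Run against the constructed listing it reports only IKE_SA #1 (two installed CHILD_SAs with the same config and selectors); the rekeying peer #3 is left alone. On a live server the same logic can be fed the real `swanctl --list-sas` output, or the equivalent data over the vici interface, and a finding can be turned into an alert or a targeted `swanctl --terminate` of the surplus CHILD_SA until the responder-side check discussed above is available.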