.. SPDX-License-Identifier: GPL-2.0

=========
XFRM sync
=========

The sync patches work is based on initial patches from
Krisztian <hidden@balabit.hu> and others and additional patches
from Jamal <hadi@cyberus.ca>.

The end goal for syncing is to be able to insert attributes and generate
events so that the SA can be safely moved from one machine to another
for HA purposes. The idea is to synchronize the SA so that the takeover
machine can process the SA as accurately as possible once it has access
to it.

We already have the ability to generate SA add/del/upd events. These
patches add the ability to sync and keep accurate the lifetime byte
counter (to ensure proper decay of SAs) and the replay counters (to
avoid replay attacks), with minimal loss at failover time. This way a
backup stays as closely up-to-date as an active member.

Because the above items change for every packet the SA receives, a lot
of events can be generated. For this reason, we also add a nagle-like
algorithm to restrict the events, i.e. we set thresholds to say "let me
know if the replay sequence threshold is reached or 10 secs have
passed". These thresholds are set system-wide via sysctls or can be
updated per SA.

The identified items that need to be synchronized are:

- the lifetime byte counter

  Note that the lifetime time limit is not important if you assume the
  failover machine is known ahead of time, since the decay of the time
  countdown is not driven by packet arrival.

- the replay sequence for both inbound and outbound

1) Message Structure
--------------------

nlmsghdr:aevent_id:optional-TLVs.

The netlink message types are:

XFRM_MSG_NEWAE and XFRM_MSG_GETAE.

An XFRM_MSG_GETAE does not have TLVs.

An XFRM_MSG_NEWAE will have at least two TLVs (as is discussed further
below).

The aevent_id structure looks like::

   struct xfrm_aevent_id {
           struct xfrm_usersa_id   sa_id;
           xfrm_address_t          saddr;
           __u32                   flags;
           __u32                   reqid;
   };

The unique SA is identified by the combination of xfrm_usersa_id,
reqid and saddr.

flags are used to indicate different things. The possible flags are::

        XFRM_AE_RTHR=1, /* replay threshold */
        XFRM_AE_RVAL=2, /* replay value */
        XFRM_AE_LVAL=4, /* lifetime value */
        XFRM_AE_ETHR=8, /* expiry timer threshold */
        XFRM_AE_CR=16,  /* Event cause is replay update */
        XFRM_AE_CE=32,  /* Event cause is timer expiry */
        XFRM_AE_CU=64,  /* Event cause is policy update */

How these flags are used depends on the direction of the message
(kernel<->user) as well as the cause (config, query or event). This is
described below under the different messages.

The pid will be set appropriately in netlink to recognize the direction
(0 when going to the kernel; pid = the process id that created the event
when going from kernel to user space).

A program needs to subscribe to the multicast group XFRMNLGRP_AEVENTS to
get notified of these events.

2) TLVs reflect the different parameters
----------------------------------------

a) byte value (XFRMA_LTIME_VAL)

   This TLV carries the running/current counter for the byte lifetime
   since the last event.

b) replay value (XFRMA_REPLAY_VAL)

   This TLV carries the running/current counter for the replay sequence
   since the last event.

c) replay threshold (XFRMA_REPLAY_THRESH)

   This TLV carries the threshold being used by the kernel to trigger
   events when the replay sequence is exceeded.

d) expiry timer (XFRMA_ETIMER_THRESH)

   This is a timer value in milliseconds which is used as the nagle value
   to rate limit the events.

3) Default configurations for the parameters
--------------------------------------------

By default these events should be turned off unless there is at least
one listener registered to listen to the multicast group
XFRMNLGRP_AEVENTS.

Programs installing SAs will need to specify the two thresholds.
However, in order not to change existing applications such as racoon,
we also provide default threshold values for these parameters in case
they are not specified.

The two sysctls/proc entries are:

a) /proc/sys/net/core/sysctl_xfrm_aevent_etime

   Used to provide the default value for XFRMA_ETIMER_THRESH, in
   incremental units of time of 100ms. The default is 10 (1 second).

b) /proc/sys/net/core/sysctl_xfrm_aevent_rseqth

   Used to provide the default value for the XFRMA_REPLAY_THRESH
   parameter, in incremental packet count. The default is two packets.

4) Message types
----------------

a) XFRM_MSG_GETAE issued by user-->kernel.
   XFRM_MSG_GETAE does not carry any TLVs.

   The response is an XFRM_MSG_NEWAE which is formatted based on what
   XFRM_MSG_GETAE queried for.

   The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL
   TLVs.

   * if the XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also
     retrieved
   * if the XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also
     retrieved

b) XFRM_MSG_NEWAE is issued either by user space to configure, or by the
   kernel to announce events or to respond to an XFRM_MSG_GETAE.

   i) user --> kernel to configure a specific SA.
      Any of the values or threshold parameters can be updated by passing
      the appropriate TLV.

      A response is issued back to the sender in user space to indicate
      success or failure. In the case of success, an event with
      XFRM_MSG_NEWAE is additionally issued to any listeners, as
      described in iii).

   ii) kernel->user direction as a response to XFRM_MSG_GETAE.
       The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL
       TLVs. The threshold TLVs will be included if explicitly requested
       in the XFRM_MSG_GETAE message.

   iii) kernel->user to report an event if someone sets any values or
        thresholds for an SA using XFRM_MSG_NEWAE (as described in i)
        above). In such a case the XFRM_AE_CU flag is set to inform the
        user that the change happened as a result of an update. The
        message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL
        TLVs.

   iv) kernel->user to report an event when the replay threshold or a
       timeout is exceeded.

In such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout
happened) is set to inform the user what happened. Note the two flags are
mutually exclusive. The message will always have XFRMA_LTIME_VAL and
XFRMA_REPLAY_VAL TLVs.

5) Exceptions to threshold settings
-----------------------------------

If you have an SA that is getting hit by traffic in bursts such that
there is a period where the timer threshold expires with no packets
seen, then an odd behavior is seen as follows: the first packet arrival
after a timer expiry will trigger a timeout event, i.e. we don't wait
for a timeout period or a packet threshold to be reached. This is done
for simplicity and efficiency reasons.
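As an added example (not part of this kernel document or of the kernel's own code), a small Python encoder/decoder for the messages described in sections 1, 2 and 4: it builds an XFRM_MSG_GETAE query, parses an XFRM_MSG_NEWAE while checking the two mandatory TLVs and the XFRM_AE_CR/XFRM_AE_CE exclusivity, and derives the outbound sequence a backup should resume from at failover. The XFRM_AE_* flag values are the ones listed above; the message and attribute numbers, the struct layouts and the sample event are assumptions mirroring include/uapi/linux/xfrm.h and are constructed here.

```python
import struct
from dataclasses import dataclass
# XFRM_AE_* values as listed on this page; message/attribute numbers and the struct
# layouts below mirror include/uapi/linux/xfrm.h and linux/netlink.h (assumed: check your headers).
XFRM_AE_RTHR, XFRM_AE_RVAL, XFRM_AE_LVAL, XFRM_AE_ETHR = 1, 2, 4, 8
XFRM_AE_CR, XFRM_AE_CE, XFRM_AE_CU = 16, 32, 64
XFRM_MSG_NEWAE, XFRM_MSG_GETAE, NLM_F_REQUEST = 0x1E, 0x1F, 1
XFRMA_LTIME_VAL, XFRMA_REPLAY_VAL, XFRMA_REPLAY_THRESH, XFRMA_ETIMER_THRESH = 9, 10, 11, 12
NLMSGHDR = struct.Struct("=IHHII")    # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
AEVENT_ID = struct.Struct("=16sIHBx16sII")  # usersa_id{daddr,spi,family,proto,pad}, saddr, flags, reqid
NLATTR = struct.Struct("=HH")         # nla_len (header included), nla_type
LTIME_CUR = struct.Struct("=QQQQ")    # xfrm_lifetime_cur: bytes, packets, add_time, use_time
REPLAY_STATE = struct.Struct("=III")  # xfrm_replay_state: oseq, seq, bitmap
U32 = struct.Struct("=I")

def nla_align(n):
    return (n + 3) & ~3

def nla(atype, payload):
    """Encode one TLV, padding the payload to a 4-byte boundary."""
    return NLATTR.pack(NLATTR.size + len(payload), atype) + payload.ljust(nla_align(len(payload)), b"\0")

def nlmsg(mtype, body, seq, pid, nlflags=0):
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), mtype, nlflags, seq, pid) + body

def build_getae(daddr, spi, family, proto, saddr, reqid, flags=XFRM_AE_RTHR | XFRM_AE_ETHR, seq=1):
    """XFRM_MSG_GETAE carries only the aevent_id (no TLVs); pid 0 because it goes to the kernel.
    XFRM_AE_RTHR / XFRM_AE_ETHR in flags request the two threshold TLVs in the reply."""
    body = AEVENT_ID.pack(daddr, spi, family, proto, saddr, flags, reqid)
    return nlmsg(XFRM_MSG_GETAE, body, seq, 0, NLM_F_REQUEST)

@dataclass
class AEvent:
    spi: int
    reqid: int
    flags: int
    lifetime: tuple             # bytes, packets, add_time, use_time
    replay: tuple               # oseq, seq, bitmap
    replay_thresh: int = None
    etimer_thresh: int = None
    def cause(self):
        bits = (("replay", XFRM_AE_CR), ("timer", XFRM_AE_CE), ("update", XFRM_AE_CU))
        return "+".join(n for n, f in bits if self.flags & f) or "query"  # no cause bit: GETAE reply

def parse_newae(buf):
    """Decode an XFRM_MSG_NEWAE and enforce the invariants stated on this page."""
    nlen, mtype = NLMSGHDR.unpack_from(buf)[:2]
    if mtype != XFRM_MSG_NEWAE or nlen > len(buf) or nlen < NLMSGHDR.size + AEVENT_ID.size:
        raise ValueError("not a well-formed XFRM_MSG_NEWAE")
    _, spi, _, _, _, flags, reqid = AEVENT_ID.unpack_from(buf, NLMSGHDR.size)
    if flags & XFRM_AE_CR and flags & XFRM_AE_CE:
        raise ValueError("XFRM_AE_CR and XFRM_AE_CE are mutually exclusive")
    attrs, off = {}, NLMSGHDR.size + nla_align(AEVENT_ID.size)
    while off + NLATTR.size <= nlen:    # walk the TLVs; unknown types are collected and ignored
        alen, atype = NLATTR.unpack_from(buf, off)
        if alen < NLATTR.size or off + alen > nlen:
            raise ValueError("truncated TLV")
        attrs[atype] = buf[off + NLATTR.size:off + alen]
        off += nla_align(alen)
    if XFRMA_LTIME_VAL not in attrs or XFRMA_REPLAY_VAL not in attrs:
        raise ValueError("XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL are mandatory")
    u32 = lambda t: U32.unpack_from(attrs[t])[0] if t in attrs else None
    return AEvent(spi, reqid, flags, LTIME_CUR.unpack_from(attrs[XFRMA_LTIME_VAL]),
                  REPLAY_STATE.unpack_from(attrs[XFRMA_REPLAY_VAL]),
                  u32(XFRMA_REPLAY_THRESH), u32(XFRMA_ETIMER_THRESH))

def takeover_oseq(ev, default_rseqth=2):
    """Outbound sequence a backup should resume from. An event fires once the counter has advanced
    by the replay threshold, so fewer than that many packets can have left the old active since
    this event; skipping a whole threshold avoids reusing a sequence number the peer may have seen.
    Assumes no multicast event was dropped; 2 is the sysctl default described above."""
    thresh = ev.replay_thresh if ev.replay_thresh is not None else default_rseqth
    return (ev.replay[0] + thresh) & 0xFFFFFFFF

# Constructed sample: a timer-expiry event (XFRM_AE_CE) as the kernel would multicast it.
SAMPLE_EVENT = nlmsg(XFRM_MSG_NEWAE, AEVENT_ID.pack(
    b"\x0a\x00\x00\x02" + b"\0" * 12, 0x1000, 2, 50,    # dst 10.0.0.2, spi, AF_INET, ESP
    b"\x0a\x00\x00\x01" + b"\0" * 12, XFRM_AE_CE, 7)      # src 10.0.0.1, flags, reqid
    + nla(XFRMA_REPLAY_VAL, REPLAY_STATE.pack(1205, 1187, 0xFFFFFFFF))
    + nla(XFRMA_LTIME_VAL, LTIME_CUR.pack(3401216, 2392, 1700000000, 1700000400))
    + nla(XFRMA_REPLAY_THRESH, U32.pack(2)) + nla(XFRMA_ETIMER_THRESH, U32.pack(1000)), seq=0, pid=4242)
```

A real listener would read such buffers from a NETLINK_XFRM socket subscribed to XFRMNLGRP_AEVENTS and feed each one to parse_newae.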

-JHS