€•)pŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ-/translations/zh_CN/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ-/translations/zh_TW/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ-/translations/it_IT/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ-/translations/ja_JP/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ-/translations/ko_KR/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ-/translations/pt_BR/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ-/translations/sp_SP/networking/xfrm/xfrm_sync”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³ŒG/var/lib/git/docbuild/linux/Documentation/networking/xfrm/xfrm_sync.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ XFRM sync”h]”hŒ XFRM sync”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhŒ paragraph”“”)”}”(hŒ”The sync patches work is based on initial patches from Krisztian and others and additional patches from Jamal .”h]”(hŒBThe sync patches work is based on initial patches from Krisztian <”…””}”(hhßh²hh³Nh´NubhŒ reference”“”)”}”(hŒhidden@balabit.hu”h]”hŒhidden@balabit.hu”…””}”(hhéh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:hidden@balabit.hu”uh1hçhhßubhŒ0> and others and additional patches from Jamal <”…””}”(hhßh²hh³Nh´Nubhè)”}”(hŒhadi@cyberus.ca”h]”hŒhadi@cyberus.ca”…””}”(hhýh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:hadi@cyberus.ca”uh1hçhhßubhŒ>.”…””}”(hhßh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÞ)”}”(hX,The end goal for syncing is to be able to insert attributes + generate events so that the SA can be safely moved from one machine to another for HA purposes. The idea is to synchronize the SA so that the takeover machine can do the processing of the SA as accurate as possible if it has access to it.”h]”hX,The end goal for syncing is to be able to insert attributes + generate events so that the SA can be safely moved from one machine to another for HA purposes. The idea is to synchronize the SA so that the takeover machine can do the processing of the SA as accurate as possible if it has access to it.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K hhÊh²hubhÞ)”}”(hX6We already have the ability to generate SA add/del/upd events. These patches add ability to sync and have accurate lifetime byte (to ensure proper decay of SAs) and replay counters to avoid replay attacks with as minimal loss at failover time. This way a backup stays as closely up-to-date as an active member.”h]”hX6We already have the ability to generate SA add/del/upd events. These patches add ability to sync and have accurate lifetime byte (to ensure proper decay of SAs) and replay counters to avoid replay attacks with as minimal loss at failover time. This way a backup stays as closely up-to-date as an active member.”…””}”(hj%h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÞ)”}”(hXŠBecause the above items change for every packet the SA receives, it is possible for a lot of the events to be generated. For this reason, we also add a nagle-like algorithm to restrict the events. i.e we are going to set thresholds to say "let me know if the replay sequence threshold is reached or 10 secs have passed" These thresholds are set system-wide via sysctls or can be updated per SA.”h]”hXŽBecause the above items change for every packet the SA receives, it is possible for a lot of the events to be generated. For this reason, we also add a nagle-like algorithm to restrict the events. i.e we are going to set thresholds to say “let me know if the replay sequence threshold is reached or 10 secs have passed†These thresholds are set system-wide via sysctls or can be updated per SA.”…””}”(hj3h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÞ)”}”(hX7The identified items that need to be synchronized are: - the lifetime byte counter note that: lifetime time limit is not important if you assume the failover machine is known ahead of time since the decay of the time countdown is not driven by packet arrival. - the replay sequence for both inbound and outbound”h]”hX7The identified items that need to be synchronized are: - the lifetime byte counter note that: lifetime time limit is not important if you assume the failover machine is known ahead of time since the decay of the time countdown is not driven by packet arrival. - the replay sequence for both inbound and outbound”…””}”(hjAh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒ1) Message Structure”h]”hŒ1) Message Structure”…””}”(hjRh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjOh²hh³hÇh´K'ubhÞ)”}”(hŒ!nlmsghdr:aevent_id:optional-TLVs.”h]”hŒ!nlmsghdr:aevent_id:optional-TLVs.”…””}”(hj`h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K)hjOh²hubhÞ)”}”(hŒThe netlink message types are:”h]”hŒThe netlink message types are:”…””}”(hjnh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K+hjOh²hubhÞ)”}”(hŒ"XFRM_MSG_NEWAE and XFRM_MSG_GETAE.”h]”hŒ"XFRM_MSG_NEWAE and XFRM_MSG_GETAE.”…””}”(hj|h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K-hjOh²hubhÞ)”}”(hŒ$A XFRM_MSG_GETAE does not have TLVs.”h]”hŒ$A XFRM_MSG_GETAE does not have TLVs.”…””}”(hjŠh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K/hjOh²hubhÞ)”}”(hŒMA XFRM_MSG_NEWAE will have at least two TLVs (as is discussed further below).”h]”hŒMA XFRM_MSG_NEWAE will have at least two TLVs (as is discussed further below).”…””}”(hj˜h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K1hjOh²hubhÞ)”}”(hŒ aevent_id structure looks like::”h]”hŒaevent_id structure looks like:”…””}”(hj¦h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K4hjOh²hubhŒ literal_block”“”)”}”(hŒÞstruct xfrm_aevent_id { struct xfrm_usersa_id sa_id; xfrm_address_t saddr; __u32 flags; __u32 reqid; };”h]”hŒÞstruct xfrm_aevent_id { struct xfrm_usersa_id sa_id; xfrm_address_t saddr; __u32 flags; __u32 reqid; };”…””}”hj¶sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j´h³hÇh´K6hjOh²hubhÞ)”}”(hŒRThe unique SA is identified by the combination of xfrm_usersa_id, reqid and saddr.”h]”hŒRThe unique SA is identified by the combination of xfrm_usersa_id, reqid and saddr.”…””}”(hjÄh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K=hjOh²hubhÞ)”}”(hŒEflags are used to indicate different things. The possible flags are::”h]”hŒDflags are used to indicate different things. The possible flags are:”…””}”(hjÒh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K@hjOh²hubjµ)”}”(hX/XFRM_AE_RTHR=1, /* replay threshold*/ XFRM_AE_RVAL=2, /* replay value */ XFRM_AE_LVAL=4, /* lifetime value */ XFRM_AE_ETHR=8, /* expiry timer threshold */ XFRM_AE_CR=16, /* Event cause is replay update */ XFRM_AE_CE=32, /* Event cause is timer expiry */ XFRM_AE_CU=64, /* Event cause is policy update */”h]”hX/XFRM_AE_RTHR=1, /* replay threshold*/ XFRM_AE_RVAL=2, /* replay value */ XFRM_AE_LVAL=4, /* lifetime value */ XFRM_AE_ETHR=8, /* expiry timer threshold */ XFRM_AE_CR=16, /* Event cause is replay update */ XFRM_AE_CE=32, /* Event cause is timer expiry */ XFRM_AE_CU=64, /* Event cause is policy update */”…””}”hjàsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j´h³hÇh´KChjOh²hubhÞ)”}”(hŒ´How these flags are used is dependent on the direction of the message (kernel<->user) as well the cause (config, query or event). This is described below in the different messages.”h]”hŒ´How these flags are used is dependent on the direction of the message (kernel<->user) as well the cause (config, query or event). This is described below in the different messages.”…””}”(hjîh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KKhjOh²hubhÞ)”}”(hŒ¥The pid will be set appropriately in netlink to recognize direction (0 to the kernel and pid = processid that created the event when going from kernel to user space)”h]”hŒ¥The pid will be set appropriately in netlink to recognize direction (0 to the kernel and pid = processid that created the event when going from kernel to user space)”…””}”(hjüh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KOhjOh²hubhÞ)”}”(hŒbA program needs to subscribe to multicast group XFRMNLGRP_AEVENTS to get notified of these events.”h]”hŒbA program needs to subscribe to multicast group XFRMNLGRP_AEVENTS to get notified of these events.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KShjOh²hubeh}”(h]”Œmessage-structure”ah ]”h"]”Œ1) message structure”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K'ubhÉ)”}”(hhh]”(hÎ)”}”(hŒ(2) TLVS reflect the different parameters”h]”hŒ(2) TLVS reflect the different parameters”…””}”(hj#h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj h²hh³hÇh´KWubhŒenumerated_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒobyte value (XFRMA_LTIME_VAL) This TLV carries the running/current counter for byte lifetime since last event. ”h]”(hÞ)”}”(hŒbyte value (XFRMA_LTIME_VAL)”h]”hŒbyte value (XFRMA_LTIME_VAL)”…””}”(hj<h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KYhj8ubhÞ)”}”(hŒPThis TLV carries the running/current counter for byte lifetime since last event.”h]”hŒPThis TLV carries the running/current counter for byte lifetime since last event.”…””}”(hjJh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K[hj8ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hj3h²hh³hÇh´Nubj7)”}”(hŒtreplay value (XFRMA_REPLAY_VAL) This TLV carries the running/current counter for replay sequence since last event. ”h]”(hÞ)”}”(hŒreplay value (XFRMA_REPLAY_VAL)”h]”hŒreplay value (XFRMA_REPLAY_VAL)”…””}”(hjbh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K^hj^ubhÞ)”}”(hŒRThis TLV carries the running/current counter for replay sequence since last event.”h]”hŒRThis TLV carries the running/current counter for replay sequence since last event.”…””}”(hjph²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K`hj^ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hj3h²hh³hÇh´Nubj7)”}”(hŒ˜replay threshold (XFRMA_REPLAY_THRESH) This TLV carries the threshold being used by the kernel to trigger events when the replay sequence is exceeded. ”h]”(hÞ)”}”(hŒ&replay threshold (XFRMA_REPLAY_THRESH)”h]”hŒ&replay threshold (XFRMA_REPLAY_THRESH)”…””}”(hjˆh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kchj„ubhÞ)”}”(hŒoThis TLV carries the threshold being used by the kernel to trigger events when the replay sequence is exceeded.”h]”hŒoThis TLV carries the threshold being used by the kernel to trigger events when the replay sequence is exceeded.”…””}”(hj–h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kehj„ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hj3h²hh³hÇh´Nubj7)”}”(hŒ…expiry timer (XFRMA_ETIMER_THRESH) This is a timer value in milliseconds which is used as the nagle value to rate limit the events. ”h]”(hÞ)”}”(hŒ"expiry timer (XFRMA_ETIMER_THRESH)”h]”hŒ"expiry timer (XFRMA_ETIMER_THRESH)”…””}”(hj®h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhjªubhÞ)”}”(hŒ`This is a timer value in milliseconds which is used as the nagle value to rate limit the events.”h]”hŒ`This is a timer value in milliseconds which is used as the nagle value to rate limit the events.”…””}”(hj¼h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kjhjªubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hj3h²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œ loweralpha”Œprefix”hŒsuffix”Œ)”uh1j1hj h²hh³hÇh´KYubeh}”(h]”Œ%tlvs-reflect-the-different-parameters”ah ]”h"]”Œ(2) tlvs reflect the different parameters”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KWubhÉ)”}”(hhh]”(hÎ)”}”(hŒ,3) Default configurations for the parameters”h]”hŒ,3) Default configurations for the parameters”…””}”(hjæh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjãh²hh³hÇh´KnubhÞ)”}”(hŒ‘By default these events should be turned off unless there is at least one listener registered to listen to the multicast group XFRMNLGRP_AEVENTS.”h]”hŒ‘By default these events should be turned off unless there is at least one listener registered to listen to the multicast group XFRMNLGRP_AEVENTS.”…””}”(hjôh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kphjãh²hubhÞ)”}”(hŒíPrograms installing SAs will need to specify the two thresholds, however, in order to not change existing applications such as racoon we also provide default threshold values for these different parameters in case they are not specified.”h]”hŒíPrograms installing SAs will need to specify the two thresholds, however, in order to not change existing applications such as racoon we also provide default threshold values for these different parameters in case they are not specified.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kthjãh²hubhÞ)”}”(hŒ!the two sysctls/proc entries are:”h]”hŒ!the two sysctls/proc entries are:”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kyhjãh²hubj2)”}”(hhh]”(j7)”}”(hŒ¬/proc/sys/net/core/sysctl_xfrm_aevent_etime Used to provide default values for the XFRMA_ETIMER_THRESH in incremental units of time of 100ms. The default is 10 (1 second) ”h]”(hÞ)”}”(hŒ+/proc/sys/net/core/sysctl_xfrm_aevent_etime”h]”hŒ+/proc/sys/net/core/sysctl_xfrm_aevent_etime”…””}”(hj%h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K{hj!ubhÞ)”}”(hŒ~Used to provide default values for the XFRMA_ETIMER_THRESH in incremental units of time of 100ms. The default is 10 (1 second)”h]”hŒ~Used to provide default values for the XFRMA_ETIMER_THRESH in incremental units of time of 100ms. The default is 10 (1 second)”…””}”(hj3h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K}hj!ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hjh²hh³hÇh´Nubj7)”}”(hŒ¨/proc/sys/net/core/sysctl_xfrm_aevent_rseqth Used to provide default values for XFRMA_REPLAY_THRESH parameter in incremental packet count. The default is two packets. ”h]”(hÞ)”}”(hŒ,/proc/sys/net/core/sysctl_xfrm_aevent_rseqth”h]”hŒ,/proc/sys/net/core/sysctl_xfrm_aevent_rseqth”…””}”(hjKh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K€hjGubhÞ)”}”(hŒyUsed to provide default values for XFRMA_REPLAY_THRESH parameter in incremental packet count. The default is two packets.”h]”hŒyUsed to provide default values for XFRMA_REPLAY_THRESH parameter in incremental packet count. The default is two packets.”…””}”(hjYh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K‚hjGubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hjh²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”jÖj×jØhjÙjÚuh1j1hjãh²hh³hÇh´K{ubeh}”(h]”Œ)default-configurations-for-the-parameters”ah ]”h"]”Œ,3) default configurations for the parameters”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KnubhÉ)”}”(hhh]”(hÎ)”}”(hŒ4) Message types”h]”hŒ4) Message types”…””}”(hj~h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj{h²hh³hÇh´K†ubj2)”}”(hhh]”(j7)”}”(hX’XFRM_MSG_GETAE issued by user-->kernel. XFRM_MSG_GETAE does not carry any TLVs. The response is a XFRM_MSG_NEWAE which is formatted based on what XFRM_MSG_GETAE queried for. The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. * if XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved * if XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved ”h]”(hÞ)”}”(hŒOXFRM_MSG_GETAE issued by user-->kernel. XFRM_MSG_GETAE does not carry any TLVs.”h]”hŒOXFRM_MSG_GETAE issued by user-->kernel. XFRM_MSG_GETAE does not carry any TLVs.”…””}”(hj“h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KˆhjubhÞ)”}”(hŒ]The response is a XFRM_MSG_NEWAE which is formatted based on what XFRM_MSG_GETAE queried for.”h]”hŒ]The response is a XFRM_MSG_NEWAE which is formatted based on what XFRM_MSG_GETAE queried for.”…””}”(hj¡h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K‹hjubhÞ)”}”(hŒHThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hŒHThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hj¯h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KŽhjubhŒ block_quote”“”)”}”(hŒ”* if XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved * if XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved ”h]”hŒ bullet_list”“”)”}”(hhh]”(j7)”}”(hŒGif XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved”h]”hÞ)”}”(hjÊh]”hŒGif XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved”…””}”(hjÌh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhjÈubah}”(h]”h ]”h"]”h$]”h&]”uh1j6hjÅubj7)”}”(hŒHif XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved ”h]”hÞ)”}”(hŒGif XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved”h]”hŒGif XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved”…””}”(hjãh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K‘hjßubah}”(h]”h ]”h"]”h$]”h&]”uh1j6hjÅubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1jÃh³hÇh´Khj¿ubah}”(h]”h ]”h"]”h$]”h&]”uh1j½h³hÇh´Khjubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hjŒh²hh³hÇh´Nubj7)”}”(hXzXFRM_MSG_NEWAE is issued by either user space to configure or kernel to announce events or respond to a XFRM_MSG_GETAE. i) user --> kernel to configure a specific SA. any of the values or threshold parameters can be updated by passing the appropriate TLV. A response is issued back to the sender in user space to indicate success or failure. In the case of success, additionally an event with XFRM_MSG_NEWAE is also issued to any listeners as described in iii). ii) kernel->user direction as a response to XFRM_MSG_GETAE The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. The threshold TLVs will be included if explicitly requested in the XFRM_MSG_GETAE message. iii) kernel->user to report as event if someone sets any values or thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above). In such a case XFRM_AE_CU flag is set to inform the user that the change happened as a result of an update. The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. iv) kernel->user to report event when replay threshold or a timeout is exceeded. ”h]”(hÞ)”}”(hŒwXFRM_MSG_NEWAE is issued by either user space to configure or kernel to announce events or respond to a XFRM_MSG_GETAE.”h]”hŒwXFRM_MSG_NEWAE is issued by either user space to configure or kernel to announce events or respond to a XFRM_MSG_GETAE.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K“hj ubj2)”}”(hhh]”(j7)”}”(hXVuser --> kernel to configure a specific SA. any of the values or threshold parameters can be updated by passing the appropriate TLV. A response is issued back to the sender in user space to indicate success or failure. In the case of success, additionally an event with XFRM_MSG_NEWAE is also issued to any listeners as described in iii). ”h]”(hÞ)”}”(hŒ+user --> kernel to configure a specific SA.”h]”hŒ+user --> kernel to configure a specific SA.”…””}”(hj$h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K–hj ubhÞ)”}”(hŒXany of the values or threshold parameters can be updated by passing the appropriate TLV.”h]”hŒXany of the values or threshold parameters can be updated by passing the appropriate TLV.”…””}”(hj2h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K˜hj ubhÞ)”}”(hŒUA response is issued back to the sender in user space to indicate success or failure.”h]”hŒUA response is issued back to the sender in user space to indicate success or failure.”…””}”(hj@h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K›hj ubhÞ)”}”(hŒwIn the case of success, additionally an event with XFRM_MSG_NEWAE is also issued to any listeners as described in iii).”h]”hŒwIn the case of success, additionally an event with XFRM_MSG_NEWAE is also issued to any listeners as described in iii).”…””}”(hjNh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kžhj ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hjubj7)”}”(hŒÝkernel->user direction as a response to XFRM_MSG_GETAE The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. The threshold TLVs will be included if explicitly requested in the XFRM_MSG_GETAE message. ”h]”(hÞ)”}”(hŒ6kernel->user direction as a response to XFRM_MSG_GETAE”h]”hŒ6kernel->user direction as a response to XFRM_MSG_GETAE”…””}”(hjfh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¡hjbubhÞ)”}”(hŒHThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hŒHThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hjth²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K£hjbubhÞ)”}”(hŒZThe threshold TLVs will be included if explicitly requested in the XFRM_MSG_GETAE message.”h]”hŒZThe threshold TLVs will be included if explicitly requested in the XFRM_MSG_GETAE message.”…””}”(hj‚h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¥hjbubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hjubj7)”}”(hX8kernel->user to report as event if someone sets any values or thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above). In such a case XFRM_AE_CU flag is set to inform the user that the change happened as a result of an update. The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. ”h]”hÞ)”}”(hX7kernel->user to report as event if someone sets any values or thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above). In such a case XFRM_AE_CU flag is set to inform the user that the change happened as a result of an update. The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hX7kernel->user to report as event if someone sets any values or thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above). In such a case XFRM_AE_CU flag is set to inform the user that the change happened as a result of an update. The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hjšh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¨hj–ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6hjubj7)”}”(hŒMkernel->user to report event when replay threshold or a timeout is exceeded. ”h]”hÞ)”}”(hŒLkernel->user to report event when replay threshold or a timeout is exceeded.”h]”hŒLkernel->user to report event when replay threshold or a timeout is exceeded.”…””}”(hj²h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K®hj®ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6hjubeh}”(h]”h ]”h"]”h$]”h&]”jÖŒ lowerroman”jØhjÙjÚuh1j1hj ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j6hjŒh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”jÖj×jØhjÙjÚuh1j1hj{h²hh³hÇh´KˆubhÞ)”}”(hŒïIn such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout happened) is set to inform the user what happened. Note the two flags are mutually exclusive. The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hŒïIn such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout happened) is set to inform the user what happened. Note the two flags are mutually exclusive. The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hjÙh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K±hj{h²hubeh}”(h]”Œ message-types”ah ]”h"]”Œ4) message types”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K†ubhÉ)”}”(hhh]”(hÎ)”}”(hŒ#5) Exceptions to threshold settings”h]”hŒ#5) Exceptions to threshold settings”…””}”(hjòh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjïh²hh³hÇh´K·ubhÞ)”}”(hXƒIf you have an SA that is getting hit by traffic in bursts such that there is a period where the timer threshold expires with no packets seen, then an odd behavior is seen as follows: The first packet arrival after a timer expiry will trigger a timeout event; i.e we don't wait for a timeout period or a packet threshold to be reached. This is done for simplicity and efficiency reasons.”h]”hX…If you have an SA that is getting hit by traffic in bursts such that there is a period where the timer threshold expires with no packets seen, then an odd behavior is seen as follows: The first packet arrival after a timer expiry will trigger a timeout event; i.e we don’t wait for a timeout period or a packet threshold to be reached. This is done for simplicity and efficiency reasons.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¹hjïh²hubhÞ)”}”(hŒ-JHS”h]”hŒ-JHS”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KÀhjïh²hubeh}”(h]”Œ exceptions-to-threshold-settings”ah ]”h"]”Œ#5) exceptions to threshold settings”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K·ubeh}”(h]”Œ xfrm-sync”ah ]”h"]”Œ xfrm sync”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jOŒerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j)j&jjjàjÝjxjujìjéj!juŒ nametypes”}”(j)‰j‰jà‰jx‰jì‰j!‰uh}”(j&hÊjjOjÝj jujãjéj{jjïuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.