[15/15] mka: do not update potential peer liveness timer

Message ID 20180302201103.16264-16-msiedzik@extremenetworks.com
State New
Headers show
Series
  • MKA bugfixes and enhancements
Related show

Commit Message

Michael Siedzik March 2, 2018, 8:11 p.m.
From: Mike Siedzik <msiedzik@extremenetworks.com>

To prevent a remote peer from getting stuck in a perpetual 'potential
peer' state, only update the peer liveness timer 'peer->expire' for live
peers and not for potential peers.

Per IEEE802.1X-2010 9.4.3 Determining liveness, potential peers need to
show liveness by including our MI/MN in their transmitted MKPDU (within
potential or live parameter sets).

When a potential peer does include our MI/MN in an MKPDU, we respond by
moving the peer from 'potential_peers' to 'live_peers'.

If a potential peer does not include our MI/MN in an MKPDU within
MKPDU_LIFE_TIME, then let the peer expire to facilitate getting back in
sync with the remote peer.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
---
 src/pae/ieee802_1x_kay.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--
2.11.1

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4323b6dc0..6ac7d02d1 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3180,14 +3180,21 @@  static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                } else {
                        peer->missing_sak_use_count = 0;
                }
+
+               /* Only update live peer watchdog after successful decode of all parameter sets */
+               peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
        } else {
                /* MKPDU is from new or potential peer */
                peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi);
-       }
+               if (!peer)
+                       return -1;

-       /* Only update live peer watchdog after successful decode of all parameter sets */
-       if (peer)
-               peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
+               /* Do not update potential peer watchdog.  Per IEEE802.1X-2010 9.4.3,
+                * potential peers need to show liveness by including our MI/MN in their
+                * transmitted MKPDU (within potential or live parameter sets).  When
+                * a potential peer does include our MI/MN in an MKPDU, we respond by
+                * moving the peer from 'potential_peers' to 'live_peers'. */
+       }

        kay->active = TRUE;
        participant->retry_count = 0;