
[15/15] mka: do not update potential peer liveness timer

Message ID 20180302201103.16264-16-msiedzik@extremenetworks.com
State Accepted
Series MKA bugfixes and enhancements

Commit Message

Michael Siedzik March 2, 2018, 8:11 p.m. UTC
From: Mike Siedzik <msiedzik@extremenetworks.com>

To prevent a remote peer from getting stuck in a perpetual 'potential
peer' state, only update the peer liveness timer 'peer->expire' for live
peers and not for potential peers.

Per IEEE802.1X-2010 9.4.3 Determining liveness, potential peers need to
show liveness by including our MI/MN in their transmitted MKPDU (within
potential or live parameter sets).

When a potential peer does include our MI/MN in an MKPDU, we respond by
moving the peer from 'potential_peers' to 'live_peers'.

If a potential peer does not include our MI/MN in an MKPDU within
MKPDU_LIFE_TIME, then let the peer expire to facilitate getting back in
sync with the remote peer.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
---
 src/pae/ieee802_1x_kay.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--
2.11.1

Comments

Jouni Malinen Dec. 26, 2018, 11:16 p.m. UTC | #1
On Fri, Mar 02, 2018 at 03:11:03PM -0500, msiedzik@extremenetworks.com wrote:
> To prevent a remote peer from getting stuck in a perpetual 'potential
> peer' state, only update the peer liveness timer 'peer->expire' for live
> peers and not for potential peers.
> 
> Per IEEE802.1X-2010 9.4.3 Determining liveness, potential peers need to
> show liveness by including our MI/MN in their transmitted MKPDU (within
> potential or live parameter sets).
> 
> When a potential peer does include our MI/MN in an MKPDU, we respond by
> moving the peer from 'potential_peers' to 'live_peers'.
> 
> If a potential peer does not include our MI/MN in an MKPDU within
> MKPDU_LIFE_TIME, then let the peer expire to facilitate getting back in
> sync with the remote peer.

Thanks, applied.
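
A small model of the liveness rule the commit message describes, added here as an illustration and not taken from hostap: `model_peer`, `model_rx_mkpdu`, `model_run`, the 6000 ms lifetime and the 2 s MKPDU interval are assumptions. It shows a potential peer that never carries our MI/MN staying in the table indefinitely when its timer is refreshed on every MKPDU, and expiring once only live peers are refreshed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Assumption: MKA Life Time in ms, as implied by 'MKA_LIFE_TIME / 1000'. */
#define MKA_LIFE_TIME 6000

/* Hypothetical simplified peer record, not the hostap structure. */
struct model_peer {
	bool live;   /* false: potential peer, true: live peer */
	long expire; /* time in seconds at which the peer is dropped */
};

/* Handle one MKPDU received at 'now'. lists_us: the MKPDU carries our MI/MN
 * in a peer list. pre_patch: refresh the timer for potential peers too. */
static void model_rx_mkpdu(struct model_peer *p, long now, bool lists_us,
			   bool pre_patch)
{
	if (!p->live && lists_us)
		p->live = true; /* peer has shown liveness: promote it */
	if (p->live || pre_patch)
		p->expire = now + MKA_LIFE_TIME / 1000;
}

/* The peer sends an MKPDU every 2 s (assumed interval) and carries our MI/MN
 * from 'ack_at' on (-1: never). Returns the time the peer expired, or -1 if
 * it was still present after 'duration' seconds; *live_out is its state. */
static long model_run(long duration, long ack_at, bool pre_patch,
		      bool *live_out)
{
	struct model_peer p = { false, MKA_LIFE_TIME / 1000 };
	long t, expired_at = -1;
	for (t = 1; t <= duration && expired_at < 0; t++) {
		if (t >= p.expire)
			expired_at = t;
		else if (t % 2 == 0)
			model_rx_mkpdu(&p, t, ack_at >= 0 && t >= ack_at, pre_patch);
	}
	*live_out = p.live;
	return expired_at;
}

int main(void)
{
	bool live;
	long t = model_run(60, -1, true, &live);  /* never expires */
	printf("pre-patch: expired_at=%ld live=%d\n", t, live);
	t = model_run(60, -1, false, &live);      /* expires at 6 s */
	printf("patched:   expired_at=%ld live=%d\n", t, live);
	return 0;
}
```
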

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4323b6dc0..6ac7d02d1 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3180,14 +3180,21 @@  static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                } else {
                        peer->missing_sak_use_count = 0;
                }
+
+               /* Only update live peer watchdog after successful decode of all parameter sets */
+               peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
        } else {
                /* MKPDU is from new or potential peer */
                peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi);
-       }
+               if (!peer)
+                       return -1;

-       /* Only update live peer watchdog after successful decode of all parameter sets */
-       if (peer)
-               peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
+               /* Do not update potential peer watchdog.  Per IEEE802.1X-2010 9.4.3,
+                * potential peers need to show liveness by including our MI/MN in their
+                * transmitted MKPDU (within potential or live parameter sets).  When
+                * a potential peer does include our MI/MN in an MKPDU, we respond by
+                * moving the peer from 'potential_peers' to 'live_peers'. */
+       }

        kay->active = TRUE;
        participant->retry_count = 0;
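
Review bot: The new "if (!peer) return -1;" in the else branch changes more than the watchdog, and the commit message does not mention it. Before this hunk, a NULL result from ieee802_1x_kay_get_peer() fell through to "kay->active = TRUE" and the retry_count reset; now the MKPDU is rejected before either runs. Please describe that in the commit message, or add a debug message before the return saying why the frame is dropped. Two smaller points: the commit message refers to MKPDU_LIFE_TIME while the code uses MKA_LIFE_TIME, and the moved one-line comment above "peer->expire = ..." runs past 80 columns at its new indentation, so it would read better wrapped.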