From bc9175941a4dfc8d792e8e09b33f25f9c5f07f93 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Tue, 3 Aug 2021 12:46:30 +0000
Subject: [PATCH] Increase default data bytes limit for Child SAs to 4 GB.
Lower limits lead to excessive rekeying and lost data in high performance setups without much benefit.
Brought up by mvs@
ok patrick@ sthen@
---
 sbin/iked/iked.conf.5 | 8 ++++----
 sbin/iked/types.h | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index a67d1d184e4..df1a0f09442 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.85 2021/04/11 23:27:06 tobhe Exp $
+.\" $OpenBSD: iked.conf.5,v 1.86 2021/08/03 12:46:30 tobhe Exp $
 .\"
 .\" Copyright (c) 2010 - 2014 Reyk Floeter
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 11 2021 $
+.Dd $Mdocdate: August 3 2021 $
 .Dt IKED.CONF 5
 .Os
 .Sh NAME
@@ -586,8 +586,8 @@ parameter defines the Child SA expiration timeout by
 the SA was in use and by the number of
 .Ar bytes
 that were processed using the SA.
-Default values are 3 hours and 512 megabytes which means that SA will be
-rekeyed before reaching the time limit or 512 megabytes of data
+Default values are 3 hours and 4 gigabytes which means that SA will be
+rekeyed before reaching the time limit or 4 gigabytes of data
 will pass through.
 Zero values disable rekeying.
 .Pp
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index 889398db226..b16d04c1ab6 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.43 2021/05/13 15:20:48 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.44 2021/08/03 12:46:30 tobhe Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider 
@@ -67,7 +67,7 @@
 #define IKED_CYCLE_BUFFERS 8 /* # of static buffers for mapping */
 #define IKED_PASSWORD_SIZE 256 /* limited by most EAP types */
-#define IKED_LIFETIME_BYTES 536870912 /* 512 Mb */
+#define IKED_LIFETIME_BYTES 4294967296 /* 4 GB */
 #define IKED_LIFETIME_SECONDS 10800 /* 3 hours */
 #define IKED_E 0x1000 /* Decrypted flag */
-- 
2.20.1
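Review bot: The new `IKED_LIFETIME_BYTES` value `4294967296` is an unsuffixed integer constant that no longer fits in 32 bits, so unlike its neighbours its type is now platform-dependent (`long` on LP64, `long long` on ILP32 targets) rather than `int`. That is harmless as long as every consumer keeps the limit in a 64-bit field, which this hunk does not show; but if any path stores it in a 32-bit variable the value silently truncates to exactly 0, and per the iked.conf.5 hunk in this same commit a zero byte limit disables rekeying entirely, the opposite of what the change intends. Pinning the width makes the type the same on every architecture and lets `-Wconversion` flag any narrowing assignment: `#define IKED_LIFETIME_BYTES 4294967296ULL /* 4 GB */`. The two blank context lines this hunk header accounts for appear to have been lost in the collapsed paste, so the hunk as shown is incomplete.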