Links involving mobile peers are best served by somewhat different
tuning parameters. So make the defaults vary accordingly.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
transform (transform closure): how to mangle packets sent between sites
dh (dh closure)
hash (hash closure)
transform (transform closure): how to mangle packets sent between sites
dh (dh closure)
hash (hash closure)
- key-lifetime (integer): max lifetime of a session key, in ms [one hour]
+ key-lifetime (integer): max lifetime of a session key, in ms
+ [one hour; mobile: 2 days]
setup-retries (integer): max number of times to transmit a key negotiation
setup-retries (integer): max number of times to transmit a key negotiation
setup-timeout (integer): time between retransmissions of key negotiation
setup-timeout (integer): time between retransmissions of key negotiation
+ packets, in ms [2000; mobile: 1000]
wait-time (integer): after failed key setup, wait this long (in ms) before
wait-time (integer): after failed key setup, wait this long (in ms) before
- allowing another attempt [20000]
+ allowing another attempt [20000; mobile: 10000]
renegotiate-time (integer): if we see traffic on the link after this time
then renegotiate another session key immediately (in ms)
renegotiate-time (integer): if we see traffic on the link after this time
then renegotiate another session key immediately (in ms)
- [half key-lifetime, or key-lifetime minus 5 mins, whichever is longer].
+ [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours),
+ whichever is longer].
keepalive (bool): if True then attempt always to keep a valid session key.
Not actually currently implemented. [false]
log-events (string list): types of events to log for this site
keepalive (bool): if True then attempt always to keep a valid session key.
Not actually currently implemented. [false]
log-events (string list): types of events to log for this site
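Review bot: the new renegotiate-time default text "[half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours), whichever is longer]" is ambiguous about what "mobile: 12 hours" replaces; since DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP is the gap, not the whole default, say so explicitly, e.g. "key-lifetime minus 5 mins (12 hours on mobile links)", and note the resulting mobile value (2 days minus 12 hours, i.e. 36 hours, which is longer than half of 2 days) so operators can see how long a session key stays in use before renegotiation. Also, the continuation line of the setup-retries entry is not visible in this hunk, while site.c adds DEFAULT_MOBILE_SETUP_RETRIES 30; check that the README entry carries a matching "mobile: 30" annotation like the other four parameters.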
for us have "mobile True" (and if we find a site configuration for
ourselves in the config, we insist on this). The effect is to
check that there are no links both ends of which are allegedly
for us have "mobile True" (and if we find a site configuration for
ourselves in the config, we insist on this). The effect is to
check that there are no links both ends of which are allegedly
- mobile (which is not supported, so those links are ignored). [false]
+ mobile (which is not supported, so those links are ignored) and
+ to change some of the tuning parameter defaults. [false]
+
+Links involving mobile peers have some different tuning parameter
+default values, which are generally more aggressive about retrying key
+setup but more relaxed about using old keys. These are noted with
+"mobile:", above, and apply whether the mobile peer is local or
+remote.
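Review bot: the new paragraph says the mobile defaults are "more relaxed about using old keys" but does not state the trade-off, which is the point an operator needs: a 2-day key-lifetime and a 12-hour renegotiate gap mean one compromised session key covers far more traffic than under the default one-hour lifetime. Suggest adding one sentence saying that sites carrying sensitive traffic over a mobile link should set key-lifetime and renegotiate-time explicitly rather than rely on the mobile defaults, and that the mobile defaults are applied as soon as either end is mobile, so a fixed site inherits them for that link.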
#define DEFAULT_SETUP_RETRIES 5
#define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
#define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
#define DEFAULT_SETUP_RETRIES 5
#define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
#define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
+
+#define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
+#define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
+#define DEFAULT_MOBILE_SETUP_RETRIES 30
+#define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
+#define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
+
#define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
#define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
#define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
#define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
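Review bot: the DEFAULT_MOBILE_ prefix now has two meanings in this file: the five new constants are mobile alternates selected by the DEFAULT(D) token-pasting macro and must each pair with an existing DEFAULT_<same suffix> (DEFAULT_KEY_LIFETIME, DEFAULT_KEY_RENEGOTIATE_GAP, DEFAULT_SETUP_RETRIES, DEFAULT_SETUP_RETRY_INTERVAL, DEFAULT_WAIT_TIME), whereas the pre-existing DEFAULT_MOBILE_PEER_EXPIRY and DEFAULT_MOBILE_PEERS_MAX are settings that only exist for mobile peers and have no non-mobile counterpart. Add a short comment separating the two groups (or a blank line plus "/* mobile alternates for DEFAULT(D) */"), and confirm the non-mobile names DEFAULT_KEY_LIFETIME and DEFAULT_KEY_RENEGOTIATE_GAP exist with exactly those spellings, since only DEFAULT_SETUP_RETRIES, DEFAULT_SETUP_RETRY_INTERVAL and DEFAULT_WAIT_TIME are visible here. The largest new value, 2*24*3600*1000 = 172800000, is under INT_MAX, so the int arithmetic is fine.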
st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
-#define DEFAULT(D) DEFAULT_##D
+#define DEFAULT(D) (st->peer_mobile || local_mobile \
+ ? DEFAULT_MOBILE_##D : DEFAULT_##D)
#define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
#define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
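Review bot: DEFAULT(D) now evaluates `st->peer_mobile || local_mobile` at every CFG_NUMBER call, so both must already be set when st->key_lifetime and the following parameters are read; the hunk does not show where the site's "mobile" key is read into st->peer_mobile or where local_mobile is computed, so please confirm that ordering, otherwise the mobile defaults are silently skipped in favour of the non-mobile ones with no diagnostic. A side effect worth a comment above the macro: any CFG_NUMBER(k, D) whose D lacks a DEFAULT_MOBILE_##D counterpart now fails to compile, which is the desired behaviour but will surprise the next person adding a tuning parameter.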