Workaround for missed ESP key updates in Juniper/oNCP protocol

The Juniper/oNCP protocol informs the client of the ESP key lifetime (in either seconds or bytes; we do not handle the latter case), but normally the rekey is initiated by the server, which is supposed to send new keys to the client with a KMP 302 packet on the oNCP/TLS channel.

However, when the ESP channel is used for data transport, the oNCP/TLS channel is idle, and we don't know how to keep it alive or even to detect if it is still alive. Therefore the server-initiated ESP key updates may not be received, and the ESP channel will suddenly stop working; see #627 (comment 1438325857) for a probable case.

As a workaround, we can rekey by reconnecting the TLS channel and re-fetching the config shortly before the ESP keys expire, if we haven't already received new ESP keys from the server at this point.
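The following is an added illustration of the scheduling logic described above, not code from this merge request or from OpenConnect. It models the ESP key lifetime as a deadline that is reset whenever a KMP 302 delivers new keys; if the deadline minus a safety margin is reached without such a message, the client performs its own rekey (reconnect the oNCP/TLS channel and re-fetch the config). The class and function names, the 30-second margin and the simulated timelines are assumptions of this example. A byte-based lifetime is deliberately left untracked, matching the note above that this case is not handled.

```python
"""Constructed example: client-side ESP rekey fallback for Juniper/oNCP.

Not OpenConnect code. Names (EspKeyTracker, Action, simulate) and the
30-second margin are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional


class Action(Enum):
    NONE = auto()          # current keys are still fresh
    CLIENT_REKEY = auto()  # reconnect oNCP/TLS and re-fetch the config for new keys
    UNTRACKED = auto()     # lifetime was given in bytes; no deadline can be scheduled


@dataclass
class EspKeyTracker:
    """Tracks the current ESP key set and decides when the client must rekey itself."""
    lifetime_seconds: Optional[int]  # None models a byte-based lifetime (not handled)
    margin_seconds: int = 30         # act this long before expiry (assumed value)
    installed_at: int = 0            # when the current keys were installed
    from_server: bool = False        # True if a KMP 302 delivered the current keys
    client_rekeys: int = 0
    server_rekeys: int = 0

    def install_keys(self, now: int, via_kmp302: bool) -> None:
        """Start a fresh lifetime; via_kmp302 marks a server-initiated update."""
        self.installed_at = now
        self.from_server = via_kmp302
        if via_kmp302:
            self.server_rekeys += 1

    def rekey_deadline(self) -> Optional[int]:
        """Time at which the client should rekey if the server has not done so."""
        if self.lifetime_seconds is None:
            return None
        return self.installed_at + self.lifetime_seconds - self.margin_seconds

    def check(self, now: int) -> Action:
        """Called from the main loop; returns what the client should do right now."""
        deadline = self.rekey_deadline()
        if deadline is None:
            return Action.UNTRACKED
        if now < deadline:
            return Action.NONE
        # Keys are about to expire and no KMP 302 has renewed them since the last
        # install: reconnect TLS and re-fetch the config while ESP still works.
        self.client_rekeys += 1
        self.install_keys(now, via_kmp302=False)
        return Action.CLIENT_REKEY


def simulate(lifetime_seconds: Optional[int], kmp302_times: List[int],
             until: int, margin_seconds: int = 30) -> List[int]:
    """Drive the tracker one second at a time over a constructed timeline.

    kmp302_times lists when the server pushes new keys over oNCP/TLS.
    Returns the times at which the client had to rekey on its own.
    """
    tracker = EspKeyTracker(lifetime_seconds, margin_seconds)
    tracker.install_keys(0, via_kmp302=False)  # initial keys from the config fetch
    pending = sorted(kmp302_times)
    client_rekeys: List[int] = []
    for t in range(until + 1):
        while pending and pending[0] <= t:      # server-initiated updates arrive first
            tracker.install_keys(pending.pop(0), via_kmp302=True)
        if tracker.check(t) is Action.CLIENT_REKEY:
            client_rekeys.append(t)
    return client_rekeys


if __name__ == "__main__":
    # Lifetime 600 s, no KMP 302 ever arrives: the client rekeys at 570 and 1140.
    print("no server rekey:", simulate(600, [], 1200))
    # Lifetime 600 s, server rekeys at t=500: the client only steps in at 1070.
    print("server rekey at 500:", simulate(600, [500], 1200))
```

With a 600-second lifetime and a 30-second margin, the first timeline shows the client rekeying itself at t=570 and again at t=1140 because no KMP 302 ever arrived; in the second, the server's update at t=500 pushes the client's fallback out to t=1070. A real implementation would also need to survive the config re-fetch failing, which this model does not attempt.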
