From 00308f85540ec1e3557e991811e220455290e4d3 Mon Sep 17 00:00:00 2001 From: Benedict Wong Date: Mon, 12 Mar 2018 19:00:50 -0700 Subject: [PATCH] Set SPI Allocation Timeout to One Hour This change increases the default expiration length of an SA to 1h. The IPsec API expects that SPIs are allocated indefinitely, but potential for instability requires that these get cleaned up automatically. As such, the duration was chosen as a sane, but long timeout value. Bug: 72316671 Test: Added CTS tests to enforce this behavior Change-Id: I47aef9cea4a09da253b2ec048a8797af5fa25529 --- rootdir/init.rc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rootdir/init.rc b/rootdir/init.rc index a213ffb39..146257040 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -573,6 +573,9 @@ on boot hostname localhost domainname localdomain + # IPsec SA default expiration length + write /proc/sys/net/core/xfrm_acq_expires 3600 + # Memory management. Basic kernel parameters, and allow the high # level system server to be able to adjust the kernel OOM driver # parameters to match how it is managing things.
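Review bot: The comment added in the `on boot` block, `# IPsec SA default expiration length`, does not match the subject line, which calls this the SPI allocation timeout, and it gives no unit. The write sets `xfrm_acq_expires` to 3600 and the subject says one hour, so the value is in seconds; suggest something like `# IPsec SPI allocation (acquire) timeout, in seconds (1 hour)` so a later reader does not take it for the lifetime of established SAs. The commit message has the rationale (the API expects SPIs to be allocated indefinitely, and the expiry is only a cleanup backstop); a short form of that in the comment would explain why an hour was chosen for anyone reading init.rc without the commit history.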