[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Thu Dec 6 17:41:10 UTC 2018
New commits:
commit d1f747cb7026bc531ebb8c1d4ee2355981d66a51
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Dec 6 12:16:33 2018 -0500
ikev2: when searching for a CHILD SA by SPI, only check outbound SPI
The function find_state_ikev2_child_to_delete(), which would try to
match either the outbound(good) or inbound(bad) SPI, is replaced by
find_v2_child_sa_by_outbound_spi().
(The inbound check dates back to when the function was first added.)
Also add the comment:
Find an IKEv2 CHILD SA using the protocol and the (from our POV)
'outbound' SPI.
The remote end, when identifying a CHILD SA in a Delete or REKEY_SA
notification, sends its end's inbound SPI, which from our
point-of-view is the outbound SPI aka 'attrs.spi'.
From 1.3.3. Rekeying Child SAs with the CREATE_CHILD_SA Exchange: The
SA being rekeyed is identified by the SPI field in the [REKEY_SA]
Notify payload; this is the SPI the exchange initiator would expect in
inbound ESP or AH packets.
From 3.11. Delete Payload: [the delete payload will] contain the
IPsec protocol ID of that protocol (2 for AH, 3 for ESP), and the SPI
is the SPI the sending endpoint would expect in inbound ESP or AH
packets.
(Having the fields in state match this terminology would be nice.)
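The point the commit makes is that a peer names a CHILD SA by the SPI the peer expects inbound, which on our side is the outbound SPI, and that our own inbound SPIs belong to a namespace we allocate and are therefore unrelated to any peer-supplied value. The following C sketch is an added example written for this page; it is not libreswan's code and not part of the commit above. The struct `child_sa`, the sample SPI values, the Delete payload bytes and the helper names (`find_child_sa_by_outbound_spi`, `find_child_sa_by_either_spi`, `process_delete_payload`, `sample_child_sas`) are all assumptions for illustration. It contrasts the outbound-only lookup the commit adopts with the replaced either-direction lookup on a constructed table where a peer-chosen outbound SPI happens to equal one of our inbound SPIs, and runs a minimal parser for the Delete payload body (Protocol ID, SPI Size, Num of SPIs, SPIs, as laid out in RFC 7296 section 3.11) over it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPsec protocol IDs carried in the Delete payload (RFC 7296, 3.11). */
#define PROTO_AH  2
#define PROTO_ESP 3

/* Hypothetical, simplified CHILD SA record (not libreswan's struct state).
 * inbound_spi:  chosen by us; the peer puts it in ESP/AH packets sent to us.
 * outbound_spi: chosen by the peer; we put it in packets we send to the peer
 *               (the commit message calls this attrs.spi). */
struct child_sa {
    const char *name;
    uint8_t protocol;
    uint32_t inbound_spi;
    uint32_t outbound_spi;
    bool deleted;
};

/* Lookup the commit adopts: compare only the outbound SPI, because the SPI a
 * peer sends in Delete/REKEY_SA is the one it expects inbound, i.e. ours out. */
static struct child_sa *find_child_sa_by_outbound_spi(struct child_sa *sas, size_t n,
                                                      uint8_t protocol, uint32_t spi)
{
    for (size_t i = 0; i < n; i++)
        if (!sas[i].deleted && sas[i].protocol == protocol && sas[i].outbound_spi == spi)
            return &sas[i];
    return NULL;
}

/* The replaced behaviour: match either direction. Our inbound SPIs are values
 * we allocated, so comparing them to a peer-supplied SPI can select an
 * unrelated SA whenever the numbers coincide. Kept only for the comparison. */
static struct child_sa *find_child_sa_by_either_spi(struct child_sa *sas, size_t n,
                                                    uint8_t protocol, uint32_t spi)
{
    for (size_t i = 0; i < n; i++)
        if (!sas[i].deleted && sas[i].protocol == protocol &&
            (sas[i].outbound_spi == spi || sas[i].inbound_spi == spi))
            return &sas[i];
    return NULL;
}

/* Process the body of an IKEv2 Delete payload (the bytes after the 4-octet
 * generic payload header): Protocol ID (1), SPI Size (1), Num of SPIs (2,
 * big-endian), then that many SPIs. Marks matching SAs deleted and returns
 * the number matched, or -1 if the body is malformed. */
static int process_delete_payload(const uint8_t *body, size_t len,
                                  struct child_sa *sas, size_t n)
{
    if (len < 4)
        return -1;
    uint8_t protocol = body[0];
    uint8_t spi_size = body[1];
    uint16_t num_spis = (uint16_t)((body[2] << 8) | body[3]);
    /* AH and ESP SPIs are 4 octets; anything else is not a CHILD SA delete. */
    if ((protocol != PROTO_AH && protocol != PROTO_ESP) || spi_size != 4)
        return -1;
    if (len - 4 != (size_t)num_spis * spi_size)
        return -1;

    int matched = 0;
    const uint8_t *p = body + 4;
    for (uint16_t i = 0; i < num_spis; i++, p += 4) {
        uint32_t spi = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
        struct child_sa *sa = find_child_sa_by_outbound_spi(sas, n, protocol, spi);
        if (sa != NULL) {
            sa->deleted = true;
            matched++;
        }
    }
    return matched;
}

/* Constructed sample: two ESP CHILD SAs. The peer happened to choose, as the
 * outbound SPI of "b", the same value we chose as the inbound SPI of "a". */
static size_t sample_child_sas(struct child_sa *out, size_t cap)
{
    const struct child_sa sample[] = {
        { "a", PROTO_ESP, 0x2f000001u, 0x1a000001u, false },
        { "b", PROTO_ESP, 0x2f000002u, 0x2f000001u, false },
    };
    size_t n = sizeof sample / sizeof sample[0];
    if (n > cap)
        n = cap;
    memcpy(out, sample, n * sizeof out[0]);
    return n;
}

int main(void)
{
    struct child_sa sas[2];
    size_t n = sample_child_sas(sas, 2);
    /* Peer deletes the SA it knows by SPI 0x2f000001; for us that is "b". */
    const uint8_t delete_body[] = { PROTO_ESP, 4, 0x00, 0x01, 0x2f, 0x00, 0x00, 0x01 };
    struct child_sa *right = find_child_sa_by_outbound_spi(sas, n, PROTO_ESP, 0x2f000001u);
    struct child_sa *wrong = find_child_sa_by_either_spi(sas, n, PROTO_ESP, 0x2f000001u);
    printf("outbound-only lookup selects: %s\n", right ? right->name : "(none)");
    printf("either-direction lookup selects: %s\n", wrong ? wrong->name : "(none)");
    int matched = process_delete_payload(delete_body, sizeof delete_body, sas, n);
    printf("delete matched %d SA(s): a deleted=%d, b deleted=%d\n",
           matched, sas[0].deleted, sas[1].deleted);
    return 0;
}
```

The either-direction lookup returns "a" for the peer's SPI because it reaches "a"'s inbound SPI first, while the outbound-only lookup returns "b", the SA the peer actually meant. The sample SPI collision is contrived for illustration; it is the possibility of such a coincidence, not its likelihood, that makes the inbound comparison wrong.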