[Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed refs/heads/master
Paul Wouters
paul at nohats.ca
Tue Aug 25 20:24:40 EEST 2015
On Tue, 25 Aug 2015, D. Hugh Redelmeier wrote:
> "replaced" is not a concept in IKEv1. It is a weak notion in our code.
> There is no way to know if the other side shares that notion.
right.
> Off the top of my head, without due diligence, I would say that if one SA
> is deleted, and it is the eroute owner, and there is an identical SA, it
> should be made the eroute owner.
But I think the "replaced" SA is not used anymore by the other end.
Making it the eroute owner, I assume we would expect the remote peer
to suddenly start encrypting to us with a different key? I am pretty
sure they won't do that.
Paul