[Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed

D. Hugh Redelmeier hugh at mimosa.com
Wed Aug 26 09:24:48 EEST 2015


| From: Paul Wouters <paul at nohats.ca>

| On Tue, 25 Aug 2015, D. Hugh Redelmeier wrote:

| > Off the top of my head, without due diligence, I would say that if one SA
| > is deleted, and it is the eroute owner, and there is an identical SA, it
| > should be made the eroute owner.
| 
| But I think the "replaced" SA is not used anymore by the other end.
| Making it the eroute owner I assume we would expect the remote peer
| to suddenly start encrypting to us with a different key? I am pretty
| sure they won't do that.

Surely if the other side (1) does delete notifications, and (2) has
not issued a delete notification for this SA, the SA should be
legit.

And yes, I would assume that the other SA has its own key.  That's
their nature.

If I remember correctly, an IKE system only deletes inbound SAs.  It just 
stops using outbound ones.  Of course the inbound SA bundle and outbound 
SA bundle are paired pretty tightly in IKE (not IPSec).

Am I missing something?
