[Swan-dev] Bogus "established IKE SA" messages
Paul Wouters
paul at nohats.ca
Tue Apr 6 01:14:50 UTC 2021
On Mon, 5 Apr 2021, Andrew Cagney wrote:
> It's simpler.
>
> 1) We realise we want to delete a child sa
> 2) we send the delete
> 3) we delete it
> 4) we get a response, but we cannot find the child sa SPI
>
>
> Yea, that's too aggressive with deleting the incoming channel. I'm pretty sure the initiator should:
>
> - delete outgoing channel
> - send delete
> on receipt of response
> - delete incoming channel
> - delete child state
>
> otherwise we get the responder sending packets that have nowhere to go
But then an IKE SA needs to be clearly marked as "may only receive
informational delete confirmation". E.g. if the responder sends a
CREATE_CHILD_SA or MOBIKE or something, we need to refuse to process it.
Currently, we have no way of marking an IKE SA state as such.
Paul
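A toy model of the two deletion orders discussed in this thread, added here as an example and not libreswan code: the SPIs, the message dicts and the only_delete_response flag (standing in for the IKE SA marking Paul asks for) are all constructed.

```python
from dataclasses import dataclass, field
@dataclass
class ChildSA:
    inbound_spi: int            # SPI the peer uses when sending to us
    outbound_spi: int           # SPI we use when sending to the peer
    inbound_open: bool = True   # incoming channel still installed?
@dataclass
class IKESA:
    children: dict = field(default_factory=dict)        # inbound SPI -> ChildSA
    pending_delete: dict = field(default_factory=dict)  # our outbound SPI -> ChildSA
    only_delete_response: bool = False  # proposed marking while a DELETE is outstanding

def initiator_start_delete(ike, child, aggressive=False):
    # aggressive=True: steps 1-3 as currently done; False: only the outgoing channel goes now
    if aggressive:
        child.inbound_open = False
        del ike.children[child.inbound_spi]
    else:
        ike.pending_delete[child.outbound_spi] = child
        ike.only_delete_response = True
    # an IKEv2 DELETE names the sender's inbound SPI; the peer answers with its own inbound SPI
    return {"exchange": "INFORMATIONAL", "response": False, "delete_spi": child.inbound_spi}

def initiator_receive(ike, msg):
    # handle one message from the responder and report what happened to it
    if msg["exchange"] == "ESP":  # late data from the responder
        child = ike.children.get(msg["spi"])
        return "delivered" if child and child.inbound_open else "dropped"
    is_delete_response = msg["exchange"] == "INFORMATIONAL" and msg["response"]
    if ike.only_delete_response and not is_delete_response:
        return "refused"  # e.g. CREATE_CHILD_SA or MOBIKE while the confirmation is pending
    if is_delete_response:
        child = ike.pending_delete.pop(msg["delete_spi"], None)
        if child is None:
            return "unknown SPI"  # the bogus-message condition from the thread
        child.inbound_open = False  # step 4: now close the incoming channel and drop state
        del ike.children[child.inbound_spi]
        ike.only_delete_response = bool(ike.pending_delete)
        return "deleted"
    return "processed"

def run(aggressive):
    # constructed scenario: late ESP packet, stray CREATE_CHILD_SA, DELETE response, late ESP
    ike = IKESA()
    child = ChildSA(inbound_spi=0x1111, outbound_spi=0x2222)
    ike.children[child.inbound_spi] = child
    initiator_start_delete(ike, child, aggressive)
    return [initiator_receive(ike, m) for m in (
        {"exchange": "ESP", "spi": 0x1111}, {"exchange": "CREATE_CHILD_SA", "response": False},
        {"exchange": "INFORMATIONAL", "response": True, "delete_spi": 0x2222},
        {"exchange": "ESP", "spi": 0x1111})]
```

With aggressive=True the responder's late packet has nowhere to go and the DELETE response hits an unknown SPI; with the proposed order the packet is still delivered, the stray exchange is refused, and the state is torn down only on the confirmation.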