[Swan-dev] Bogus "established IKE SA" messages
Andrew Cagney
andrew.cagney at gmail.com
Tue Apr 6 01:52:42 UTC 2021
On Mon, 5 Apr 2021 at 21:14, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 5 Apr 2021, Andrew Cagney wrote:
>
> > It's simpler.
> >
> > 1) We realise we want to delete a child sa
> > 2) we send the delete
> > 3) we delete it
> > 4) we get a response, but we cannot find the child sa SPI
> >
> >
> > Yea, that's too aggressive with deleting the incoming channel. I'm
> > pretty sure the initiator should:
> >
> > - delete outgoing channel
> > - send delete
> > on receipt of response
> > - delete incoming channel
> > - delete child state
> >
> > otherwise we get the responder sending packets that have nowhere to go
>
> But then an IKE SA needs to be clearly marked as "may only receive
> informational delete confirmation". Eg if the responder sends a
> CREATE_CHILD_SA or MOBIKE or something, we need to refuse to process it.
>
>
If it is the IKE SA being deleted, yes. How to correctly implement this
part of the IKEv2 RFC makes for an interesting read.
> Currently, we have no way of marking an IKE SA state as such.
>
>
It is technically a gap. But one where the current strategy of
fire-n-forget is kind of sort of close enough
(one place where it clearly hurts is with retransmits - no IKE SA means
they don't happen)
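A sketch of the two Child SA delete orderings the thread compares (delete everything before the reply versus drop only the outgoing channel, wait for the INFORMATIONAL reply, then drop the incoming channel and the state), as an added C example that is not libreswan's code; the `ike_sa`/`child_sa` structs, the `delete_in_flight` marker on the IKE SA, the exchange names and the SPI values are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical model of the Child SA delete ordering discussed in the thread;
 * not libreswan code. SPI values used with it are constructed samples. */
enum child_state { CHILD_ESTABLISHED, CHILD_DELETE_SENT, CHILD_DELETED };
enum exchange { EX_INFORMATIONAL, EX_CREATE_CHILD_SA };
struct ike_sa { bool delete_in_flight; }; /* only a delete reply may arrive */
struct child_sa {
    uint32_t inbound_spi;    /* our SPI: the peer sends to us with it */
    uint32_t outbound_spi;   /* the peer's SPI: we send to the peer with it */
    bool inbound_installed;  /* incoming channel present in the kernel */
    bool outbound_installed; /* outgoing channel present in the kernel */
    enum child_state state;
};

/* Aggressive ordering from the report: everything goes before the reply. */
static void child_delete_aggressive(struct child_sa *sa)
{
    sa->outbound_installed = sa->inbound_installed = false;
    sa->state = CHILD_DELETED;  /* nothing is left for the reply's SPI to match */
}

/* Proposed ordering: drop only the outgoing channel, then send the DELETE
 * (carrying inbound_spi); the incoming channel keeps accepting peer traffic. */
static void child_delete_initiate(struct child_sa *sa, struct ike_sa *ike)
{
    sa->outbound_installed = false;
    sa->state = CHILD_DELETE_SENT;
    ike->delete_in_flight = true;
}

/* The reply names the peer's SPI, i.e. our outbound_spi. Only once it is
 * matched do the incoming channel and the child state go away. */
static bool child_delete_response(struct child_sa *sa, struct ike_sa *ike, uint32_t peer_spi)
{
    if (sa->state != CHILD_DELETE_SENT || peer_spi != sa->outbound_spi)
        return false;  /* "cannot find the child sa SPI" */
    sa->inbound_installed = false;
    sa->state = CHILD_DELETED;
    ike->delete_in_flight = false;
    return true;
}

/* While a delete is outstanding, refuse anything but the INFORMATIONAL reply. */
static bool ike_accept_exchange(const struct ike_sa *ike, enum exchange ex)
{
    return !ike->delete_in_flight || ex == EX_INFORMATIONAL;
}
```

With the aggressive ordering the reply's SPI lookup fails exactly as in step 4 of the report; with the proposed ordering the lookup succeeds and a CREATE_CHILD_SA arriving mid-delete is refused.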