Hello StrongSwan devs,

I have a question/proposal about CHILD SA rekey. If I understand correctly, today in the rekey task, after creating the new CHILD SA, a delete task is immediately created and executed (see here <https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/tasks/child_rekey.c#L379>).

This can cause packet loss if the peer gateway sends ESP packets in parallel to the rekey, so there are some old ESP packets on the network. Maybe StrongSwan can defer the call to kernel_interface->del_sa() for the inbound CHILD SA (only), so the kernel continues to process ESP packets for the old SAs for a while, and prevents the packet loss. What do you think?
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
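The timing described in the message above, as an added model that is not strongSwan code and not part of the original post: it counts ESP packets that arrive on the old SPI after the old inbound SA is gone, for immediate deletion and for a deferred one. The SPIs, timings, and the names `inbound_sa_t` and `dropped_after_rekey` are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an inbound SA table; not strongSwan or kernel code. */
typedef struct {
    uint32_t spi;         /* SPI that selects this inbound SA */
    uint32_t install_ms;  /* time the SA becomes usable */
    uint32_t delete_ms;   /* time the SA is removed */
} inbound_sa_t;

enum {
    OLD_SPI = 0x1001, NEW_SPI = 0x1002,  /* constructed SPIs */
    REKEY_DONE_MS = 100,   /* local side finishes the rekey */
    PEER_SWITCH_MS = 100,  /* last send time at which the peer uses the old SA */
    LATENCY_MS = 30,       /* assumed one-way network delay */
    SEND_STEP_MS = 10, SEND_END_MS = 200
};

/* An ESP packet is accepted only if an SA with its SPI is installed on arrival. */
static int accepted(const inbound_sa_t *sas, int n, uint32_t spi, uint32_t t)
{
    for (int i = 0; i < n; i++)
        if (sas[i].spi == spi && t >= sas[i].install_ms && t < sas[i].delete_ms)
            return 1;
    return 0;
}

/* Count packets dropped when the old inbound SA is deleted grace_ms after
 * the rekey completes (grace_ms == 0 models immediate deletion). */
int dropped_after_rekey(uint32_t grace_ms)
{
    const inbound_sa_t sas[] = {
        { OLD_SPI, 0, REKEY_DONE_MS + grace_ms },
        { NEW_SPI, REKEY_DONE_MS - 10, UINT32_MAX },
    };
    int dropped = 0;
    for (uint32_t sent = 0; sent < SEND_END_MS; sent += SEND_STEP_MS) {
        uint32_t spi = sent <= PEER_SWITCH_MS ? OLD_SPI : NEW_SPI;
        if (!accepted(sas, 2, spi, sent + LATENCY_MS))
            dropped++;
    }
    return dropped;
}

int main(void)
{
    for (uint32_t grace = 0; grace <= 40; grace += 20)
        printf("grace %2u ms: %d dropped\n", (unsigned)grace, dropped_after_rekey(grace));
    return 0;
}
```

In this model the loss disappears once the grace period exceeds the one-way delay. A deferred deletion also keeps the old inbound keys accepting traffic for that long, so the delay should be bounded.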
