Hello,

When a Child SA is created, each endpoint will create a different SPI for the SA. If I understand correctly, this is called the incoming SPI, i.e. the SPI which would be expected to be seen in an incoming ESP or AH packet. Is this correct?

When deleting a Child SA, should the initiator (of the INFORMATIONAL exchange containing the Delete payload) state the incoming SPI value, the outgoing (that is, the SPI that the other peer assigned to the Child SA), or both? If both are to be sent (this seems to make most sense), when does a peer receive the SPI that the other endpoint set for the Child SA? Would both be sent when creating the SA, in a fashion like it is done when creating the IKE SA?

Regards,
Matt
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
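The Delete payload layout from RFC 7296 section 3.11, as an added example that is not part of the original post: the sender lists the SPIs it expects on inbound ESP/AH packets (RFC 7296 section 1.4.1), and the receiver, which learned those values from the SA payload when the Child SA was negotiated, maps them to its own inbound SPIs for the reply. The SPI values and the `respond_to_delete` helper with its lookup table are constructed for illustration.

```python
import struct

PROTO_AH, PROTO_ESP = 2, 3  # Protocol ID values, RFC 7296 section 3.11
SPI_SIZE = 4                # AH and ESP SPIs are four octets

def build_delete(protocol_id, spis, next_payload=0):
    """Encode a Delete payload: generic header, then Protocol ID, SPI Size, count, SPIs."""
    if protocol_id not in (PROTO_AH, PROTO_ESP):
        raise ValueError("only AH/ESP Delete payloads are handled here")
    body = struct.pack("!BBH", protocol_id, SPI_SIZE, len(spis))
    body += b"".join(struct.pack("!I", spi) for spi in spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_delete(payload):
    """Decode a Delete payload, rejecting truncated or inconsistent input."""
    if len(payload) < 8:
        raise ValueError("truncated Delete payload")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    protocol_id, spi_size, count = struct.unpack("!BBH", payload[4:8])
    if protocol_id not in (PROTO_AH, PROTO_ESP) or spi_size != SPI_SIZE:
        raise ValueError("not an AH/ESP Delete payload")
    if length != len(payload) or length != 8 + spi_size * count:
        raise ValueError("length fields do not match the SPI data")
    return protocol_id, list(struct.unpack(f"!{count}I", payload[8:]))

def respond_to_delete(sa_by_outbound_spi, request):
    """Close the SAs named in the request and build the reply.

    sa_by_outbound_spi (hypothetical table) maps the SPI the peer chose, which
    is our outbound SPI, to the SPI we chose for the paired inbound SA.
    """
    protocol_id, spis = parse_delete(request)
    ours = [sa_by_outbound_spi.pop(s) for s in spis if s in sa_by_outbound_spi]
    return build_delete(protocol_id, ours) if ours else None

if __name__ == "__main__":
    # Constructed SPIs: the initiator chose 0xC0FFEE01, the responder 0x1BADB002.
    responder_table = {0xC0FFEE01: 0x1BADB002}
    request = build_delete(PROTO_ESP, [0xC0FFEE01])  # initiator's inbound SPI
    reply = respond_to_delete(responder_table, request)
    print(request.hex(), "->", parse_delete(reply))
```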
