On Fri, Jan 20, 2012 at 2:18 PM, Prashant Batra (prbatra)
<[email protected]> wrote:
> After initiating a rekey or responding to a rekey,
>
> Is it correct to say, that any request should continue to be sent on old SA
> until you receive a DELETE request or you send a DELETE request
> to delete the rekeyed SA?

Clearly some interlocking here would be nice, otherwise there will be
a race and high likelihood of dropped packets, with ensuing pain at
higher layers.  IMO the CREATE_CHILD_SA reply indicates that the peer
is ready to receive on that SA, but the local node may not be able to
do so until the CREATE_CHILD_SA reply is processed, so the peer should
NOT send on the new SA until it sees a DELETE of the old child SA.

In other words:

 - assume that the responder to a CREATE_CHILD_SA is ready to receive
ESP/AH on the new SA SPI as soon as the responder's CREATE_CHILD_SA
reply is received, and by corollary the initiator can start sending on
the new SA immediately;

 - assume that the initiator of a CREATE_CHILD_SA exchange is NOT
ready to receive ESP/AH on the new SA SPI until the initiator sends a
DELETE payload deleting the old SA SPI, so the responder should NOT
send on the new SA until it gets that DELETE.

Nico
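
Added example (not part of the original message): a small Python model of the interlock described above, compared with a responder that moves its outbound traffic to the new SA as soon as it replies. The `Peer` class, the SA labels and the `naive` flag are hypothetical, and each SA pair is modelled by one label rather than by per-direction SPIs.

```python
class Peer:
    """One end of a child-SA rekey (simplified model, constructed for illustration)."""

    def __init__(self, old="old-sa", new="new-sa"):
        self.old, self.new = old, new
        self.outbound = old       # SA this peer currently sends on
        self.inbound = {old}      # SAs this peer is able to receive on

    def send_reply(self, naive=False):
        # Responder: the new SA is installed for receive before the reply goes out.
        self.inbound.add(self.new)
        if naive:                 # no interlock: also switch outbound at once
            self.outbound = self.new

    def recv_reply(self):
        # Initiator: once the reply is processed it can receive on the new SA,
        # and it may start sending on it immediately.
        self.inbound.add(self.new)
        self.outbound = self.new

    def recv_delete_old(self):
        # Responder: the DELETE of the old SA is the signal that the initiator
        # is ready, so only now does outbound traffic move to the new SA.
        self.outbound = self.new


def dropped(sender, receiver):
    """True if a packet sent now would arrive on an SA the receiver lacks."""
    return sender.outbound not in receiver.inbound


def run(naive=False):
    """Walk the rekey; return (step, direction) pairs where a packet would drop."""
    init, resp = Peer(), Peer()
    steps = [("reply sent", lambda: resp.send_reply(naive)),
             ("reply processed", init.recv_reply),
             ("DELETE processed", resp.recv_delete_old)]
    drops = []
    for name, action in steps:
        action()
        for direction, s, r in (("i->r", init, resp), ("r->i", resp, init)):
            if dropped(s, r):
                drops.append((name, direction))
    return drops


if __name__ == "__main__":
    print("with interlock:", run())
    print("without interlock:", run(naive=True))
```

The model only tracks when the new SA becomes usable in each direction; it does not model removal of the old SA or retransmission of IKE messages.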