On Jan 20, 2012, at 10:49 PM, Nico Williams wrote:

> - assume that the initiator of a CREATE_CHILD_SA exchange is NOT
> ready to receive ESP/AH on the new SA SPI until the initiator sends a
> DELETE payload deleting the old SA SPI, so the responder should NOT
> send on the new SA until it gets that DELETE.

There are enough weird implementations out there that either never send the DELETE or send it after a long time (as much as a minute) that I would not go that far. I think the responder should only send on the new SA after either of the following two things happens:

1. A packet arrives on the new inbound SA
2. Some time has passed (maybe 0.5 second)

You can add reception of the DELETE as a third option if you like, but really nothing bad happens if you send on an SA before the peer was ready. At worst it generates an unknown SPI log on the peer and forces the application or transport layer to retransmit.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
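The switchover rule proposed in the reply, written out as an added example (not code from the list post or from any IKEv2 implementation): the responder keeps transmitting on the old outbound Child SA until the peer is seen sending on the new inbound SPI, a short grace period (0.5 s here) expires, or a DELETE for the old SA arrives, whichever comes first. Old inbound traffic stays accepted until the old SA is actually deleted, and anything on an unrecognised SPI is only logged, matching the "at worst an unknown SPI log" observation. The 0.5 s constant, the SPI values and the `RekeyResponder` class are constructed for illustration; the DELETE matching follows RFC 7296 §1.4.1, where a Delete payload names the SPIs the deleting endpoint expects on its *inbound* packets, i.e. our outbound SPI.

```python
"""Rekey switchover policy for an IKEv2 Child SA responder (illustrative)."""
from dataclasses import dataclass, field
from typing import List

GRACE_SECONDS = 0.5  # the "some time has passed" fallback; constructed value


@dataclass
class ChildSA:
    spi_in: int   # SPI we expect on inbound ESP/AH packets
    spi_out: int  # SPI we place on outbound ESP/AH packets


@dataclass
class RekeyResponder:
    """Tracks old/new Child SA pair after a CREATE_CHILD_SA rekey completes."""
    old: ChildSA
    new: ChildSA
    rekeyed_at: float               # time the rekey exchange completed
    switched: bool = False          # True once outbound traffic uses the new SA
    old_deleted: bool = False       # True once the old SA pair has been torn down
    log: List[str] = field(default_factory=list)

    def outbound_spi(self, now: float) -> int:
        """SPI to put on a packet transmitted at time `now`."""
        if not self.switched and now - self.rekeyed_at >= GRACE_SECONDS:
            self._switch("grace period expired")
        return self.new.spi_out if self.switched else self.old.spi_out

    def on_inbound(self, spi: int) -> bool:
        """Handle an inbound ESP/AH packet; return True if the SPI is known.

        A packet on the new inbound SPI proves the peer is ready, so it is
        the strongest trigger to move our outbound traffic to the new SA.
        """
        if spi == self.new.spi_in:
            if not self.switched:
                self._switch("peer sent on new inbound SA")
            return True
        if spi == self.old.spi_in and not self.old_deleted:
            return True  # keep accepting the old SA until it is deleted
        self.log.append(f"unknown SPI 0x{spi:08x}")  # harmless, just noisy
        return False

    def on_delete(self, spi: int) -> None:
        """Handle a Delete payload from the peer.

        Per RFC 7296 section 1.4.1 the peer lists the SPIs it expects on its
        inbound packets, which are our outbound SPIs. Child SAs are deleted
        as a pair, so the old inbound direction goes away with it.
        """
        if spi == self.old.spi_out:
            self.old_deleted = True
            if not self.switched:
                self._switch("DELETE for old SA received")

    def _switch(self, reason: str) -> None:
        self.switched = True
        self.log.append(f"switch outbound to SPI 0x{self.new.spi_out:08x}: {reason}")


def make_responder(rekeyed_at: float = 100.0) -> RekeyResponder:
    """Responder with constructed SPIs: old pair 0x1111/0x2222, new pair 0x3333/0x4444."""
    return RekeyResponder(ChildSA(0x1111, 0x2222), ChildSA(0x3333, 0x4444), rekeyed_at)


if __name__ == "__main__":
    r = make_responder()
    print(hex(r.outbound_spi(100.1)))   # still old SA: 0x2222
    r.on_inbound(0x3333)                # peer starts using the new SA
    print(hex(r.outbound_spi(100.2)))   # switched: 0x4444
    print(r.log)
```

The three triggers are deliberately independent: the inbound-packet trigger covers well-behaved peers immediately, the timer covers peers that never send the DELETE, and the DELETE trigger is the optional third path the reply mentions.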
