New commits:
commit d1f747cb7026bc531ebb8c1d4ee2355981d66a51
Author: Andrew Cagney <[email protected]>
Date: Thu Dec 6 12:16:33 2018 -0500
ikev2: when searching for a CHILD SA by SPI, only check outbound SPI
The function find_state_ikev2_child_to_delete(), which would try to
match either the outbound(good) or inbound(bad) SPI, is replaced by
find_v2_child_sa_by_outbound_spi().
(The inbound check dates back to when the function was first added.)
Also add the comment:
Find an IKEv2 CHILD SA using the protocol and the (from our POV)
'outbound' SPI.
The remote end, when identifying a CHILD SA in a Delete or REKEY_SA
notification, sends its end's inbound SPI, which from our
point-of-view is the outbound SPI aka 'attrs.spi'.
From 1.3.3. Rekeying Child SAs with the CREATE_CHILD_SA Exchange: The
SA being rekeyed is identified by the SPI field in the [REKEY_SA]
Notify payload; this is the SPI the exchange initiator would expect in
inbound ESP or AH packets.
From 3.11. Delete Payload: [the delete payload will] contain the
IPsec protocol ID of that protocol (2 for AH, 3 for ESP), and the SPI
is the SPI the sending endpoint would expect in inbound ESP or AH
packets.
(Having the fields in state match this terminology would be nice.)
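The direction rule the commit describes, shown as an added example that is not libreswan's code and not part of the commit: a hypothetical, simplified CHILD SA table (the `struct child_sa`, field names, and the three constructed entries are assumptions, not libreswan's `struct state`) with the old either-SPI match beside the outbound-only match. The sample table deliberately gives SA "a" an inbound SPI equal to SA "b"'s outbound SPI, which is legitimate because each end chooses its own inbound SPIs independently; a peer's Delete naming ESP SPI 0x1000 refers to "b", but the either-SPI lookup returns "a" first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified CHILD SA record; libreswan's own state structure is
 * richer and named differently. */
#define PROTO_AH  2   /* IPsec protocol ID for AH, as carried in a Delete payload */
#define PROTO_ESP 3   /* IPsec protocol ID for ESP */

struct child_sa {
	const char *name;
	uint8_t protocol;
	uint32_t inbound_spi;   /* SPI we expect in ESP/AH packets we receive */
	uint32_t outbound_spi;  /* SPI the peer expects inbound, i.e. the one we send */
};

/* Constructed sample table. Each end picks its own inbound SPIs, so 0x1000 can
 * legitimately be our inbound SPI on "a" and our outbound SPI on "b" at once. */
static const struct child_sa sample_table[] = {
	{ "a", PROTO_ESP, 0x1000, 0x2000 },
	{ "b", PROTO_ESP, 0x3000, 0x1000 },
	{ "c", PROTO_AH,  0x1000, 0x4000 },
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Old behaviour: accept a hit on either SPI. Returns the index of the first
 * matching entry, or -1 when nothing matches. */
int find_child_sa_either_spi(const struct child_sa *table, size_t n,
			     uint8_t protocol, uint32_t spi)
{
	for (size_t i = 0; i < n; i++) {
		if (table[i].protocol == protocol &&
		    (table[i].inbound_spi == spi || table[i].outbound_spi == spi)) {
			return (int)i;
		}
	}
	return -1;
}

/* Corrected behaviour: the SPI in a Delete or REKEY_SA notify is the one the
 * sender expects inbound, which from our point of view is the outbound SPI,
 * so only that field is compared. */
int find_child_sa_by_outbound_spi(const struct child_sa *table, size_t n,
				  uint8_t protocol, uint32_t spi)
{
	for (size_t i = 0; i < n; i++) {
		if (table[i].protocol == protocol && table[i].outbound_spi == spi) {
			return (int)i;
		}
	}
	return -1;
}

/* Wrappers over the constructed table so the two lookups can be compared. */
int old_lookup(uint8_t protocol, uint32_t spi)
{
	return find_child_sa_either_spi(sample_table, SAMPLE_TABLE_LEN, protocol, spi);
}

int new_lookup(uint8_t protocol, uint32_t spi)
{
	return find_child_sa_by_outbound_spi(sample_table, SAMPLE_TABLE_LEN, protocol, spi);
}

static void show(const char *what, uint8_t protocol, uint32_t spi)
{
	int o = old_lookup(protocol, spi);
	int n = new_lookup(protocol, spi);
	printf("%s proto=%u spi=0x%04lx: either-SPI -> %s, outbound-only -> %s\n",
	       what, (unsigned)protocol, (unsigned long)spi,
	       o < 0 ? "(none)" : sample_table[o].name,
	       n < 0 ? "(none)" : sample_table[n].name);
}

int main(void)
{
	/* Peer deletes the CHILD SA it knows by its inbound SPI 0x1000: our "b". */
	show("Delete", PROTO_ESP, 0x1000);
	/* Peer rekeys the SA it knows by its inbound SPI 0x2000: our "a". */
	show("REKEY_SA", PROTO_ESP, 0x2000);
	/* No AH SA has outbound SPI 0x1000; the either-SPI match still found "c". */
	show("Delete", PROTO_AH, 0x1000);
	return 0;
}
```

The failure mode is silent: the either-SPI lookup never reports an error, it simply acts on the wrong CHILD SA (or on one the peer did not name at all), so an SA the peer deleted stays installed while an unrelated one is torn down.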
_______________________________________________
Swan-commit mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-commit