On Mon, 5 Apr 2021 at 21:14, Paul Wouters <[email protected]> wrote: > On Mon, 5 Apr 2021, Andrew Cagney wrote: > > > It's simpler. > > > > 1) We realise we want to delete a child sa > > 2) we send the delete > > 3) we delete it > > 4) we get a response, but we cannot find the child sa SPI > > > > > > Yea, that's too aggressive with deleting the incoming channel. I'm > pretty sure the initiator should: > > > > - delete outgoing channel > > - send delete > > on receipt of response > > - delete incoming channel > > - delete child state > > > > otherwise we get the responder sending packets that have nowhere to go > > But then an IKE SA needs to be clearly marked as "may only receive > informational delete confirmation". Eg if the responder sends a > CREATE_CHILD_SA or MOBIKE or something, we need to refuse to process it. > > If it is the IKE SA being deleted, yes. How to correctly implement this part of the IKEv2 RFC makes for an interesting read.
> Currently, we have no way of marking an IKE SA state as such. > > It is technically a gap. But one where the current strategy of fire-n-forget is kind of sort of close enough (one place where it clearly hurts is with re-transmits - no IKE SA means they don't happen)
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
