Yoav Nir writes:

> Section 1.4.1 also says:
>
> "A node MAY refuse to accept incoming data on half-closed
> connections but MUST NOT unilaterally close them and reuse the SPIs."
>
> So if your peer is only responding with empty INFORMATIONAL
> responses to your deletes, you're going to accumulate more and more
> stale inbound SAs.
In which case you follow the text in 1.4.1 which says:

   If connection state becomes sufficiently messed up, a node MAY close
   the IKE SA; doing so will implicitly close all SAs negotiated under
   it. It can then rebuild the SAs it needs on a clean base under a new
   IKE SA. The response to a request that deletes the IKE SA is an
   empty Informational response.

and that will fix the situation with a minimal implementation.

Also, with a minimal implementation you cannot really get more and more stale inbound SAs, as if the implementation is so small that it does not support Delete notifications, it most likely does not support more than one Child SA, i.e. it does not support CREATE_CHILD_SA (it will always reply with NO_ADDITIONAL_SAS to that), thus at most you get one extra SA. And as the other end didn't understand the delete, it is not stale, as it will be a working half-closed SA: it is an outbound SA for you, and if you encrypt data and send it to the minimal implementation it will still decrypt and process that packet. It might even send a reply back to your already closed inbound SA, but you will drop that as you have already deleted that half.

> One of these statements has to go.

Not really.

Note that I would expect all normal versions of IPsec to support both CREATE_CHILD_SA and delete notifications, but we are talking now about the minimal requirements. I.e. if you have your battery-powered garage door opener, which knows IKEv2 just enough to do IKE_SA_INIT (with exactly one set of crypto algorithms) and IKE_AUTH (with preshared key, one set of crypto algorithms and fixed traffic selectors). It only supports this exactly one Child SA, which it uses to send a message saying "Open or Close the garage door", and after 30 seconds, if no more buttons are pressed, it will shut down. As it does not support CREATE_CHILD_SA or INFORMATIONAL in any other way than sending NO_ADDITIONAL_SAS or an empty reply back, it does not know how to process delete payloads at all.

It does not even know how to delete the IKE SA, but that does not matter as it automatically goes away when it turns itself off. It expects that your home area network server, which acted as responder to its IPsec connection, is smart enough to start DPD later, and when the garage door opener does not reply it will also delete the IKE SA from the server side. These kinds of minimal implementations are not meant to be used in normal operations.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
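The half-closed state discussed in the message, as an added example that is not code from the post or from any IKEv2 implementation: a toy Python model of Child SA deletion per RFC 7296 sections 1.4.1 and 3.11, contrasting a full responder that echoes the Delete with a minimal responder that only returns an empty INFORMATIONAL response, and showing how closing the IKE SA clears the half-closed SA. SPI values and class names are constructed for illustration.

```python
# Added example, not code from the post or from any IKEv2 implementation: a toy
# model of Child SA deletion (RFC 7296 sections 1.4.1 and 3.11); SPIs constructed.

class FullResponder:
    """Responder that understands Delete: it drops the pair and echoes its own
    inbound SPI in the response, so both sides end up fully closed."""
    def __init__(self, pairs):               # {its_inbound_spi: its_outbound_spi}
        self.pairs = dict(pairs)
    def informational(self, delete_spis):
        echoed = []
        for own_in, own_out in list(self.pairs.items()):
            if own_out in delete_spis:       # peer closed the SA we send on
                del self.pairs[own_in]
                echoed.append(own_in)
        return echoed

class MinimalResponder:
    """Garage-door-style peer: no Delete support, so every INFORMATIONAL
    request just gets an empty response and its one Child SA stays up."""
    def __init__(self, pairs):
        self.pairs = dict(pairs)
    def informational(self, delete_spis):
        return []

class Initiator:
    """Tracks each Child SA as an inbound half and an outbound half. A Delete
    payload lists the sender's own inbound SPIs (section 3.11)."""
    def __init__(self, peer, pairs):         # {my_inbound_spi: my_outbound_spi}
        self.peer = peer
        self.inbound = dict(pairs)
        self.outbound = set(pairs.values())
    def delete_child(self, my_in):
        my_out = self.inbound.pop(my_in)     # stop accepting once the Delete is sent
        resp = self.peer.informational([my_in])
        if my_out in resp:                   # peer deleted its half as well
            self.outbound.discard(my_out)
        return self.half_closed()
    def half_closed(self):
        # Outbound halves whose inbound partner is gone: still usable for
        # sending (the peer decrypts fine) but the SPI MUST NOT be reused.
        return sorted(self.outbound - set(self.inbound.values()))
    def close_ike_sa(self):
        # Deleting the IKE SA implicitly closes every Child SA under it.
        self.inbound.clear()
        self.outbound.clear()
        return self.half_closed()
```

Against the full responder `delete_child` leaves no half-closed SA; against the minimal one the outbound half lingers until `close_ike_sa` wipes it.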