Yoav Nir writes:
> I would actually rather remove the "MUST NOT unilaterally close
> them" and replace it with "may unilaterally close them".

You MAY close the IKE SA and that will take care of the SAs. You MUST
NOT unilaterally close them.

> But wait, there's something weird here.
> 
> From the PoV of any implementation, the SA pair is one inbound SA and
> one outbound SA. When you send a DELETE, you send it for the INBOUND
> SA. So I was wrong - it's outbound SAs that you accumulate. If the
> peer does not close the other end, you are left with a half-closed SA
> - just an outbound SA. Surely closing that is easy - you just don't
> use it any more, so you might as well delete it from your database -
> no leak on your end, and the minimal implementation should take care
> of itself.

In your example case that is true, but note that this paragraph is not
restricted to inbound SAs.

The paragraph starts with "Half-closed ESP or AH connections are
anomalous ..." which talks about half-closed SAs in general.

This means you can also have half-closed outbound SAs, i.e., the one
where the other end sent a delete notification, but for which you
decided not to send a delete reply back.

> So what's this text about "MAY refuse to accept incoming data"?

I.e., if you have received a delete notification for your outbound SA,
but you decided not to send a delete notification back for your
inbound SA (let's say there was some failure which meant you could not
do it), then that means you can refuse incoming packets on that SA, as
it is already in a half-closed state. When your failure situation is
resolved (let's say your crypto hardware board got stuck, and you
needed to wait for your watchdog timer to reset it after 10 seconds),
then you will notice you have half-closed SAs, and you start clearing
the situation by either sending your end of the delete notification or
by noticing that things are really messed up, and deleting the whole
IKE SA and starting over.

> There is no incoming data unless your peer misunderstood your DELETE
> payload. An INVALID_SPI notification might set them straight.

Depends on which party you are. For half-closed SAs, one end has a
half-closed SA where they have only the inbound SA, and the other
party has only the outbound SA.

I do not think there is any need to change any of those locations.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
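The Delete exchange and the two half-closed states argued over in this thread, as an added example that is not part of the original message and not code from any IKE implementation. The class and function names (Peer, ChildSA, run_scenario) are invented for illustration, and IKEv2 is simplified to the points under discussion: a Delete payload names the sender's inbound SPIs, the responder's reply carries the matching Delete for its own inbound half, and the "crypto board got stuck" failure is modelled as a flag that stops the responder from sending its reply.

```python
"""Toy model of the IKEv2 Delete exchange for one Child SA pair, showing how
half-closed SAs arise on each side. Added example; names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChildSA:
    spi: int            # SPI chosen by the receiver of the traffic
    peer_spi: int       # SPI of the other half of the pair
    half_closed: bool = False  # peer deleted its half, we could not answer yet


class Peer:
    """Minimal SA database of one IPsec endpoint (hypothetical)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.inbound: Dict[int, ChildSA] = {}   # keyed by our own SPI
        self.outbound: Dict[int, ChildSA] = {}  # keyed by the peer's SPI
        self.ike_sa_up = True
        self.can_send = True  # False models a stuck crypto board: no IKE message leaves

    def install_pair(self, my_spi: int, peer_spi: int) -> None:
        self.inbound[my_spi] = ChildSA(my_spi, peer_spi)
        self.outbound[peer_spi] = ChildSA(peer_spi, my_spi)

    def send_delete(self, my_spi: int) -> int:
        """Start closing a pair: drop our INBOUND SA and return its SPI for the
        Delete payload. Our OUTBOUND half stays until the peer's reply arrives."""
        del self.inbound[my_spi]
        return my_spi

    def receive_delete(self, peer_spi: int, is_reply: bool = False) -> Optional[int]:
        """The peer deleted its inbound SA, i.e. our OUTBOUND SA: drop it. For a
        request we also close our inbound half and return its SPI for the reply;
        if we cannot send, keep that inbound SA but mark it half-closed."""
        sa = self.outbound.pop(peer_spi, None)
        if sa is None or is_reply:
            return None
        mine = self.inbound[sa.peer_spi]
        if self.can_send:
            del self.inbound[mine.spi]
            return mine.spi
        mine.half_closed = True
        return None

    def receive_esp(self, spi: int) -> str:
        """Decision for an incoming ESP packet carrying `spi`."""
        sa = self.inbound.get(spi)
        if sa is None:
            return "INVALID_SPI"   # unknown SPI: the peer misread our Delete
        if sa.half_closed:
            return "REFUSED"       # the "MAY refuse to accept incoming data" case
        return "ACCEPTED"

    def purge_half_closed_outbound(self) -> List[int]:
        """Outbound SAs whose inbound partner is gone (peer never replied):
        nothing will ever be sent on them, so just drop them from the SAD."""
        stale = sorted(spi for spi, sa in self.outbound.items()
                       if sa.peer_spi not in self.inbound)
        for spi in stale:
            del self.outbound[spi]
        return stale

    def recover(self, max_half_closed: int = 4) -> List[int]:
        """Watchdog reset: send the Deletes we still owe, or, if too much is
        broken, tear down the whole IKE SA (taking every Child SA with it)."""
        self.can_send = True
        owed = sorted(spi for spi, sa in self.inbound.items() if sa.half_closed)
        if len(owed) > max_half_closed:
            self.ike_sa_up = False
            self.inbound.clear()
            self.outbound.clear()
            return []
        for spi in owed:
            del self.inbound[spi]
        return owed


def run_scenario(responder_stuck: bool) -> dict:
    """Alice closes the pair (Alice inbound 0x1001 / Bob inbound 0x2001)."""
    alice, bob = Peer("alice"), Peer("bob")
    alice.install_pair(0x1001, 0x2001)
    bob.install_pair(0x2001, 0x1001)
    bob.can_send = not responder_stuck

    # Alice -> Bob: INFORMATIONAL { Delete(SPI=0x1001) }
    reply_spi = bob.receive_delete(alice.send_delete(0x1001))
    # Bob -> Alice: reply { Delete(SPI=0x2001) }, unless Bob could not send it
    if reply_spi is not None:
        alice.receive_delete(reply_spi, is_reply=True)

    return {
        "bob_on_esp_to_old_spi": bob.receive_esp(0x2001),
        "alice_on_stray_esp": alice.receive_esp(0x1001),
        "alice_purged_outbound": alice.purge_half_closed_outbound(),
        "bob_deletes_after_watchdog": bob.recover(),
        "bob_ike_sa_up": bob.ike_sa_up,
    }
```

With `responder_stuck=False` both halves are gone on both sides and any late ESP packet draws INVALID_SPI. With `responder_stuck=True` Bob keeps a half-closed inbound SA and refuses traffic on it until the watchdog lets him send the Delete he owes, while Alice is left holding only an outbound SA that she can simply drop; `recover()` also shows the other way out, tearing down the IKE SA when too many SAs are stranded.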
