On Tue, 2 Aug 2005, Patrick McHardy wrote:

> Krzysztof Oledzki wrote:
>
>> On Mon, 1 Aug 2005, Herbert Xu wrote:
>>
>>> On Mon, Aug 01, 2005 at 05:46:26AM +0200, Krzysztof Oledzki wrote:
>>>
>>>> Any new patches to test? ;)
>>>
>>> As I said in an earlier message, you should patch racoon to delete
>>> the old *outbound* SA when the new SA has been negotiated.
>>
>> Did not receive this one, sorry :(. However, the same question was asked
>> of the racoon developers and the answer was that it is the kernel's job. They
>> even pointed out that the KAME IPsec stack can be tuned to (or not to) prefer
>> the old SA.
>
> The kernel's job is to use a valid SA.

Again... RFC 2408 says: "A protocol implementation SHOULD begin using the newly created SA for outbound traffic and SHOULD continue to support incoming traffic on the old SA until it is deleted or until traffic is received under the protection of the newly created SA." - Section 4.3.

> In this case both are valid and the peer is buggy.

The problem is the word SHOULD and IMHO both Linux and the peer are buggy.

> So I think the suggestion to work around this in the keying daemons is not unreasonable.

There is no need to work around this on *BSD (KAME stack) and the keying daemon is exactly the same for both Linux and *BSD.


Best regards,

                        Krzysztof Olędzki
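To make the disagreement in this thread concrete, here is an added toy model (not code from the thread, racoon, KAME or the Linux kernel) of the rekeying race: the sender picks its outbound SA by policy (newest first, as RFC 2408 section 4.3 says it SHOULD, or oldest first), while the peer either keeps accepting the old inbound SA or deletes it as soon as the new one is negotiated. SPIs, lifetimes and packet counts are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class Sa:
    spi: int
    remaining: int  # toy lifetime, counted in packets


@dataclass
class Sender:
    """Outbound SAD of the sending host; both SAs are 'valid' after a rekey."""
    sad: list = field(default_factory=list)  # oldest first
    prefer_new: bool = True  # RFC 2408 4.3: SHOULD use the newly created SA

    def pick(self):
        """Return the SPI used for the next packet, or None if no SA is left."""
        self.sad = [sa for sa in self.sad if sa.remaining > 0]  # expire
        if not self.sad:
            return None
        sa = self.sad[-1] if self.prefer_new else self.sad[0]
        sa.remaining -= 1
        return sa.spi


def simulate(sender_prefers_new, peer_deletes_old_on_rekey,
             racoon_workaround=False, old_sa_remaining=3, packets=6):
    """Rekey from SPI 0x1001 to 0x1002 (constructed), send `packets`,
    return how many the peer drops because it has no SA for the SPI."""
    sender = Sender([Sa(0x1001, old_sa_remaining)], sender_prefers_new)
    peer_accepts = {0x1001}  # inbound SAD of the peer

    # --- rekey: both sides install the new pair ---
    sender.sad.append(Sa(0x1002, 1000))
    peer_accepts.add(0x1002)
    if peer_deletes_old_on_rekey:
        # Peer discards the old SA at once instead of keeping it until
        # traffic arrives on the new one (RFC 2408 4.3 receiver behaviour)
        peer_accepts.discard(0x1001)
    if racoon_workaround:
        # Keying daemon deletes the old *outbound* SA once the new one exists
        sender.sad = [sa for sa in sender.sad if sa.spi != 0x1001]

    dropped = 0
    for _ in range(packets):
        if sender.pick() not in peer_accepts:
            dropped += 1
    return dropped
```

With an oldest-first sender and a peer that drops the old SA at rekey, traffic is lost until the old SA's remaining lifetime runs out; either the newest-first policy or the daemon-side deletion closes that window.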