Hi,

In the current implementation of the ikev2 plugin, it seems to keep the old 
inbound IPsec SA for a while after rekeying is done, and this old IPsec SA 
seems to be deleted by the manager process later.
But it is not deleted and remains forever if a rekeying request comes again 
before it is deleted, because 2 or more older IDs for the IPsec SA are not 
managed in the current implementation.
Probably this is a corner case, but it is possible in the IKEv2 protocol.
So I believe such a rekeying request should not be accepted and a 
TEMPORARY_FAILURE notification should be sent back to let the peer retry later.
Could you please review a patch [0] that implements the behavior described above?

[0] https://gerrit.fd.io/r/c/vpp/+/36822

--
Best regards,
Atzm WATANABE
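As an added illustration (constructed for this thread, not the ikev2 plugin's code nor the patch at [0]), a small C model of the single old-SA slot described above: `child_sa_t`, `sa_table`, `rekey_unconditional`, `rekey_guarded` and `manager_cleanup` are all assumed names. It shows that when a second rekey lands before the manager process has deleted the old SA, overwriting the slot leaks that SA, while answering TEMPORARY_FAILURE leaves nothing unreferenced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the bookkeeping described in the mail: one slot for the
 * current inbound SA id, one for the old id the manager deletes later.
 * Illustration only, not the ikev2 plugin's own data structures. */
#define SA_ID_NONE 0u
#define MAX_SAS 8u
typedef struct {
  uint32_t cur_sa_id;  /* active inbound IPsec SA */
  uint32_t old_sa_id;  /* previous SA, awaiting deletion by the manager */
  uint32_t next_sa_id; /* constructed id allocator; id 0 is reserved */
} child_sa_t;
typedef enum { REKEY_OK = 0, REKEY_TEMPORARY_FAILURE = 1 } rekey_result_t;
static bool sa_table[MAX_SAS]; /* constructed SA store: true = allocated */
static uint32_t sa_alloc(child_sa_t *c) { /* install a fresh inbound SA */
  sa_table[c->next_sa_id] = true;
  return c->next_sa_id++;
}
/* Current behaviour: cur moves to old unconditionally. If old still holds an
 * undeleted SA, its id is overwritten and that SA is never freed. */
rekey_result_t rekey_unconditional(child_sa_t *c) {
  c->old_sa_id = c->cur_sa_id;
  c->cur_sa_id = sa_alloc(c);
  return REKEY_OK;
}
/* Proposed behaviour: answer TEMPORARY_FAILURE while an old SA is still
 * pending, so the peer retries after the manager has run. */
rekey_result_t rekey_guarded(child_sa_t *c) {
  if (c->old_sa_id != SA_ID_NONE) return REKEY_TEMPORARY_FAILURE;
  return rekey_unconditional(c);
}
void manager_cleanup(child_sa_t *c) { /* manager process: delete old SA */
  if (c->old_sa_id != SA_ID_NONE) sa_table[c->old_sa_id] = false;
  c->old_sa_id = SA_ID_NONE;
}
/* Scenario from the mail: a second rekey arrives before the manager runs.
 * Returns how many SAs stay allocated but are referenced by neither slot. */
int leaked_after_double_rekey(bool guarded) {
  child_sa_t c = {0, 0, 1};
  memset(sa_table, 0, sizeof sa_table);
  c.cur_sa_id = sa_alloc(&c);
  rekey_unconditional(&c);
  if (guarded) rekey_guarded(&c); else rekey_unconditional(&c);
  manager_cleanup(&c);
  int leaked = 0;
  for (uint32_t id = 1; id < MAX_SAS; id++)
    if (sa_table[id] && id != c.cur_sa_id && id != c.old_sa_id) leaked++;
  return leaked;
}
```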