[strongSwan] NO_ADDITIONAL_SAS on RFC5996
Martin Willi
martin at strongswan.org
Thu Feb 28 17:45:35 CET 2013
Hi,
> If the responder rejects the CREATE_CHILD_SA request with a
> NO_ADDITIONAL_SAS notification, the implementation MUST be capable of
> instead deleting the old SA and creating a new one.
I'd say strongSwan is capable of doing that. But instead of just closing
and recreating the CHILD_SA, we recreate the IKE_SA, too.
I think there is one good reason to reject CHILD_SA rekeyings with
NO_ADDITIONAL_SAS: If the implementation is very minimalistic and does
not want to support this scenario. But if this is the case, to me it is
very reasonable to assume that it doesn't support closing and recreating
the CHILD_SA: it is almost the same exchange.
So instead of trying to close and recreate the CHILD_SA after such a
failure (which is likely to fail, too), we just recreate the IKE_SA
(which should work).
Regards
Martin
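The two fallback strategies discussed above, modelled as an added example (this is illustration code, not strongSwan's implementation). A hypothetical minimal responder always answers CREATE_CHILD_SA rekeys with NO_ADDITIONAL_SAS; whether it accepts a non-rekey CREATE_CHILD_SA is a switch, so the same run shows why deleting and recreating the CHILD_SA can leave the initiator with no CHILD_SA while recreating the IKE_SA (IKE_SA_INIT/IKE_AUTH, which carry the first CHILD_SA) works either way. Messages are reduced to their exchange type plus the fields that drive the decision, and SPIs are simple counters; all class and function names are assumptions.

```python
"""Model of the IKEv2 CHILD_SA rekey fallback after NO_ADDITIONAL_SAS.

Added example, not strongSwan code. Message contents are reduced to the
exchange type plus the fields that drive the decision; SPIs are counters.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Notify message type from RFC 5996 section 3.10.1
NO_ADDITIONAL_SAS = 35


@dataclass
class IkeSA:
    ike_spi: int
    child_spi: Optional[int]  # None means the IKE_SA carries no CHILD_SA


class Responder:
    """Hypothetical minimal peer.

    It always completes IKE_SA_INIT / IKE_AUTH (which sets up the first
    CHILD_SA) and INFORMATIONAL. CREATE_CHILD_SA rekeys are always refused
    with NO_ADDITIONAL_SAS; a non-rekey CREATE_CHILD_SA is accepted only
    when supports_new_child is True.
    """

    def __init__(self, supports_new_child):
        self.supports_new_child = supports_new_child
        self._spi = count(1)
        self.log = []  # exchange types seen, for inspection

    def handle(self, msg):
        ex = msg["exchange"]
        self.log.append(ex)
        if ex == "IKE_SA_INIT":
            return {"ok": True, "ike_spi": next(self._spi)}
        if ex == "IKE_AUTH":
            return {"ok": True, "child_spi": next(self._spi)}
        if ex == "INFORMATIONAL":
            return {"ok": True}
        if ex == "CREATE_CHILD_SA":
            if msg.get("rekey") is None and self.supports_new_child:
                return {"ok": True, "child_spi": next(self._spi)}
            return {"ok": False, "notify": NO_ADDITIONAL_SAS}
        raise ValueError("unknown exchange %r" % ex)


class Initiator:
    def __init__(self, peer):
        self.peer = peer
        self.ike = None

    def establish_ike_sa(self):
        """Initial exchanges: IKE_SA_INIT then IKE_AUTH, the latter piggybacks a CHILD_SA."""
        init = self.peer.handle({"exchange": "IKE_SA_INIT"})
        auth = self.peer.handle({"exchange": "IKE_AUTH"})
        self.ike = IkeSA(init["ike_spi"], auth["child_spi"])

    def rekey_child(self, strategy):
        """Attempt a CREATE_CHILD_SA rekey; on NO_ADDITIONAL_SAS fall back by
        `strategy`: 'recreate_child' (delete and recreate the CHILD_SA, as the
        RFC text suggests) or 'recreate_ike' (tear down and rebuild the IKE_SA)."""
        resp = self.peer.handle({"exchange": "CREATE_CHILD_SA", "rekey": self.ike.child_spi})
        if resp["ok"]:
            self.ike.child_spi = resp["child_spi"]
            return "rekeyed"
        if resp["notify"] != NO_ADDITIONAL_SAS:
            raise RuntimeError("unexpected notify %r" % resp)
        if strategy == "recreate_child":
            # Delete the old CHILD_SA, then request a fresh one on the same IKE_SA.
            self.peer.handle({"exchange": "INFORMATIONAL", "delete": self.ike.child_spi})
            self.ike.child_spi = None
            resp = self.peer.handle({"exchange": "CREATE_CHILD_SA"})
            if not resp["ok"]:
                return "child_lost"  # IKE_SA remains, but without any CHILD_SA
            self.ike.child_spi = resp["child_spi"]
            return "child_recreated"
        if strategy == "recreate_ike":
            # Delete the whole IKE_SA and redo the initial exchanges, which
            # set up a new CHILD_SA without needing CREATE_CHILD_SA at all.
            self.peer.handle({"exchange": "INFORMATIONAL", "delete_ike": self.ike.ike_spi})
            self.establish_ike_sa()
            return "ike_recreated"
        raise ValueError("unknown strategy %r" % strategy)


def run(strategy, supports_new_child):
    """Return (outcome, initiator still has a CHILD_SA, exchanges the peer saw)."""
    peer = Responder(supports_new_child)
    ini = Initiator(peer)
    ini.establish_ike_sa()
    outcome = ini.rekey_child(strategy)
    return outcome, ini.ike.child_spi is not None, peer.log


if __name__ == "__main__":
    for strategy in ("recreate_child", "recreate_ike"):
        for capable in (True, False):
            print(strategy, "peer supports new CHILD_SA:", capable, "->", run(strategy, capable)[:2])
```

With the switch off, 'recreate_child' ends with the peer still answering NO_ADDITIONAL_SAS to the second CREATE_CHILD_SA, so the initiator is left holding an IKE_SA with no CHILD_SA; 'recreate_ike' never sends a second CREATE_CHILD_SA and succeeds against both peers.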