[strongSwan] NO_ADDITIONAL_SAS on RFC5996

Martin Willi martin at strongswan.org
Fri Mar 1 09:20:08 CET 2013


> Suppose If the IKE has multiple CHILD_SA's (one IKE, under that multiple
> CHILD_SA's) , deleting & creating of the IKE (deleting all CHILD_SA's
> too) as affect the traffic on other CHILD_SA's too. In that case how to
> handle that situation.

As said, if an implementation can handle multiple CHILD_SAs, I don't see
why it should not support CHILD_SA rekeying. This is also implied in the
text in RFC 5996:

>    The responder sends a NO_ADDITIONAL_SAS notification to indicate that
>    a CREATE_CHILD_SA request is unacceptable because the responder is
>    unwilling to accept any more Child SAs on this IKE SA.  This
>    notification can also be used to reject IKE SA rekey.  Some minimal
>    implementations may only accept a single Child SA setup in the
>    context of an initial IKE exchange and reject any subsequent attempts
>    to add more.

Usually if an implementation sends NO_ADDITIONAL_SAs, it either does not
want to have more CHILD_SAs on a single IKE_SA, or it does not support
the creation and rekeying of CHILD_SAs outside of IKE_AUTH.

Of course our behavior could be changed, but I really see no reason why
we should do so.


More information about the Users mailing list