[strongSwan] NO_ADDITIONAL_SAS on RFC5996
martin at strongswan.org
Fri Mar 1 09:20:08 CET 2013
> Suppose If the IKE has multiple CHILD_SA's (one IKE, under that multiple
> CHILD_SA's) , deleting & creating of the IKE (deleting all CHILD_SA's
> too) as affect the traffic on other CHILD_SA's too. In that case how to
> handle that situation.
As said, if an implementation can handle multiple CHILD_SAs, I don't see
why it should not support CHILD_SA rekeying. This is also implied in the
text in RFC 5996:
> The responder sends a NO_ADDITIONAL_SAS notification to indicate that
> a CREATE_CHILD_SA request is unacceptable because the responder is
> unwilling to accept any more Child SAs on this IKE SA. This
> notification can also be used to reject IKE SA rekey. Some minimal
> implementations may only accept a single Child SA setup in the
> context of an initial IKE exchange and reject any subsequent attempts
> to add more.
Usually if an implementation sends NO_ADDITIONAL_SAs, it either does not
want to have more CHILD_SAs on a single IKE_SA, or it does not support
the creation and rekeying of CHILD_SAs outside of IKE_AUTH.
Of course our behavior could be changed, but I really see no reason why
we should do so.
More information about the Users