[IPsec] Question about deleting a half-open child SA
Keith Welter writes:
> Suppose the initiator sends an SA payload that contains both an AH and ESP
> proposal. Before receiving the response, the initiator decides to close
> the half-open child SA. I assume that the informational request should
> include two delete payloads, one for AH and one for ESP. Is that correct?
There is no really working method to delete the SA until it is
created, i.e. you cannot delete half-open SAs. Even if you send delete
notifications, it might be possible that the responder has not yet
seen the SA creation packet, thus the delete SA would refer to unknown
SPIs, and the responder would reply with an error to both of them.
The best is simply to wait for the SA negotiation to finish and delete it
after that. This is anyway required if the other end only supports a
window size of 1, as you cannot send a delete notification before you
get the reply back to your Create Child SA exchange.
> Related to that question, I don't see a requirement that all proposals in
> an SA payload have the same SPI. So, in this example, it would be
> permissible for the AH and ESP proposals to have different SPIs. Is that
> correct?
Yes. The SPIs do not need to be the same. There might be, for example,
some implementation which could even allocate the SPIs for different
protocols from different ranges.
--
kivinen at safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
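An added illustration, not part of this thread or of any IKEv2 implementation: a small Python encoder for the structures the question and the reply touch on. It builds an SA payload whose AH and ESP proposals carry different SPIs (each Proposal substructure has its own SPI field, RFC 7296 3.3.1), emits one Delete payload per protocol (a Delete payload names a single Protocol ID, RFC 7296 3.11), and models a window-size-1 initiator that cannot send the INFORMATIONAL delete while its CREATE_CHILD_SA request is still unanswered, so it defers the delete until the response arrives and then deletes only the proposal the responder actually accepted. The `Initiator` class, the `demo()` helper and the SPI values are constructed for this example; the transform IDs are attribute-free entries from the IANA registry chosen only to keep the encoding short.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constants from RFC 7296 (sections 3.2, 3.3.1, 3.3.2, 3.11).
PROTO_AH, PROTO_ESP = 2, 3
PAYLOAD_DELETE, NO_NEXT_PAYLOAD = 42, 0
TYPE_ENCR, TYPE_INTEG, TYPE_ESN = 1, 3, 5


@dataclass
class Proposal:
    number: int                         # Proposal Num; alternatives get distinct numbers
    protocol: int                       # 2 = AH, 3 = ESP
    spi: bytes                          # 4-octet inbound SPI chosen by the sender of this proposal
    transforms: List[Tuple[int, int]]   # (Transform Type, Transform ID), attribute-free


def encode_proposal(p: Proposal, last: bool) -> bytes:
    """Proposal Substructure: header, then this proposal's own SPI, then its transforms."""
    trs = b"".join(
        struct.pack("!BBHBBH", 0 if i == len(p.transforms) - 1 else 3, 0, 8, ttype, 0, tid)
        for i, (ttype, tid) in enumerate(p.transforms))
    length = 8 + len(p.spi) + len(trs)
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, length,
                      p.number, p.protocol, len(p.spi), len(p.transforms))
    return hdr + p.spi + trs


def encode_sa_payload(proposals: List[Proposal], next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    """SA payload = generic payload header + proposal substructures."""
    body = b"".join(encode_proposal(p, i == len(proposals) - 1) for i, p in enumerate(proposals))
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def proposal_spis(sa_payload: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the SA payload and return (Proposal Num, Protocol ID, SPI) for each proposal."""
    _, _, plen = struct.unpack("!BBH", sa_payload[:4])
    off, out = 4, []
    while off < plen:
        last, _, length, num, proto, spi_size, _ = struct.unpack("!BBHBBBB", sa_payload[off:off + 8])
        out.append((num, proto, sa_payload[off + 8:off + 8 + spi_size]))
        off += length
        if last == 0:
            break
    return out


def encode_delete_payloads(sas: List[Tuple[int, bytes]]) -> List[bytes]:
    """Delete payloads for (protocol, spi) pairs. One payload per protocol, because a
    Delete payload carries a single Protocol ID; AH and ESP SPIs never share one."""
    by_proto: Dict[int, List[bytes]] = {}
    for proto, spi in sas:
        by_proto.setdefault(proto, []).append(spi)
    items = sorted(by_proto.items())
    out = []
    for i, (proto, spis) in enumerate(items):
        nxt = NO_NEXT_PAYLOAD if i == len(items) - 1 else PAYLOAD_DELETE
        body = struct.pack("!BBH", proto, len(spis[0]), len(spis)) + b"".join(spis)
        out.append(struct.pack("!BBH", nxt, 0, 4 + len(body)) + body)
    return out


class Initiator:
    """Hypothetical initiator with window size 1: one request in flight at a time."""

    def __init__(self) -> None:
        self.outstanding: Optional[List[Proposal]] = None
        self.delete_wanted = False
        self.sent: List[Tuple[str, bytes]] = []

    def create_child_sa(self, proposals: List[Proposal]) -> None:
        assert self.outstanding is None, "window size 1: previous request still unanswered"
        self.outstanding = proposals
        self.sent.append(("CREATE_CHILD_SA", encode_sa_payload(proposals)))

    def close_child_sa(self) -> str:
        # A half-open SA cannot be deleted yet: the peer may not have processed the
        # CREATE_CHILD_SA and the window is full anyway, so only record the intent.
        if self.outstanding is not None:
            self.delete_wanted = True
            return "deferred"
        return "nothing-to-do"

    def create_child_sa_response(self, chosen: Proposal) -> Optional[bytes]:
        """Peer accepted `chosen`; the SA now exists, so the deferred delete can go out.
        The SPI in the Delete is the initiator's own inbound SPI from that proposal."""
        self.outstanding = None
        if not self.delete_wanted:
            return None
        self.delete_wanted = False
        payload = encode_delete_payloads([(chosen.protocol, chosen.spi)])[0]
        self.sent.append(("INFORMATIONAL", payload))
        return payload


def demo() -> Tuple[List[Tuple[int, int, bytes]], str, bytes]:
    # Constructed SPIs: an AH and an ESP proposal in one SA payload, with different SPIs.
    ah = Proposal(1, PROTO_AH, bytes.fromhex("0a0b0c0d"), [(TYPE_INTEG, 2), (TYPE_ESN, 0)])
    esp = Proposal(2, PROTO_ESP, bytes.fromhex("c0ffee01"),
                   [(TYPE_ENCR, 3), (TYPE_INTEG, 2), (TYPE_ESN, 0)])
    init = Initiator()
    init.create_child_sa([ah, esp])
    spis = proposal_spis(init.sent[0][1])
    verdict = init.close_child_sa()                 # "deferred": request still outstanding
    delete = init.create_child_sa_response(esp)     # responder picked the ESP proposal
    return spis, verdict, delete
```

`demo()` returns the per-proposal SPIs parsed back out of the SA payload (two different values, one per protocol), the verdict "deferred" for the close attempt made while the CREATE_CHILD_SA is in flight, and the single ESP Delete payload sent once the response names the accepted proposal. `encode_delete_payloads` with both an AH and an ESP entry yields two chained Delete payloads, which is the shape the original question asked about.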