Doubt regarding key_do_allocsa_policy in ipsec path

VANHULLEBUS Yvan vanhu at FreeBSD.org
Thu Nov 3 13:27:46 UTC 2011


On Thu, Nov 03, 2011 at 11:46:41AM +0530, Reji Thomas wrote:
> Hi,

Hi.


> The key_do_allocsa_policy searches and deletes the non-preferred SAs if
> there are multiple SAs that match the search parameters. I see that if
> there are multiple SAs of the same parameters established between end points,
> this ends up in deletion of all "outbound SAs" but the preferred SA.

Yes.


> Since
> the deletion occurs only on the outbound SA, this ends up in a scenario
> where the corresponding inbound IPsec SAs get unpaired and not cleaned up,
> particularly when the IKE daemon doesn't send a delete notification of the SA to
> the other peer (racoon2 IKEv1 doesn't seem to do this).

Yep, some peers may generate that situation.


> In such a scenario, what should be the proper thing to do?

Nothing :-)
To be more exact: just wait until the lifetime of the old SA
expires.....



> 1. Make sure that a delete notification is sent by the iked so that the
> peers can clean up the unpaired SA.

You can make sure you sent a DELETE_SA, but you can't be sure the peer
received it and correctly handled it.

And if you're talking about sending a DELETE_SA for your inbound
SA..... yes, you could do that, but why?
And what will you do if your peer doesn't get/handle the DELETE_SA and
continues using the old SA for its outgoing packets?


> 2. Since IPsec SAs are always paired, should we delete the unpaired SA in
> the kernel at the same time?

In the real world, almost all SAs are "paired" when you negotiate
them.

But you can't just consider SAs will always be paired.

For example, if you have "use_oldsa == 0" and your peer has
"use_oldsa == 1" (or whatever else which will generate a similar
result), you're right when you decide to delete your outbound SA,
because you are sure that you won't use it again, but your peer will
still use its old outbound SA, which is your old inbound SA.



The only situation I see where this may become a real issue is if you
start negotiating with no lifetime, but only lifebyte.... just forget
that kind of situation, it will lead you to other issues!



Yvan.
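The situation discussed in the thread, as an added toy model that is not FreeBSD kernel code and not part of the original message: a tiny security association database where allocating an outbound SA keeps only the preferred one (oldest when use_oldsa is set, newest otherwise) and deletes the other matching outbound SAs, while inbound SAs are left alone. The SPIs, clock values, selector and the `scenario` helper are constructed; the model only reproduces the behaviour the thread describes, including the lifetime-versus-lifebyte-only difference that decides whether an orphaned inbound SA is ever reaped.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SA:
    spi: int
    direction: str            # "in" or "out"
    partner_spi: int          # SPI of the SA negotiated in the same exchange (constructed pairing)
    created: int              # creation time in seconds on a constructed clock
    lifetime: Optional[int]   # hard lifetime in seconds; None if negotiated with lifebyte only
    lifebyte: Optional[int]   # byte limit; None if none was negotiated
    bytes_used: int = 0


class SAD:
    """Minimal SAD for one peer pair and one selector (toy model, not the kernel's)."""

    def __init__(self, use_oldsa: bool):
        self.use_oldsa = use_oldsa
        self.sas: dict[int, SA] = {}

    def negotiate_pair(self, in_spi, out_spi, now, lifetime=None, lifebyte=None):
        # One IKE exchange installs an inbound and an outbound SA together.
        self.sas[in_spi] = SA(in_spi, "in", out_spi, now, lifetime, lifebyte)
        self.sas[out_spi] = SA(out_spi, "out", in_spi, now, lifetime, lifebyte)

    def alloc_outbound(self) -> Optional[SA]:
        """Model of the key_do_allocsa_policy behaviour described in the thread:
        pick the preferred outbound SA among those matching the selector and
        delete the non-preferred outbound SAs; inbound SAs are not touched."""
        outbound = [sa for sa in self.sas.values() if sa.direction == "out"]
        if not outbound:
            return None
        pick = min if self.use_oldsa else max
        preferred = pick(outbound, key=lambda sa: sa.created)
        for sa in outbound:
            if sa.spi != preferred.spi:
                del self.sas[sa.spi]
        return preferred

    def receive(self, spi, nbytes):
        # Traffic arriving on an inbound SA counts toward its lifebyte.
        self.sas[spi].bytes_used += nbytes

    def expire(self, now):
        """Reap SAs whose hard lifetime has elapsed or whose lifebyte is exhausted."""
        dead = [spi for spi, sa in self.sas.items()
                if (sa.lifetime is not None and now - sa.created >= sa.lifetime)
                or (sa.lifebyte is not None and sa.bytes_used >= sa.lifebyte)]
        for spi in dead:
            del self.sas[spi]
        return sorted(dead)

    def unpaired_inbound(self):
        """Inbound SAs whose partner outbound SA no longer exists."""
        return sorted(sa.spi for sa in self.sas.values()
                      if sa.direction == "in" and sa.partner_spi not in self.sas)


def scenario(lifetime, lifebyte, peer_keeps_sending):
    """Initial pair plus a rekeyed pair; the local side prefers the newest SA.
    Returns (unpaired inbound SAs right after allocation,
             unpaired inbound SAs after the old pair's lifetime would have elapsed)."""
    sad = SAD(use_oldsa=False)
    sad.negotiate_pair(0x1001, 0x2001, now=0, lifetime=lifetime, lifebyte=lifebyte)
    sad.negotiate_pair(0x1002, 0x2002, now=100, lifetime=lifetime, lifebyte=lifebyte)
    preferred = sad.alloc_outbound()        # deletes outbound 0x2001, keeps inbound 0x1001
    assert preferred is not None and preferred.spi == 0x2002
    orphans_now = sad.unpaired_inbound()
    # A peer with "use_oldsa == 1" keeps sending on the old pair, so bytes still
    # arrive on our orphaned inbound SA; a peer that switched over sends nothing.
    if peer_keeps_sending and 0x1001 in sad.sas:
        sad.receive(0x1001, 10_000)
    sad.expire(now=3650)                    # past the old pair's 3600 s lifetime, before the new one's
    return orphans_now, sad.unpaired_inbound()


if __name__ == "__main__":
    print("lifetime only, peer silent:  ", scenario(3600, None, False))
    print("lifebyte only, peer silent:  ", scenario(None, 5000, False))
    print("lifebyte only, peer sending: ", scenario(None, 5000, True))
```

With a hard lifetime the orphaned inbound SA disappears on its own, which is the "just wait" answer above. With lifebyte only and a peer that has already stopped using the old pair, no bytes ever arrive on the orphaned inbound SA, so nothing reaps it; that is the corner case the last paragraph warns about, and it is easy to spot by listing inbound SAs whose partner outbound SA is gone.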


More information about the freebsd-net mailing list