Deleting SAs
Questions on draft-ietf-ipsec-ikev2-03.txt section 3.3
The 6th paragraph describes the process of deleting SAs
and has some confusing text. Is my understanding correct?
- A node that initiates a delete request places into
delete payloads the SPIs for its incoming SAs.
- A node that receives a delete request would close the
outgoing SAs that correspond to the SPIs received in
the delete payloads. Additionally, it would respond by
placing into delete payloads the SPIs for its paired
incoming SAs.
- If by chance the delete requests for two nodes pass
in transit then the responses do not contain any delete
payloads. In other words, an SPI for a given SA must not
appear in more than one delete payload.
The 7th paragraph describes half-open connections where
"A node MAY refuse to accept incoming data on half open
connections but MUST NOT...".
Since a node that initiates a delete request is deleting
its incoming SA, it is not possible to have a half open
connection where the outgoing SA is closed but the
incoming is still active.
David
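A toy model of the delete exchange described in the post, added here as an example (it is not code from the post or from the draft): two peers share one constructed Child SA pair, and the exchange is run once normally and once with the two delete requests crossing in transit, checking that no SPI appears in two Delete payloads and that no peer ever holds an active inbound SA whose paired outbound SA is already closed.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One IKEv2 peer's Child SA state (constructed toy model)."""
    inbound: set = field(default_factory=set)   # SPIs we chose; peer sends on them
    outbound: set = field(default_factory=set)  # SPIs the peer chose; we send on them
    pair: dict = field(default_factory=dict)    # inbound SPI <-> paired outbound SPI

    def add_pair(self, in_spi, out_spi):        # assumes in_spi != out_spi
        self.inbound.add(in_spi); self.outbound.add(out_spi)
        self.pair[in_spi] = out_spi; self.pair[out_spi] = in_spi

    def initiate_delete(self, spis):
        # A delete request names OUR inbound SPIs; we close them right away.
        self.inbound -= set(spis)
        return tuple(spis)

    def handle_request(self, spis):
        # Close the outbound SAs the peer named and answer with the paired
        # inbound SPIs, unless we already deleted them (crossing deletes), so
        # an SPI never appears in more than one Delete payload.
        reply = []
        for spi in spis:
            self.outbound.discard(spi)
            paired_in = self.pair[spi]
            if paired_in in self.inbound:
                self.inbound.discard(paired_in)
                reply.append(paired_in)
        return tuple(reply)

    def handle_response(self, spis):
        # The response names the peer's inbound SPIs, i.e. our outbound ones.
        self.outbound -= set(spis)

    def inbound_only(self):
        # Half-open pairs whose outbound SA is closed but inbound still active.
        return {s for s in self.inbound if self.pair[s] not in self.outbound}


def run(crossing):
    """Exchange between peers A and B; returns observations for checking."""
    a, b = Node(), Node()
    a.add_pair(0x1111, 0x2222); b.add_pair(0x2222, 0x1111)  # constructed SPIs
    seen = []                    # inbound-only half-open state after each step
    def check(): seen.append(bool(a.inbound_only() or b.inbound_only()))
    req_a = a.initiate_delete([0x1111]); check()
    req_b = b.initiate_delete([0x2222]) if crossing else (); check()
    resp_b = b.handle_request(req_a); check()
    a.handle_response(resp_b); check()
    resp_a = a.handle_request(req_b) if crossing else (); check()
    b.handle_response(resp_a); check()
    spis = [s for p in (req_a, req_b, resp_b, resp_a) for s in p]
    return {"resp_b": resp_b, "resp_a": resp_a,
            "unique": len(spis) == len(set(spis)),
            "all_closed": not (a.inbound | a.outbound | b.inbound | b.outbound),
            "inbound_only_seen": any(seen)}
```

With `crossing=False` B's response carries its paired inbound SPI; with `crossing=True` both responses are empty, and in both runs every SPI occurs in exactly one payload.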