Re: Deletion of SA
"Scott G. Kelly" <skelly@redcreek.com> Wed, 02 September 1998 16:27 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA23180 for ipsec-outgoing; Wed, 2 Sep 1998 12:27:25 -0400 (EDT)
Message-ID: <35ED7628.A1FA0E0D@redcreek.com>
Date: Wed, 02 Sep 1998 09:45:28 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "S. B. Kulkarni" <srinu@trinc.com>
CC: ipsec@tis.com
Subject: Re: Deletion of SA
References: <199803231507.KAA00292@morden.sandelman.ottawa.on.ca> <3.0.1.32.19980902104153.00703d0c@172.16.1.10>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
S. B. Kulkarni wrote:
>
> Hi Scott,
>
> I remember you raised the following question in response to my question
> regarding SA deletion. But there was no further discussion on this issue.
> The issue was that, which SA to be deleted when you receive the delete
> payload with multiple SPI.
> <trimmed...>

Right. For the entire thread, see http://www.sandelman.ottawa.on.ca/ipsec/1998/03/msg00235.html and follow the thread-next links.

The issue was never resolved, although as a practical matter we decided (for our products) that you may only delete the incoming SA, and may send the notify for the outgoing SA as a courtesy.

This dances around a much larger problem, one which is at the root of several other blossoming issues, not the least of which is the so-called 'rekey collision' problem, where both sides timeout the SA at the same time and collide while trying to rekey. This larger problem has to do with the semantic definition of the SA vs. the actual operational definition as we have implemented it.

SAs are, by definition, unidirectional constructs. As a matter of convenience, this directional distinction has been blurred and SAs have been linked into inbound-outbound pairs in our current implementations. This simplifies parameter negotiation in that we can negotiate a symmetric SA pair with one exchange group, reducing the overhead associated with SA instantiation. On the other hand, this has several drawbacks, not the least of which are the behavioral ambiguities related to deleting SAs and rekeying.

This is an issue which requires thoughtful exploration. While the convenience realized from 'bidirectionalizing' the SAs is substantial (and therefore perhaps justifiable), the ramifications have not been fully considered. I believe this issue is on the agenda for ipsecond. If you have suggestions for resolution, please post them.
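The "delete only the incoming SA" rule from the message above, as an added example that is not part of the original post or of any product mentioned in it. It parses an ISAKMP Delete payload (RFC 2408 section 3.15 layout: generic header, DOI, Protocol-ID, SPI size, SPI count, SPIs) and applies the policy to a constructed SA database; the `SADB` class, its `inbound`/`outbound` dictionaries keyed by (protocol, SPI) and the sample SPI values are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# ISAKMP Delete payload: Next(1) RESERVED(1) Length(2) DOI(4) Proto(1) SPIsize(1) #SPIs(2) SPIs...
HDR = "!BBHIBBH"          # 12 bytes in front of the SPI list
PROTO_ESP = 3             # IPsec DOI protocol id for ESP (AH is 2)
DOI_IPSEC = 1


def parse_delete_payload(buf: bytes):
    """Return (doi, proto, [spi, ...]); reject lengths that do not add up."""
    if len(buf) < 12:
        raise ValueError("truncated delete payload")
    _next, _res, plen, doi, proto, spi_size, nspi = struct.unpack(HDR, buf[:12])
    if plen != len(buf) or plen != 12 + spi_size * nspi:
        raise ValueError("payload length does not match SPI count/size")
    spis = [buf[12 + i * spi_size: 12 + (i + 1) * spi_size] for i in range(nspi)]
    return doi, proto, spis


def build_delete_payload(doi: int, proto: int, spis: list) -> bytes:
    """Sender side: name the SAs being torn down (next payload = 0 = none)."""
    spi_size = len(spis[0])
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs in one payload must share a size")
    hdr = struct.pack(HDR, 0, 0, 12 + spi_size * len(spis), doi, proto, spi_size, len(spis))
    return hdr + b"".join(spis)


@dataclass
class SADB:
    """Hypothetical SA database: SAs are kept per direction, keyed (proto, spi)."""
    inbound: dict = field(default_factory=dict)
    outbound: dict = field(default_factory=dict)

    def handle_delete(self, payload: bytes):
        """Receiver side policy from the post: remove only our inbound SA for each
        listed SPI. An SPI that instead matches one of our outbound SAs is only
        reported (the peer's notify is a courtesy), never acted on here."""
        _doi, proto, spis = parse_delete_payload(payload)
        deleted, courtesy = [], []
        for spi in spis:
            if (proto, spi) in self.inbound:
                del self.inbound[(proto, spi)]
                deleted.append(spi)
            elif (proto, spi) in self.outbound:
                courtesy.append(spi)
        return deleted, courtesy
```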
- Deletion of SA K SrinivasRao
- Re: Deletion of SA Michael Richardson
- Re: Deletion of SA Daniel Harkins
- Re: Deletion of SA Bill Sommerfeld
- Re: Deletion of SA Scott G. Kelly
- Re: Deletion of SA Scott G. Kelly
- Re: Deletion of SA K SrinivasRao
- Re: Deletion of SA K SrinivasRao
- Re: Deletion of SA Scott G. Kelly
- Re: Deletion of SA S. B. Kulkarni
- Re: Deletion of SA Scott G. Kelly
- (administrivia) About my archives Michael C. Richardson
- Re: Deletion of SA S. B. Kulkarni