Re: Deletion of SA

"Scott G. Kelly" <skelly@redcreek.com> Tue, 24 March 1998 16:40 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA04154 for ipsec-outgoing; Tue, 24 Mar 1998 11:40:27 -0500 (EST)
Message-ID: <3517E56C.47E0AEB5@redcreek.com>
Date: Tue, 24 Mar 1998 08:55:08 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: K SrinivasRao <srinu@trinc.com>
CC: ipsec@tis.com
Subject: Re: Deletion of SA
References: <3.0.1.32.19980324174344.00689200@192.9.200.10>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

K SrinivasRao wrote:
<snip...>
> Since an SA is uniquely identified only by the triple (SPI, DestAddr, IPSEC
> Protocol), when we send only the SPI value in the delete payload, it does
> not determine the SA uniquely. We can get the destination address from the
> datagram (extracting the sender and receiver from the delete payload
> datagram) but we do not know the IPSEC protocol. 

Actually, we do know the protocol, as it is part of the payload, which
consists of DOI, Protocol-Id, SPI size, and number of SPIs.

> Thus, if we have more than
> one SA between the same two hosts with different protections, we might have
> identical SPI values for the SAs (this does not violate the uniqueness
> requirement). So, how do we determine which SA to delete?
> 
Yes, this is the question I'm asking.

> Also, since a single ISAKMP negotiation results in 2 SAs - one outgoing and
> the other incoming - we should be deleting both the SAs of this pair in
> both H1 and H2 (I think)?

Again, this is a question, but it's not very clear what the answer
should be. The problem, as noted above, is that the SA is identified by
the triple: (SPI, Protocol, and DestIP). When you receive the delete
payload, which address do you use for DestIP? And assuming we decide to
use the source of the payload for DestIP w.r.t. one of the SPIs, and
the target of the payload for DestIP w.r.t. another SPI in the payload,
which SPI is which?
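To make the ambiguity concrete, here is an added example (not code from this thread or from any IPsec implementation) that encodes and parses an ISAKMP Delete payload laid out as the message describes (DOI, Protocol-Id, SPI size, number of SPIs, then the SPIs), and then tries to resolve each SPI against a security association database keyed by the triple (SPI, DestIP, Protocol). The SADB, the host addresses 10.0.0.1/10.0.0.2 and the SA labels are constructed for illustration; the resolver tries both candidate DestIPs (the peer, for our outbound SA, and ourselves, for our inbound SA) and reports every hit, so a delete that matches two SAs shows up as ambiguous rather than being silently applied to one of them.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ISAKMP DOI protocol identifiers (RFC 2407 section 4.4.1) and the IPsec DOI number.
PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 1, 2, 3
IPSEC_DOI = 1


@dataclass(frozen=True)
class DeletePayload:
    doi: int
    protocol_id: int
    spi_size: int
    spis: Tuple[bytes, ...]


def build_delete_payload(protocol_id: int, spis: List[bytes], doi: int = IPSEC_DOI,
                         next_payload: int = 0) -> bytes:
    """Encode a Delete payload (RFC 2408 section 3.15): generic header
    (Next Payload, RESERVED, Payload Length), then DOI, Protocol-Id,
    SPI Size, # of SPIs, followed by the SPIs themselves."""
    if not spis:
        raise ValueError("a delete payload carries at least one SPI")
    spi_size = len(spis[0])
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs in one delete payload share one size")
    body = struct.pack("!IBBH", doi, protocol_id, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_delete_payload(data: bytes) -> DeletePayload:
    """Decode a Delete payload, refusing lengths that disagree with SPI size * count
    so a malformed payload cannot make us read SPIs that are not there."""
    if len(data) < 12:
        raise ValueError("truncated delete payload")
    _next, _reserved, length = struct.unpack("!BBH", data[:4])
    doi, proto, spi_size, nspis = struct.unpack("!IBBH", data[4:12])
    if length != 12 + spi_size * nspis or length > len(data):
        raise ValueError("payload length inconsistent with SPI size and count")
    spis = tuple(data[12 + i * spi_size: 12 + (i + 1) * spi_size] for i in range(nspis))
    return DeletePayload(doi, proto, spi_size, spis)


# Hypothetical SADB: keyed by the triple the thread discusses, (SPI, DestIP, Protocol).
SAKey = Tuple[bytes, str, int]


def resolve_delete(sadb: Dict[SAKey, str], payload: DeletePayload,
                   peer_addr: str, local_addr: str) -> Dict[bytes, List[SAKey]]:
    """For each SPI in the delete, list every SA it could denote. DestIP is tried
    as the peer (our outbound SA) and as ourselves (our inbound SA); the Protocol-Id
    comes from the payload. Two hits for one SPI is exactly the ambiguity at issue."""
    result: Dict[bytes, List[SAKey]] = {}
    for spi in payload.spis:
        candidates = ((spi, peer_addr, payload.protocol_id),
                      (spi, local_addr, payload.protocol_id))
        result[spi] = [key for key in candidates if key in sadb]
    return result


def demo() -> Dict[bytes, List[SAKey]]:
    """Constructed scenario: H1 (10.0.0.1, us) and H2 (10.0.0.2) share SPI 0x1000 for
    both ESP directions, and an AH SA also uses 0x1000. H2 sends a delete for ESP SPI 0x1000."""
    local, peer = "10.0.0.1", "10.0.0.2"
    spi = b"\x00\x00\x10\x00"
    sadb: Dict[SAKey, str] = {
        (spi, peer, PROTO_IPSEC_ESP): "esp-outbound-to-H2",
        (spi, local, PROTO_IPSEC_ESP): "esp-inbound-from-H2",
        (spi, local, PROTO_IPSEC_AH): "ah-inbound-from-H2",
    }
    payload = parse_delete_payload(build_delete_payload(PROTO_IPSEC_ESP, [spi]))
    return resolve_delete(sadb, payload, peer_addr=peer, local_addr=local)


if __name__ == "__main__":
    for spi, hits in demo().items():
        status = "ambiguous" if len(hits) > 1 else ("unknown" if not hits else "unique")
        print(spi.hex(), status, hits)
```

The Protocol-Id in the payload keeps the AH SA out of the candidate list, which is the point Scott makes about the protocol being known; what the payload does not settle is which of the two ESP SAs (one per direction) the SPI names, which is why `demo()` returns two hits for it.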