Re: Deletion of SA

Daniel Harkins <dharkins@cisco.com> Mon, 23 March 1998 17:03 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA23808 for ipsec-outgoing; Mon, 23 Mar 1998 12:03:14 -0500 (EST)
Message-Id: <199803231717.JAA06876@dharkins-ss20.cisco.com>
X-Authentication-Warning: dharkins-ss20.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: ipsec@tis.com
Subject: Re: Deletion of SA
In-Reply-To: Your message of "Mon, 23 Mar 1998 10:07:33 EST." <199803231507.KAA00292@morden.sandelman.ottawa.on.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 23 Mar 1998 09:17:11 -0800
From: Daniel Harkins <dharkins@cisco.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Michael Richardson wrote:
> >>>>> "K" == K SrinivasRao <srinu@trinc.com> writes:
>     K> negotiated a new SA and will use that for future
>     K> communications. Should H1 send a delete payload to delete H2's
> 
>   Yes. That should occur as part of the new SA being set up.
>   A question though: is a "delete" too strong here? Perhaps a "please
> delete this SA in X seconds" would be more appropriate? As a notify
> perhaps? That would allow SAs to be negotiated in advance of being
> used, and it also allows the network to drain.
>   Someone tell me that this is already addressed, but I just missed
> that part :-)

  A "delete" is the functional equivalent of a "notify" when used in
this context. They're both transmitted using an Informational exchange
and are therefore completely optional and are not guaranteed to arrive
even if they are sent.

  As you point out, premature aging really is the way to go. Upon receipt
of the "delete" start the last rites but don't go for the shovel yet.

>     K> negotiation of a new SA to send this packet on. How does H2
>     K> delete the SA it has? By getting a delete payload from H1? Or,
>     K> it expires in the normal way?
>  
>   I think a sender should always try and send a delete payload when it
> removes an outgoing SA.

  It is the nice thing to do. It also prevents eventual problems from
arising since if it isn't sent you run the risk of having the peer
start using that SA and causing "Invalid SPI received" messages.

  Also, if a "delete" is never received but the peer has initiated
negotiation for identical SAs the prudent thing to do is to prematurely
age the older SAs and start using the new ones as soon as possible.

  Dan.
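The handling Dan describes, as an added example (not code from the thread or from any IKE implementation): a toy SA table in which a received Delete payload only starts a drain period, and negotiation of a replacement SA to the same peer prematurely ages the older ones even if no Delete ever arrives. GRACE_SECONDS, the peer names and the SPI values are assumptions for illustration.

```python
# Added example, not code from the thread: a toy SA table that applies the
# advice above. A received Delete marks the SA "draining" (no longer chosen for
# outbound, still accepted inbound for a grace period); a replacement SA to the
# same peer prematurely ages the older ones even when no Delete is received.
from dataclasses import dataclass, field

GRACE_SECONDS = 30  # assumed drain time: "start the last rites, not the shovel"

@dataclass
class SA:
    spi: int
    peer: str
    expires_at: float        # hard lifetime, shortened when prematurely aged
    draining: bool = False

@dataclass
class SADatabase:
    sas: dict = field(default_factory=dict)  # spi -> SA

    def _drain(self, sa, now):
        sa.draining = True
        sa.expires_at = min(sa.expires_at, now + GRACE_SECONDS)

    def add(self, spi, peer, lifetime, now):
        """Install a freshly negotiated SA; older SAs to that peer start draining."""
        for sa in self.sas.values():
            if sa.peer == peer and not sa.draining:
                self._drain(sa, now)
        self.sas[spi] = SA(spi, peer, now + lifetime)

    def on_delete(self, spi, now):
        """Delete payload received: age the SA instead of removing it outright."""
        sa = self.sas.get(spi)
        if sa is None:           # Deletes are unreliable and may be resent
            return False
        self._drain(sa, now)
        return True

    def outbound(self, peer, now):
        """SPI to send on, or None (caller should negotiate): never a draining SA."""
        live = [s for s in self.sas.values()
                if s.peer == peer and not s.draining and s.expires_at > now]
        return max(live, key=lambda s: s.expires_at).spi if live else None

    def inbound_ok(self, spi, now):
        """Accept in-flight traffic on a draining SA until its grace period ends."""
        sa = self.sas.get(spi)
        return sa is not None and sa.expires_at > now
```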