[Openswan Users] Duplicate ESP SAs being created

Michael Richardson mcr at xelerance.com
Fri Feb 2 21:32:58 EST 2007




>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> I guess what I'm wondering is why the system retains the
    >> duplicate ESP SA in the SADB, I thought it would delete the old
    >> SA once the new SA was established and became active.  This is a
    >> similar situation to rekeying an existing SA where for a period
    >> of time there are two SAs, but once the new SA becomes active the
    >> old SA is deleted.

    Paul> Normally, ESP SAs are kept, because data might come in,
    Paul> despite a new SA having been established. I am not sure how
    Paul> KLIPS and NETKEY behave differently in this respect. Michael?

  Well, we have no way to tell netkey which SA to use for outgoing data.

  Yes, we can delete one outgoing one, once we realize that we have a
duplicate, but it can in fact be difficult to know that there is in fact
a duplicate. So, we don't worry about it, and just let it expire.

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



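A check a NETKEY operator could run for the situation discussed in this thread, as an added example that is not part of the original post: it parses `ip xfrm state` output and reports tunnels (same src, dst and reqid) that hold more than one outbound ESP SA, the duplicates that are otherwise just left to expire. The sample output and the set of local addresses are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `ip xfrm state` output, not from the thread: two
# outbound ESP SAs for one tunnel (same src/dst/reqid, different SPIs)
# plus a single inbound SA.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0c1a2b3c reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0c1a2b3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xa1b2c3d4 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s*proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")

def parse_xfrm_state(text):
    """Return one dict per SA (src, dst, proto, spi, reqid, mode)."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:  # a new SA starts with its src/dst line
            current = {"src": m.group(1), "dst": m.group(2)}
            sas.append(current)
            continue
        m = SA_PROTO.match(line)
        if m and current is not None:
            current.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)), mode=m.group(4))
    return sas

def find_duplicate_sas(sas, local_addrs):
    """Group ESP SAs by direction, src, dst and reqid; return groups with
    more than one SPI. Direction is 'out' when src is a local address."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("proto") != "esp":
            continue
        direction = "out" if sa["src"] in local_addrs else "in"
        groups[(direction, sa["src"], sa["dst"], sa["reqid"])].append(sa["spi"])
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    dups = find_duplicate_sas(parse_xfrm_state(SAMPLE_XFRM_STATE), {"192.0.2.1"})
    for (direction, src, dst, reqid), spis in dups.items():
        print(f"{direction} {src}->{dst} reqid {reqid}: {len(spis)} SAs, SPIs {', '.join(spis)}")
```

On a live host, feed it the output of `ip xfrm state` and the host's own tunnel endpoint addresses; a non-empty result after rekeying has settled is the condition described in the thread.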
