I would actually rather remove the "MUST NOT unilaterally close them" and 
replace it with "may unilaterally close them".

But wait, there's something weird here.

From the PoV of any implementation, the SA pair is one inbound SA and one 
outbound SA. When you send a DELETE, you send it for the INBOUND SA. So I was 
wrong - it's outbound SAs that you accumulate. If the peer does not close the 
other end, you are left with a half-closed SA - just an outbound SA.  Surely 
closing that is easy - you just don't use it any more, so you might as well 
delete it from your database - no leak on your end, and the minimal 
implementation should take care of itself.

So what's this text about "MAY refuse to accept incoming data"?  There is no 
incoming data unless your peer misunderstood your DELETE payload. An 
INVALID_SPI notification might set them straight.

On Dec 16, 2009, at 12:15 AM, Yaron Sheffer wrote:

> This seems to prove that no such "minimal implementations" exist, because 
> they would leak memory like crazy. So we could simply say that INFORMATIONAL 
> messages containing DELETE payloads are an exception to the "you may return 
> an empty INFORMATIONAL" rule.
> 
> Thanks,
>    Yaron
> 
> ________________________________________
> From: ipsec-boun...@ietf.org [ipsec-boun...@ietf.org] On Behalf Of Yoav Nir 
> [y...@checkpoint.com]
> Sent: Wednesday, December 16, 2009 12:01 AM
> To: Paul Hoffman; IPsecme WG
> Subject: Re: [IPsec] Issue #128: Can implementations not reply fully to 
> Deletes?
> 
> Section 1.4.1 also says:
> 
> "A node MAY refuse to accept incoming data on half-closed
>   connections but MUST NOT unilaterally close them and reuse the SPIs."
> 
> So if your peer is only responding with empty INFORMATIONAL responses to your 
> deletes, you're going to accumulate more and more stale inbound SAs. One of 
> these statements has to go.
> ________________________________________
> From: ipsec-boun...@ietf.org [ipsec-boun...@ietf.org] On Behalf Of Paul 
> Hoffman [paul.hoff...@vpnc.org]
> Sent: Tuesday, December 15, 2009 20:55
> To: IPsecme WG
> Subject: [IPsec] Issue #128: Can implementations not reply fully to Deletes?
> 
> Section 1.4.1 says: Normally, the reply in the INFORMATIONAL exchange will 
> contain delete payloads for the paired SAs going in the other direction. 
> There is one exception. If by chance both ends of a set of SAs independently 
> decide to close them, each may send a delete payload and the two requests may 
> cross in the network.
> 
> But, Section 4 (conformance requirements), says: Every implementation MUST be 
> capable of responding to an INFORMATIONAL exchange, but a minimal 
> implementation MAY respond to any INFORMATIONAL message with an empty 
> INFORMATIONAL reply.
> 
> What should we do? Changing the conformance requirement is pretty serious, 
> but not telling the other side that you understand the Delete is also serious.
> 
> 
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
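The bookkeeping the thread is arguing about, as an added illustration that is not code from the RFC, from this list, or from any IKE implementation. It models the rule quoted above (a DELETE names the sender's inbound SPIs; a full responder answers with a DELETE for the paired SAs in the other direction, a minimal one answers with an empty INFORMATIONAL), shows which side is left with a half-closed, outbound-only SA when the peer is minimal, and shows the local cleanup Yoav describes. The SPI values, the dict-based SA database and the assumption that a minimal responder still drops its own outbound SA are constructed for the example; the crossing-deletes case from Section 1.4.1 is included as well.

```python
"""Toy model of IKEv2 Child SA pairs around INFORMATIONAL/DELETE (added example)."""


class Node:
    """One IKE peer. inbound maps my inbound SPI -> paired outbound SPI,
    outbound maps my outbound SPI -> paired inbound SPI."""

    def __init__(self, name, minimal=False):
        self.name = name
        self.minimal = minimal  # assumption: "minimal" replies with an empty INFORMATIONAL
        self.inbound = {}
        self.outbound = {}


def install_pair(a, b, spi_a_in, spi_b_in):
    """Packets B->A carry spi_a_in, packets A->B carry spi_b_in."""
    a.inbound[spi_a_in], a.outbound[spi_b_in] = spi_b_in, spi_a_in
    b.inbound[spi_b_in], b.outbound[spi_a_in] = spi_a_in, spi_b_in


def build_delete(node, spis):
    """Sender side: drop the inbound SAs and name their SPIs in a DELETE payload."""
    for spi in spis:
        node.inbound.pop(spi)
    return {"DELETE": list(spis)}


def handle_informational(node, msg):
    """Responder side. The listed SPIs are the peer's inbound SAs, i.e. our
    outbound SAs, so drop those. A full implementation then deletes the paired
    inbound SAs and names them in the reply; a minimal one replies empty."""
    paired = []
    for spi in msg.get("DELETE", []):
        paired_in = node.outbound.pop(spi, None)
        if paired_in is not None and paired_in in node.inbound:
            paired.append(paired_in)
    if node.minimal:
        return {}
    for spi in paired:
        node.inbound.pop(spi)
    return {"DELETE": paired}


def handle_reply(node, reply):
    """Sender side: SPIs in the reply's DELETE are our outbound SAs."""
    for spi in reply.get("DELETE", []):
        node.outbound.pop(spi, None)


def half_closed(node):
    """Outbound SAs whose paired inbound SA is gone: the leftover the thread describes."""
    return sorted(spi for spi, paired_in in node.outbound.items()
                  if paired_in not in node.inbound)


def reap_half_closed(node):
    """Local cleanup: an outbound-only SA is never used again, so delete it."""
    stale = half_closed(node)
    for spi in stale:
        del node.outbound[spi]
    return stale


def receive_packet(node, spi):
    """Data on a deleted inbound SPI means the peer misread our DELETE."""
    return "OK" if spi in node.inbound else "INVALID_SPI"


def run_scenario(minimal_peer):
    """A deletes two SA pairs; B is either a full or a minimal responder."""
    a, b = Node("A"), Node("B", minimal=minimal_peer)
    install_pair(a, b, 0x1001, 0x2001)  # constructed SPI values
    install_pair(a, b, 0x1002, 0x2002)
    request = build_delete(a, [0x1001, 0x1002])
    reply = handle_informational(b, request)
    handle_reply(a, reply)
    return a, b, reply


def crossing_scenario():
    """Both ends delete the same pair at once; the requests cross in the network,
    so each reply legitimately carries no SPIs (the Section 1.4.1 exception)."""
    a, b = Node("A"), Node("B")
    install_pair(a, b, 0x1001, 0x2001)
    req_a, req_b = build_delete(a, [0x1001]), build_delete(b, [0x2001])
    reply_b, reply_a = handle_informational(b, req_a), handle_informational(a, req_b)
    handle_reply(a, reply_b)
    handle_reply(b, reply_a)
    return a, b, reply_a, reply_b


if __name__ == "__main__":
    a, b, reply = run_scenario(minimal_peer=True)
    print("minimal peer replied", reply, "-> A's half-closed outbound SAs:",
          [hex(s) for s in half_closed(a)])
    print("reaped locally:", [hex(s) for s in reap_half_closed(a)])
```

Against a full responder every table on both sides ends up empty. Against a minimal responder A is left holding outbound-only SAs and B holds inbound-only ones; `reap_half_closed` removes A's without any further exchange, and any packet that still arrives on one of A's deleted inbound SPIs gets the INVALID_SPI answer the message above mentions.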
