On Mon, 1 Aug 2005, Herbert Xu wrote:
On Sun, Jul 31, 2005 at 09:26:31PM -0700, David S. Miller wrote:

BTW, the kernel isn't actually inconsistent if it doesn't switch to the new SA immediately. After all, the old SA is still valid until it expires. In this particular bug report, it's only because the remote end is buggy by deleting the old SA immediately (and silently) that we've got a problem.

RFC 2408 says:

"A protocol implementation SHOULD begin using the newly created SA for outbound traffic and SHOULD continue to support incoming traffic on the old SA until it is deleted or until traffic is received under the protection of the newly created SA." - Section 4.3.

The problem is the word SHOULD and IMHO both Linux and peer are buggy.

Best regards,
Krzysztof Olędzki