From: Reji Thomas
To: freebsd-net@freebsd.org
Date: Thu, 3 Nov 2011 11:46:41 +0530
Subject: Doubt regarding key_do_allocsa_policy in ipsec path
List-Id: Networking and TCP/IP with FreeBSD

Hi,

The key_do_allocsa_policy searches and deletes the non-preferred SAs if there are multiple SAs that match the search parameters.

I see that if there are multiple SAs with the same parameters established between end points, this ends up in deletion of all "outbound SAs" but the preferred SA. Since the deletion occurs only on the outbound SA, this ends up in a scenario where the corresponding inbound IPsec SAs get unpaired and are not cleaned up, particularly when the IKE daemon doesn't send a delete notification of the SA to the other peer (racoon2 IKEv1 doesn't seem to do this).

In such a scenario, what should be the proper thing to do?

1. Make sure that a delete notification is sent by the iked so that the peers can clean up the unpaired SA.
2. Since IPsec SAs are always paired, should we delete the unpaired SA in the kernel at the same time?

Thanks
Reji
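As an added illustration (not FreeBSD kernel code, and written in Python rather than the kernel's C), the following models the situation described in the mail: an SAD in which the described behaviour of key_do_allocsa_policy leaves inbound SAs orphaned, a check that finds them, and option 2 from the mail. It assumes that both directions of one negotiation share a reqid with mirrored endpoints and that the last-installed SA is the preferred one.

```python
"""Toy model of the SAD behaviour described in the mail (added illustration, not
FreeBSD kernel code). Assumed pairing rule: an inbound SA and its outbound twin
share a reqid and have mirrored endpoints; "preferred" = last installed SA."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int
    reqid: int       # assumed: both directions of one negotiation share it
    direction: str   # "in" or "out"; SAD list order = installation order

def twin_of(sad, sa):
    """Opposite-direction SA with same reqid and mirrored endpoints, or None."""
    for cand in sad:
        if (cand.direction != sa.direction and cand.reqid == sa.reqid
                and cand.src == sa.dst and cand.dst == sa.src):
            return cand
    return None

def alloc_sa_policy(sad, src, dst, delete_pair=False):
    """Keep only the preferred outbound SA for src->dst, as the mail says
    key_do_allocsa_policy does. delete_pair=True models option 2 in the
    mail: the inbound twin of each dropped outbound SA is dropped too."""
    matches = [s for s in sad
               if s.direction == "out" and s.src == src and s.dst == dst]
    if not matches:
        return None
    preferred = matches[-1]
    for s in matches[:-1]:
        twin = twin_of(sad, s) if delete_pair else None
        sad.remove(s)
        if twin is not None:
            sad.remove(twin)
    return preferred

def unpaired_inbound(sad):
    """Inbound SAs whose outbound twin is gone: the leftovers the mail
    describes when no IKE delete notification reaches the peer."""
    return [s for s in sad if s.direction == "in" and twin_of(sad, s) is None]

def demo(delete_pair=False):
    """Constructed SAD: two negotiations between A and B, each installed a pair."""
    a, b = "10.0.0.1", "10.0.0.2"
    sad = [SA(a, b, 0x1001, 1, "out"), SA(b, a, 0x1002, 1, "in"),
           SA(a, b, 0x2001, 2, "out"), SA(b, a, 0x2002, 2, "in")]
    alloc_sa_policy(sad, a, b, delete_pair)
    return [s.spi for s in unpaired_inbound(sad)], len(sad)
```

demo() shows the orphaned inbound SA with SPI 0x1002 left behind; demo(True) shows the SAD with the pair removed together.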