Subject: Re: bin/28922: racoon leaves old SA's in kernel
To: Kimmo Suominen <>
From: Charles M. Hannum <>
List: netbsd-bugs
Date: 01/10/2005 06:34:29
On Monday 10 January 2005 03:56, Kimmo Suominen wrote:
> On Mon, Jan 10, 2005 at 12:42:38PM +0900, Jun-ichiro itojun Hagino wrote:
> > > >Synopsis:       racoon leaves old SA's in kernel
> >
> >  IPsec/IKE specification does not define how to re-negotiate keys
> >  nor how to use old/new key, and behavior is totally implementation-
> >  dependent.  racoon and netbsd are following guidances in
> >  draft-jenkins-ipsec-rekeying-xx (keep old key and use old key until
> >  old key really expires).
> This seems to result in traffic being discarded by the receiver, which
> no longer has the old keys used by the sender.

Yup.  That's exactly what happens.  It's very irritating.

I've often thought that if we received traffic for an unknown SPI, we should 
kick racoon to start negotiation.