The primary use case for XFRM_MSG_UPDSA (ip xfrm state update) is to update an inbound SA for which only an SPI has been allocated via XFRM_MSG_ALLOCSPI. The latter can be replicated with ip xfrm state allocspi:

    Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]
            [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
When using IKE, this is necessary as the SPI is required before the algorithms and keys are negotiated with the peer. Afterwards, this temporary state can be updated once with all the missing information, including algorithms and keys.
However, for states added with XFRM_MSG_NEWSA (ip xfrm state add), which is the case e.g. for outbound SAs, for which no SPI is allocated locally, or for states that have already been updated once, the kernel only allows very specific information to be changed. As of writing this (i.e. kernel version 6.3/6.4), this includes:
- the ports for UDP encapsulation (but not whether encapsulation is used or the IPs)
- the MIPv6 care-of address (if any)
- the lifetimes
- the XFRM interface ID
- the mark set by the SA on processed packets
But it's not possible to change fundamental information like the algorithms or the keys for such SAs.
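To make the two netlink operations above concrete, here is an added example (not code from the original answer, iproute2 or the kernel) that builds the raw messages behind ip xfrm state allocspi and ip xfrm state update: an XFRM_MSG_ALLOCSPI request for an inbound placeholder state, the XFRM_MSG_UPDSA that completes it with algorithms and keys, and a second XFRM_MSG_UPDSA carrying only a new lifetime, i.e. one of the few fields the text says a fully configured state still accepts. The struct layouts follow include/uapi/linux/xfrm.h on a 64-bit Linux host (sizeof(struct xfrm_usersa_info) == 224, sizeof(struct xfrm_userspi_info) == 232); the addresses, reqid, SPI range and keys are constructed test values, and the function names are mine. Nothing is sent unless send_xfrm() is called, which requires CAP_NET_ADMIN.

```python
"""Netlink messages behind `ip xfrm state allocspi` and `ip xfrm state update`.
Struct layouts follow include/uapi/linux/xfrm.h on 64-bit Linux. All addresses,
SPIs, reqids and keys are constructed test values (example code, not the page's own)."""
import socket
import struct

NETLINK_XFRM = 6
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
XFRM_MSG_NEWSA, XFRM_MSG_ALLOCSPI, XFRM_MSG_UPDSA = 0x10, 0x16, 0x1A
XFRMA_ALG_AUTH, XFRMA_ALG_CRYPT = 1, 2
IPPROTO_ESP, XFRM_MODE_TUNNEL = 50, 1
XFRM_INF = 0xFFFFFFFFFFFFFFFF          # "unlimited" byte/packet limit
NLMSG_HDRLEN = 16


def align4(b):
    return b + b"\0" * (-len(b) % 4)


def xfrm_address(ip4):
    """xfrm_address_t: 16-byte union; an IPv4 address occupies the first 4 bytes."""
    return socket.inet_aton(ip4) + b"\0" * 12


def usersa_info(src, dst, spi, reqid, hard_add_seconds=0, mode=XFRM_MODE_TUNNEL):
    """struct xfrm_usersa_info (224 bytes) with an empty selector."""
    sel = b"\0" * 56                                            # struct xfrm_selector
    xid = xfrm_address(dst) + struct.pack("!I", spi) + struct.pack("=B3x", IPPROTO_ESP)  # struct xfrm_id
    lft = struct.pack("=8Q", XFRM_INF, XFRM_INF, XFRM_INF, XFRM_INF,  # soft/hard byte and packet limits
                      0, hard_add_seconds, 0, 0)                    # soft/hard add/use expiry (seconds)
    curlft, stats = b"\0" * 32, b"\0" * 12                      # xfrm_lifetime_cur, xfrm_stats
    # seq, reqid, family, mode, replay_window, flags, then padding to 8-byte alignment
    tail = struct.pack("=IIHBBB7x", 0, reqid, int(socket.AF_INET), mode, 0, 0)
    return sel + xid + xfrm_address(src) + lft + curlft + stats + tail


def nlattr(atype, payload):
    """struct nlattr header (len, type) followed by the payload, padded to 4 bytes."""
    return align4(struct.pack("=HH", 4 + len(payload), atype) + payload)


def xfrm_algo(name, key):
    """struct xfrm_algo: 64-byte NUL-padded name, key length in bits, then the key."""
    return struct.pack("=64sI", name.encode(), len(key) * 8) + key


def nlmsg(mtype, flags, payload, seq, pid=0):
    """struct nlmsghdr (len, type, flags, seq, pid) in front of a 4-aligned payload."""
    payload = align4(payload)
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), mtype, flags, seq, pid) + payload


def parse_nlmsghdr(msg):
    return struct.unpack_from("=IHHII", msg, 0)


def allocspi_msg(src, dst, reqid, min_spi, max_spi, seq=1):
    """XFRM_MSG_ALLOCSPI: struct xfrm_userspi_info = usersa_info + host-order min/max SPI."""
    body = usersa_info(src, dst, 0, reqid) + struct.pack("=II", min_spi, max_spi)
    return nlmsg(XFRM_MSG_ALLOCSPI, NLM_F_REQUEST, body, seq)


def spi_from_reply(reply):
    """The ALLOCSPI reply is an XFRM_MSG_NEWSA carrying the new state's xfrm_usersa_info;
    id.spi sits at offset 56 (selector) + 16 (daddr) inside it, in network byte order."""
    _, mtype, _, _, _ = parse_nlmsghdr(reply)
    if mtype != XFRM_MSG_NEWSA:
        raise ValueError("unexpected reply type 0x%x" % mtype)
    return struct.unpack_from("!I", reply, NLMSG_HDRLEN + 56 + 16)[0]


def updsa_with_keys_msg(src, dst, spi, reqid, enc_key, auth_key, seq=2):
    """XFRM_MSG_UPDSA completing the placeholder state: algorithms and keys as attributes."""
    body = usersa_info(src, dst, spi, reqid)
    body += nlattr(XFRMA_ALG_CRYPT, xfrm_algo("cbc(aes)", enc_key))
    body += nlattr(XFRMA_ALG_AUTH, xfrm_algo("hmac(sha1)", auth_key))
    return nlmsg(XFRM_MSG_UPDSA, NLM_F_REQUEST | NLM_F_ACK, body, seq)


def updsa_lifetime_msg(src, dst, spi, reqid, hard_add_seconds, seq=3):
    """XFRM_MSG_UPDSA carrying only a new hard add-expiry: the kind of change a fully
    configured state still accepts (no algorithm attributes at all)."""
    body = usersa_info(src, dst, spi, reqid, hard_add_seconds=hard_add_seconds)
    return nlmsg(XFRM_MSG_UPDSA, NLM_F_REQUEST | NLM_F_ACK, body, seq)


def send_xfrm(msg):
    """Deliver one message on a NETLINK_XFRM socket and return the raw reply (needs CAP_NET_ADMIN)."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_XFRM) as s:
        s.bind((0, 0))
        s.send(msg)
        return s.recv(65536)


if __name__ == "__main__":
    req = allocspi_msg("10.0.0.1", "10.0.0.2", reqid=1, min_spi=0x1000, max_spi=0x1FFF)
    print("ALLOCSPI request: %d bytes, type 0x%x" % (len(req), parse_nlmsghdr(req)[1]))
    upd = updsa_with_keys_msg("10.0.0.1", "10.0.0.2", 0x1234, 1, bytes(16), bytes(20))
    print("UPDSA with keys: %d bytes" % len(upd))
```

Run as a script it only prints message sizes; wiring send_xfrm(allocspi_msg(...)) through spi_from_reply() and then send_xfrm(updsa_with_keys_msg(...)) reproduces the allocspi-then-update sequence the text describes. The XFRMA_ALG_AUTH attribute used here is the legacy form (the kernel applies its default ICV truncation for the named algorithm); current iproute2 sends XFRMA_ALG_AUTH_TRUNC with an explicit truncation length instead.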