I am working on a C++ project where it is necessary to establish IPsec SAs with ESP and rapidly change the encryption key. My question is the following:
Is there a way to update encryption IPsec keys without deleting the corresponding SA and creating a new one?
Does IPsec even allow this? I've found nothing about this issue in RFC4301...
I'm using Netlink/XFRM messages to alter the SAD. I've tried to use NLM_F_REPLACE in the Netlink message flags and XFRM_MSG_UPDSA as the message type, but these messages simply had no effect. I've seen XFRM_MSG_UPDSA being used to complete SAs initiated by XFRM_MSG_ALLOCSPI messages.
Is this the only purpose for XFRM_MSG_UPDSA-type messages or may I use them somehow to alter encryption keys?
As the keys have to change rapidly (as stated above), performance is a factor. Therefore I want to strain my system with as few administrative IPsec (=Netlink/XFRM) operations as possible.