3.1.7.3 IPSec Policy Change

Upon policy change, the Authenticated Internet Protocol MUST revalidate all SAs against the new policy, delete SAs that do not match the new policy, and send a delete notification to the peer for each such SA (section 2.2.3.5).

This delete notification packet MUST be constructed as follows:

  • HDR: The ISAKMP header MUST be identical to the IKE Informational packet, as specified in [RFC2409] section 5.7, and the exchange type MUST be 246 (NOTIFY exchange type).

  • Notify (Status): This notify MUST have the RELIABLE_NOTIFY_FLAG, as specified in section 2.2.3.5, set to TRUE.
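The revalidation step and the packet layout above, worked through as an added example (this is not code from the MS-AIPS specification or from any Windows implementation). It uses the ISAKMP header and Notification payload layouts from RFC 2408, the exchange type 246 given in this section, and a small SA model. Everything the page does not state is an assumption and is marked as such in the code: the notify message type used for the delete, the encoding and placement of RELIABLE_NOTIFY_FLAG as bit 0 of a 4-byte word in the notification data, the DOI and protocol ID values, and the sample SAs and policy.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple

# ISAKMP header (RFC 2408 section 3.1): 28 bytes, network byte order.
# initiator cookie (8), responder cookie (8), next payload (1),
# version (1: major nibble | minor nibble), exchange type (1), flags (1),
# message ID (4), total length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION = 0x10            # major 1, minor 0
EXCHANGE_TYPE_NOTIFY = 246       # AuthIP NOTIFY exchange type (from the text)
NEXT_PAYLOAD_NOTIFY = 11         # ISAKMP Notification payload type (RFC 2408)

# ISAKMP Notification payload (RFC 2408 section 3.14), fixed part:
# next payload (1), reserved (1), payload length (2), DOI (4),
# protocol ID (1), SPI size (1), notify message type (2), then SPI and data.
NOTIFY_FIXED = struct.Struct("!BBHIBBH")
# ASSUMPTIONS (not given on this page): the notify message type for the delete,
# RELIABLE_NOTIFY_FLAG encoded as bit 0 of a 4-byte flags word placed at the
# start of the notification data, DOI 1 (IPsec) and protocol ID 3 (ESP).
NOTIFY_TYPE_DELETE_ASSUMED = 0x9000
RELIABLE_NOTIFY_FLAG = 0x00000001
DOI_IPSEC = 1
PROTO_ESP = 3


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int                 # 32-bit ESP SPI
    local: str               # traffic selectors, simplified to address strings
    remote: str
    init_cookie: bytes       # ISAKMP cookies of the parent (main mode) SA
    resp_cookie: bytes


Policy = Callable[[SecurityAssociation], bool]


def build_delete_notification(sa: SecurityAssociation, message_id: int) -> bytes:
    """Build HDR | Notify(Status) for one SA that failed revalidation."""
    spi = struct.pack("!I", sa.spi)
    data = struct.pack("!I", RELIABLE_NOTIFY_FLAG)      # assumed flag placement
    notify = NOTIFY_FIXED.pack(0, 0, NOTIFY_FIXED.size + len(spi) + len(data),
                               DOI_IPSEC, PROTO_ESP, len(spi),
                               NOTIFY_TYPE_DELETE_ASSUMED) + spi + data
    hdr = ISAKMP_HDR.pack(sa.init_cookie, sa.resp_cookie, NEXT_PAYLOAD_NOTIFY,
                          ISAKMP_VERSION, EXCHANGE_TYPE_NOTIFY, 0, message_id,
                          ISAKMP_HDR.size + len(notify))
    return hdr + notify


def revalidate(sas: List[SecurityAssociation], policy: Policy,
               first_message_id: int = 1) -> Tuple[List[SecurityAssociation], List[bytes]]:
    """Apply a new policy: keep SAs that still match it and return one delete
    notification packet for every SA that no longer does."""
    kept, notifications = [], []
    msg_id = first_message_id
    for sa in sas:
        if policy(sa):
            kept.append(sa)
        else:
            notifications.append(build_delete_notification(sa, msg_id))
            msg_id += 1
    return kept, notifications


def is_reliable_delete_notification(pkt: bytes) -> bool:
    """Defensive check of a received packet against the rules in this section:
    exchange type 246, a Notify payload first, consistent lengths, and the
    (assumed) RELIABLE_NOTIFY_FLAG bit set."""
    if len(pkt) < ISAKMP_HDR.size + NOTIFY_FIXED.size:
        return False
    _, _, next_payload, version, exch, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt) or version != ISAKMP_VERSION:
        return False
    if exch != EXCHANGE_TYPE_NOTIFY or next_payload != NEXT_PAYLOAD_NOTIFY:
        return False
    _, _, plen, _doi, _proto, spi_size, _ntype = NOTIFY_FIXED.unpack_from(pkt, ISAKMP_HDR.size)
    if plen != len(pkt) - ISAKMP_HDR.size or plen < NOTIFY_FIXED.size + spi_size + 4:
        return False
    data_off = ISAKMP_HDR.size + NOTIFY_FIXED.size + spi_size
    (flags,) = struct.unpack_from("!I", pkt, data_off)
    return bool(flags & RELIABLE_NOTIFY_FLAG)


# Constructed sample SAs; the cookies are arbitrary placeholders.
SAMPLE_SAS = [
    SecurityAssociation(0x1001, "10.0.0.5", "10.0.1.7", b"\x11" * 8, b"\x22" * 8),
    SecurityAssociation(0x1002, "10.0.0.5", "192.0.2.9", b"\x11" * 8, b"\x22" * 8),
    SecurityAssociation(0x1003, "10.0.0.5", "10.0.2.3", b"\x11" * 8, b"\x22" * 8),
]


def new_policy(sa: SecurityAssociation) -> bool:
    """Constructed policy: after the change, only traffic to 10.0.0.0/16 is protected."""
    return sa.remote.startswith("10.0.")


if __name__ == "__main__":
    kept, notes = revalidate(SAMPLE_SAS, new_policy)
    print("kept SPIs:", [hex(sa.spi) for sa in kept])
    for pkt in notes:
        print(len(pkt), "byte delete notification, valid:",
              is_reliable_delete_notification(pkt))
```

The parser rejects a packet whose header length does not match the bytes actually received, which is the first thing a receiver should check before trusting any payload length inside it.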