Question

I am working on a C++ project where it is necessary to establish IPsec SAs with ESP and rapidly change the encryption key. My question is the following:

Is there a way to update encryption IPsec keys without deleting the corresponding SA and creating a new one?

Does IPsec even allow this? I've found nothing about this issue in RFC4301...

I'm using Netlink/XFRM messages to alter the SAD. I've tried to use NLM_F_REPLACE in the Netlink message flags and XFRM_MSG_UPDSA as message type but these messages had simply no effect. I've seen XFRM_MSG_UPDSA being used to complete SAs initiated by XFRM_MSG_ALLOCSPI messages.

Is this the only purpose for XFRM_MSG_UPDSA-type messages or may I use them somehow to alter encryption keys?

As the keys have to change rapidly (as stated above), performance is a factor. Therefore I want to strain my system with as few administrative IPsec (=Netlink/XFRM) operations as possible.


Solution

I've got an answer from the guys of the strongSwan developers mailing list. Unfortunately it seems that there is in fact no better way. The Linux kernel doesn't update keys on XFRM_MSG_UPDSA (only a few other things) and thus the only possibility left is to delete an SA and create a new one.
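Since the answer leaves delete-then-create as the only option, the cheapest way to do it is to put the XFRM_MSG_DELSA and the XFRM_MSG_NEWSA into one Netlink datagram and hand both to the kernel with a single send on a NETLINK_XFRM socket; the kernel processes the messages in order. The following is an added example, not code from the question, the answer or strongSwan; it assumes IPv4 transport mode, a plain cipher carried in XFRMA_ALG_CRYPT (a real SA also needs an integrity algorithm or an AEAD via XFRMA_ALG_AEAD), that the peer switches to the new SPI and key at the same time, and that the caller owns the socket and sends the returned buffer.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
#include <netinet/in.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>
// Append one netlink message (header + fixed payload); returns its nlmsghdr offset.
static size_t append_msg(std::vector<uint8_t>& buf, uint16_t type, uint16_t flags,
                         const void* payload, size_t len) {
    size_t off = buf.size(); buf.resize(off + NLMSG_SPACE(len), 0);
    auto* nlh = reinterpret_cast<nlmsghdr*>(buf.data() + off);
    nlh->nlmsg_len = NLMSG_LENGTH(len); nlh->nlmsg_type = type; nlh->nlmsg_flags = flags;
    std::memcpy(NLMSG_DATA(nlh), payload, len);
    return off;
}
// Append an rtattr to the message starting at msg_off and grow that message's nlmsg_len.
static void append_attr(std::vector<uint8_t>& buf, size_t msg_off, uint16_t type,
                        const void* data, size_t len) {
    auto hdr = [&] { return reinterpret_cast<nlmsghdr*>(buf.data() + msg_off); };
    size_t start = msg_off + NLMSG_ALIGN(hdr()->nlmsg_len);
    buf.resize(start + RTA_SPACE(len), 0);   // may reallocate, hence hdr() is re-evaluated below
    auto* rta = reinterpret_cast<rtattr*>(buf.data() + start);
    rta->rta_type = type; rta->rta_len = RTA_LENGTH(len);
    std::memcpy(RTA_DATA(rta), data, len);
    hdr()->nlmsg_len = NLMSG_ALIGN(hdr()->nlmsg_len) + RTA_SPACE(len);
}
// One datagram: XFRM_MSG_DELSA for the old SA, then XFRM_MSG_NEWSA carrying the new key.
// IPv4 addresses are in network byte order, SPIs in host order (hypothetical helper).
std::vector<uint8_t> build_rekey_batch(uint32_t src, uint32_t dst, uint32_t old_spi,
                                       uint32_t new_spi, const char* cipher,
                                       const std::vector<uint8_t>& key) {
    std::vector<uint8_t> buf;
    xfrm_usersa_id del{};
    del.daddr.a4 = dst; del.spi = htonl(old_spi); del.family = AF_INET; del.proto = IPPROTO_ESP;
    append_msg(buf, XFRM_MSG_DELSA, NLM_F_REQUEST | NLM_F_ACK, &del, sizeof del);
    xfrm_usersa_info sa{};
    sa.id.daddr.a4 = dst; sa.id.spi = htonl(new_spi); sa.id.proto = IPPROTO_ESP;
    sa.saddr.a4 = src; sa.family = sa.sel.family = AF_INET; sa.mode = XFRM_MODE_TRANSPORT;
    sa.lft.soft_byte_limit = sa.lft.hard_byte_limit = sa.lft.soft_packet_limit = sa.lft.hard_packet_limit = XFRM_INF;
    size_t off = append_msg(buf, XFRM_MSG_NEWSA, NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL, &sa, sizeof sa);
    std::vector<uint8_t> alg(sizeof(xfrm_algo) + key.size(), 0);   // xfrm_algo followed by key bytes
    auto* a = reinterpret_cast<xfrm_algo*>(alg.data());
    std::strncpy(a->alg_name, cipher, sizeof(a->alg_name) - 1);
    a->alg_key_len = static_cast<unsigned>(key.size() * 8);       // XFRM counts key length in bits
    std::memcpy(a->alg_key, key.data(), key.size());
    append_attr(buf, off, XFRMA_ALG_CRYPT, alg.data(), alg.size());
    return buf;
}
```

Because the old SA is removed before the new one exists, any packet still in flight under the old SPI is dropped; if that matters, install the new SA first under its own SPI and delete the old one once the peer has switched.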

Licensed under: CC-BY-SA with attribution