
Re: working keys



Hugo,

	In general, I think the SAID model assumes that an SAID
identifies the session key to be used, along with all of the other
parameters of the SA.  So, under this model, if you change session
keys, you change SAIDs, because the SA parameters have changed.
Changing over from one SA to another is a clean way to change keys, as
it means that any packets processed under the old key are cleanly
identified and, after a "grace period" the old SA can be terminated
and the old keys will go away.  That seems easier than trying to
co-ordinate key changeover within a fixed SA, given that the model we
have for SA management does not assume SA management packets will be
transmitted over the same IP "flow" as the SA packets.

Steve 

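The changeover Steve describes, as an added example that is not part of the original message or of any IPsec implementation: a small SA database in which the SAID carried by each packet selects the key, a rekey installs a fresh SA under a new SAID, and the superseded SA survives only through a grace period. The SAIDs, keys, HMAC-based packet tag and time stamps are all constructed for illustration.

```python
# Added example (not from the message or any IPsec spec): key changeover by
# switching SAs. The SAID in each packet selects the key; the superseded SA
# stays usable for a grace period and is then torn down. Names are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class SecurityAssociation:
    said: int
    key: bytes
    expires_at: Optional[float] = None  # None while current; set when superseded

class SADatabase:
    def __init__(self, grace_period: float):
        self.grace = grace_period
        self.sas: Dict[int, SecurityAssociation] = {}
        self.current: Optional[int] = None

    def rekey(self, said: int, key: bytes, now: float) -> None:
        """Install a new SA; the old one enters its grace period."""
        if self.current is not None:
            self.sas[self.current].expires_at = now + self.grace
        self.sas[said] = SecurityAssociation(said, key)
        self.current = said

    def lookup(self, said: int, now: float) -> Optional[SecurityAssociation]:
        """Terminate SAs past their grace period, then resolve the SAID."""
        for s in [s for s, sa in self.sas.items()
                  if sa.expires_at is not None and now >= sa.expires_at]:
            del self.sas[s]  # the old key goes away together with its SA
        return self.sas.get(said)

def seal(db: SADatabase, payload: bytes) -> Tuple[int, bytes, bytes]:
    """Sender: tag the payload under the current SA's key, labelled by SAID."""
    sa = db.sas[db.current]
    return (sa.said, payload, hmac.new(sa.key, payload, hashlib.sha256).digest())

def open_packet(db: SADatabase, pkt: Tuple[int, bytes, bytes],
                now: float) -> Optional[bytes]:
    """Receiver: the SAID alone says which key applies; no in-band key state."""
    said, payload, tag = pkt
    sa = db.lookup(said, now)
    if sa is None:
        return None  # unknown or terminated SA: drop the packet
    expected = hmac.new(sa.key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None
```

A packet still carrying the old SAID is accepted until the grace period ends and rejected afterwards, with no per-packet flag or in-band signalling needed to tell the two keys apart.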
