
A question about re-keying



Sashidhar Annaluru writes:
> 1. Can any peer initiate re-keying?

Yes. 

> Or is there any restriction saying that only the initiator of first
> session can initiate subsequent phase2 re-keying?

No, there is no restriction like that. 

> 2. If there is no such restriction, then I have some confusions
> about the Proxy IDs of phase2.
> 
> Consider the following scenario:
> 
>   Initial IKE is done between I1 and R1, where I1 is the initiator
> and R1 is the responder. For this session I1 sets the ProxyIDs IDci1
> and IDcr1 for phase2, where IDci1 is initiator's ProxyID and IDcr1
> is the responder's.
> 
>  Now if R1 initiates the re-keying of phase2, then what should it send in
> ProxyIDs and how?
> 
>      (a)Should it send, the same Proxy IDs IDci1 and IDcr1? or
>      (b)Should it swap those two and send IDcr1 as the initiator
> proxyID (IDci2) and IDci1 as the responder ProxyID (IDcr2)?

It must swap those. Rekey initiator sends first its own proxy ID and
then the remote end's proxy ID. 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
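Added example, not part of the original thread: a small Python model of the proxy-ID swap described above, showing what each peer puts on the wire when it initiates a phase-2 rekey and how the receiving peer has to look up the existing SA. The ProxyID fields, addresses and function names are constructed for illustration.

```python
# Added example (not from the thread): the phase-2 rekey proxy-ID swap seen
# from each peer, and why the receiving peer must match IDs relative to its
# own role. ProxyID is simplified; a real ISAKMP ID payload also carries an
# ID type. Addresses below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProxyID:
    """Simplified phase-2 identity: a subnet string plus protocol and port."""
    subnet: str
    proto: int = 0
    port: int = 0

@dataclass
class Phase2SA:
    """One peer's view of an SA. Selectors are stored relative to that peer
    (local/remote), not relative to who initiated the original quick mode."""
    local: ProxyID
    remote: ProxyID

def rekey_ids(sa: Phase2SA) -> tuple:
    """What the rekey initiator puts on the wire: its own ID as IDci, the
    remote end's ID as IDcr. For the original responder this is the swap
    (option (b) in the thread)."""
    return (sa.local, sa.remote)

def find_sa_for_rekey(sas: list, idci: ProxyID, idcr: ProxyID) -> Optional[Phase2SA]:
    """Receiving side of a rekey: the peer's IDci describes *our* remote
    selector and its IDcr *our* local one, so compare after swapping."""
    for sa in sas:
        if sa.remote == idci and sa.local == idcr:
            return sa
    return None

def rekey(initiator_sa: Phase2SA, responder_sas: list) -> Optional[Phase2SA]:
    """Run one rekey end to end: build the IDs on the initiator, look them
    up on the responder. Returns the SA the responder replaces, or None."""
    idci, idcr = rekey_ids(initiator_sa)
    return find_sa_for_rekey(responder_sas, idci, idcr)

if __name__ == "__main__":
    # Constructed scenario from the thread: I1 opened the first quick mode.
    i1 = Phase2SA(local=ProxyID("10.1.0.0/16"), remote=ProxyID("10.2.0.0/16"))
    r1 = Phase2SA(local=ProxyID("10.2.0.0/16"), remote=ProxyID("10.1.0.0/16"))
    assert rekey(i1, [r1]) is r1          # original initiator rekeys
    assert rekey(r1, [i1]) is i1          # original responder rekeys, IDs swapped
    # Option (a), R1 sending IDci1/IDcr1 unchanged: I1 finds no matching SA.
    assert find_sa_for_rekey([i1], i1.local, i1.remote) is None
```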

