[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CREATE_CHILD_SA exchange in IKEv2-05

To: Dan Harkins <dharkins@trpz.com>
Subject: Re: CREATE_CHILD_SA exchange in IKEv2-05
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Sat, 01 Mar 2003 15:15:38 +0100
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of Fri, 28 Feb 2003 09:12:53 PST. <200302281712.h1SHCrE64086@homebrew.trpz.com>
Sender: owner-ipsec@lists.tislabs.com


 In your previous mail you wrote:

     Towards the end of section 1.3 it says, "Traffic selectors are 
   omitted if this CREATE_CHILD_SA request is being used to change the
   key of the IKE-SA." What about the suite?

=> I don't understand your concern: suites are in the SA payload
as proposals so are NOT optional. So one knows the exchange is
an IKE-SA rekey as soon as it decodes the SA payload.

   Doesn't that determine whether the request is being used to change
   the key of the IKE SA?

=> yes.

   What would happend if the SA specified an ESP suite but there were
   no Traffic Selectors?

=> an error as only the IKE-SA has no traffic selectors.

   Also, can the suite change from one IKE SA to the next?
   
=> I don't believe we have to allow this (suite change).

     Suggested verbage: "When the CREATE_CHILD_SA request is used to
   rekey the IKE SA Traffic Selectors MUST be omitted and the suite
   used to negotiate the IKE SA MUST be the same as that from the
   IKE_SA_INIT exchange that created the SA being rekeyed."
   
=> this seems better than the original wording.

Regards

Francis.Dupont@enst-bretagne.fr

Prev by Date: remove
Next by Date: Re: Another NAT Traversal question
Prev by thread: RE: remove
Next by thread: Re: Another NAT Traversal question
Index(es):
- Date
- Thread