[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Text suggestion on computing keymat for rekey

To: ipsec@lists.tislabs.com
Subject: Text suggestion on computing keymat for rekey
From: "jpickering@creeksidenet.com" <jpickering@creeksidenet.com>
Date: Tue, 25 Mar 2003 13:24:15 -0500
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; m18) Gecko/20001108 Netscape6/6.0



To compute keymat for any SA, both sides need to agree on which side is 
initiator.
While this is obvious for new SAs, the text is unclear about rekeys,  eg 
if  the original
responder is the initiator of a rekey, which end is considered initiator 
of the of the
new SA for puposes of computing keymat? After some SF hallway 
discussions, the
general impression I got was that there is some value to keeping the 
original initiator
as initiator of the rekeyed SA, (ie for management purposes this 
approach doesnt allow
a rekey to hide which end was original initiator). As such, I propose 
adding the
following text to the end of section 2.8:

"For purposes of computing keying material for the rekeyed SA, the 
original initiator
of the SA is to be considered initiator of the rekeyed SA."

Jeff

Follow-Ups:
- Re: Text suggestion on computing keymat for rekey
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>

Prev by Date: me tarzan- me jane suggested text change
Next by Date: Re: Text suggestion on computing keymat for rekey
Prev by thread: Re: me tarzan- me jane suggested text change
Next by thread: Re: Text suggestion on computing keymat for rekey
Index(es):
- Date
- Thread