
Re: Rekeying in IKEv2: optional or mandatory?
> Hi again. In section 2.8 of draft -07, it talks about MUSTs and
> SHOULDs in rekeying. However, later in the document it says that
> the ability to rekey is optional. This is pretty confusing.
>
> Personally, I think that rekeying should be optional, but it is
> clear that folks haven't read this too carefully and this needs
> to be cleared up before we finish.

This was my error. My intent was that a minimal implementation
need not support the CREATE_CHILD_SA exchange at all. That the
initial exchange sets up an IKE SA and an ESP SA and that the
only thing the IKE SA can subsequently be used for is
keepalives. In that case, if either SA expires (based on time
or data), the end discovering the expiration closes the IKE SA
and starts over.

This behavior is less efficient, but easier to code and debug
(it has fewer states in its state machine).

In most places, the language of the draft makes clear that this
behavior is allowable, but I missed it in 2.8, making the
document internally inconsistent.

Would anyone object to my adding it?

      --Charlie
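As an added illustration of the two behaviours Charlie describes (this is a constructed toy model written for this archive page, not code from the draft or from any IKEv2 implementation, and the class names SecurityAssociation, MinimalPeer, RekeyingPeer, Stats and the helper simulate are this example's own, as are the lifetime and traffic figures): the "minimal" peer never sends CREATE_CHILD_SA and, on expiry of either SA by time or by data, closes the IKE SA and re-runs the initial exchange, while the "full" peer rekeys only the SA that expired. Counting the exchanges each strategy performs under the same traffic shows the efficiency cost of the minimal approach and, in the code, why its state machine is smaller: it has a single expiry path.

```python
"""Toy model of the two IKEv2 lifetime strategies discussed in the message.

Constructed example, not code from the draft or from any IKEv2
implementation; class and function names are this example's own.
"""
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    """An IKE SA or ESP SA with both a time lifetime and a data lifetime."""
    kind: str
    max_seconds: int
    max_bytes: int
    age: int = 0
    bytes_used: int = 0

    def expired(self) -> bool:
        # Expiry is "based on time or data": hitting either limit counts.
        return self.age >= self.max_seconds or self.bytes_used >= self.max_bytes


@dataclass
class Stats:
    initial_exchanges: int = 0  # IKE_SA_INIT + IKE_AUTH: DH, auth, both SAs anew
    esp_rekeys: int = 0         # CREATE_CHILD_SA replacing only the ESP SA
    ike_rekeys: int = 0         # CREATE_CHILD_SA replacing only the IKE SA


class MinimalPeer:
    """Minimal implementation: no CREATE_CHILD_SA at all.

    If either SA expires, the IKE SA is closed and the initial exchange is
    run again, so both SAs come back fresh. One expiry path, few states."""

    def __init__(self, ike_life, esp_life):
        self.ike_life, self.esp_life = ike_life, esp_life
        self.stats = Stats()
        self._initial_exchange()

    def _initial_exchange(self):
        self.stats.initial_exchanges += 1
        self.ike = SecurityAssociation("IKE", *self.ike_life)
        self.esp = SecurityAssociation("ESP", *self.esp_life)

    def advance(self, seconds, esp_bytes):
        self.ike.age += seconds
        self.esp.age += seconds
        self.esp.bytes_used += esp_bytes
        if self.ike.expired() or self.esp.expired():
            self._initial_exchange()  # tear down and start over


class RekeyingPeer(MinimalPeer):
    """Full implementation: each expiring SA is replaced on its own via
    CREATE_CHILD_SA, so the other SA keeps running. More efficient, but the
    state machine must track the rekey of each SA separately."""

    def advance(self, seconds, esp_bytes):
        self.ike.age += seconds
        self.esp.age += seconds
        self.esp.bytes_used += esp_bytes
        if self.esp.expired():
            self.stats.esp_rekeys += 1
            self.esp = SecurityAssociation("ESP", *self.esp_life)
        if self.ike.expired():
            self.stats.ike_rekeys += 1
            self.ike = SecurityAssociation("IKE", *self.ike_life)


def simulate(peer_cls, ticks=20, seconds_per_tick=60, bytes_per_tick=10_000):
    """Drive a peer through a fixed traffic pattern (constructed values:
    IKE SA lifetime 1000 s, ESP SA lifetime 300 s or 50 kB) and return the
    exchange counts it needed."""
    peer = peer_cls(ike_life=(1000, 10**9), esp_life=(300, 50_000))
    for _ in range(ticks):
        peer.advance(seconds_per_tick, bytes_per_tick)
    return peer.stats


if __name__ == "__main__":
    print("minimal :", simulate(MinimalPeer))
    print("rekeying:", simulate(RekeyingPeer))
```

With these constructed figures the minimal peer performs five full initial exchanges (each with its Diffie-Hellman and authentication cost) over the run, whereas the rekeying peer performs one initial exchange plus four ESP rekeys and one IKE SA rekey, each a single CREATE_CHILD_SA round trip.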