[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE_SA SPI with a changed address

To: derenale@polito.it
Subject: Re: IKE_SA SPI with a changed address
From: Charlie_Kaufman@notesdev.ibm.com
Date: Sat, 31 May 2003 19:50:31 -0400
Cc: ipsec@lists.tislabs.com, owner-ipsec@lists.tislabs.com
In-Reply-To: <3ED36A6F.5010309@polito.it>
Sender: owner-ipsec@lists.tislabs.com

derenale@polito.it wrote on 05/27/2003 09:38:55 AM: > what would happen in IKEv2 if the Initiator and Responder change their > IP adresses after have established an IKE_SA?
The current spec is intentionally vague on this issue. The short answer is that most likely the IKE_SA would fail. There is certainly nothing in the spec that would require implementations to do anything that would ever allow this to work. There have been a number of proposals to enhance the protocol to make it possible for IPsec endpoints to change IP addresses and maintain an established SA (in support of both NATs and Mobile IP). All have problems, mostly because different scenarios require different approaches.

I expect this will be an area of continued experimentation followed eventually by standardization. The current spec is vague to allow that experimentation.

--Charlie

Prev by Date: New algorithms and suites drafts
Next by Date: Re: v7 nits
Prev by thread: New algorithms and suites drafts
Next by thread: Re: v7 nits
Index(es):
- Date
- Thread