[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKE_SA SPI with a changed address
email@example.com wrote on 05/27/2003 09:38:55 AM:
> what would happen in IKEv2 if the Initiator and Responder change
> IP adresses after have established an IKE_SA?
The current spec is intentionally vague on this issue.
The short answer is that most likely the IKE_SA would fail. There is certainly
nothing in the spec that would require implementations to do anything that
would ever allow this to work. There have been a number of proposals to
enhance the protocol to make it possible for IPsec endpoints to change
IP addresses and maintain an established SA (in support of both NATs and
Mobile IP). All have problems, mostly because different scenarios require
I expect this will be an area of continued experimentation
followed eventually by standardization. The current spec is vague to allow