[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE_SA SPI with a changed address

derenale@polito.it wrote on 05/27/2003 09:38:55 AM:
> what would happen in IKEv2 if the  Initiator and Responder change their
> IP adresses after have established an IKE_SA?

The current spec is intentionally vague on this issue. The short answer is that most likely the IKE_SA would fail. There is certainly nothing in the spec that would require implementations to do anything that would ever allow this to work. There have been a number of proposals to enhance the protocol to make it possible for IPsec endpoints to change IP addresses and maintain an established SA (in support of both NATs and Mobile IP). All have problems, mostly because different scenarios require different approaches.

I expect this will be an area of continued experimentation followed eventually by standardization. The current spec is vague to allow that experimentation.