
Re: The remaining IKEv2 issues - #64







jpickering@creeksidenet.com wrote:
> I must have missed the resolution on issue 64, can someone remind me of
> the resolution and rationale?

The issue was that people were concerned about how an implementation could
know which SA was being rekeyed when a rekey request arrived. In the past,
I had assumed that they would know because the traffic selectors would
match the traffic selectors on the replaced SA. But recent discussions have
allowed for the possibility of multiple SAs with the same traffic selectors
for playing games with QoS and such.

The proposed solution was to include the SPI of the rekeyed SA in the
request to create a new SA, so there would be no ambiguity. It might also
help with the race conditions that can produce duplicate SAs and the
"continuity across rekeying" issue raised by Nicolas Williams. I added an
additional field to the Create_Child_SA exchange to carry the SPI.

      --Charlie
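
The ambiguity and the fix described in the message above, as an added example that is not part of the original message or of any IKEv2 implementation. The class names, the SPI values, the traffic selectors and the duplicate-handling policy are assumptions made for this model, not the wire format of the Create_Child_SA exchange.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChildSA:
    spi: int           # constructed sample value
    selectors: tuple   # (local net, remote net)
    qos: str           # why two SAs can share one selector set

class AmbiguousRekey(Exception):
    """Several SAs match; the responder cannot tell which one is replaced."""

class UnknownSA(Exception):
    """The request names an SA the responder does not hold."""

def target_by_selectors(sas, selectors):
    """Earlier assumption: the replaced SA is the one whose selectors match."""
    matches = [sa for sa in sas if sa.selectors == selectors]
    if not matches:
        raise UnknownSA(selectors)
    if len(matches) > 1:
        raise AmbiguousRekey([hex(sa.spi) for sa in matches])
    return matches[0]

class Responder:
    """Hypothetical responder state; the rekey request carries the old SPI."""
    def __init__(self, sas):
        self.sas = {sa.spi: sa for sa in sas}
        self.replaced_by = {}  # old SPI -> new SPI of rekeys already accepted

    def rekey(self, rekeyed_spi, new_spi):
        if rekeyed_spi in self.replaced_by:
            # A second request for the same old SA is recognisable by SPI,
            # so no duplicate SA is created (assumed policy for this model).
            return ("duplicate", self.replaced_by[rekeyed_spi])
        old = self.sas.get(rekeyed_spi)
        if old is None:
            raise UnknownSA(hex(rekeyed_spi))
        self.sas[new_spi] = ChildSA(new_spi, old.selectors, old.qos)
        self.replaced_by[rekeyed_spi] = new_spi
        return ("rekeyed", new_spi)

# Constructed sample: two SAs with identical selectors, split for QoS.
TS = ("10.0.1.0/24", "10.0.2.0/24")
SAMPLE_SAS = [ChildSA(0x1001, TS, "voice"), ChildSA(0x1002, TS, "bulk")]

if __name__ == "__main__":
    try:
        target_by_selectors(SAMPLE_SAS, TS)
    except AmbiguousRekey as exc:
        print("selectors only:", exc)
    r = Responder(SAMPLE_SAS)
    print(r.rekey(0x1002, 0x2002), r.rekey(0x1002, 0x2003))
```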