[Ipsec] Rekeying of child SA in IKEv2
Hi all,
In draft-ietf-ipsec-ikev2-14.txt, section 2.8 (Rekeying) contains the following text:
    To allow for minimal IPsec implementations, the ability to rekey SAs
    without restarting the entire IKE_SA is optional. An implementation
    MAY refuse all CREATE_CHILD_SA requests within an IKE_SA. If an SA
    has expired or is about to expire and rekeying attempts using the
    mechanisms described here fail, an implementation MUST close the
    IKE_SA and any associated CHILD_SAs and then MAY start new ones.

    Implementations SHOULD support in place rekeying of SAs, since doing
    so offers better performance and is likely to reduce the number of
    packets lost during the transition.
May I know the reason behind this? Why is the CREATE_CHILD_SA exchange made optional?
There may be some issues regarding this. Suppose I configure PFS in IPsec as DH MODP2048, and the DH group in IKE as MODP1536.
In the IKE_SA_INIT exchange, only one KE payload is negotiated, for the shared secret used in IKE (MODP1536) to generate the key material.
May I know in detail how I can use the PFS configured in IPsec without using the CREATE_CHILD_SA exchange?
My understanding is that if we configure PFS in IPsec, we create IKE SAs using the IKE_SA_INIT exchange and we create CHILD_SAs using the CREATE_CHILD_SA exchange.
I think what I understood might be wrong. Please clarify.
Many thanks in advance,
Jyothi
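Added example (not part of Jyothi's message, the draft, or any implementation): a Python sketch of the two CHILD_SA KEYMAT derivations the IKEv2 draft defines, to show where the IKE_SA_INIT Diffie-Hellman result and a separate PFS group enter. The CHILD_SA created during IKE_AUTH uses KEYMAT = prf+(SK_d, Ni | Nr) with no KE payload, so its only DH contribution is the IKE group (MODP1536 in the question) already folded into SK_d; a CHILD_SA created by CREATE_CHILD_SA with KE payloads uses KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr), which is where a different PFS group such as MODP2048 can appear. The PRF is assumed to be PRF_HMAC_SHA1, and every secret, nonce and DH value below is a constructed stand-in, not real DH output.

```python
import hmac
import hashlib

# Added example: IKEv2 CHILD_SA key derivation per the prf+ construction
# and KEYMAT formulas in draft-ietf-ipsec-ikev2 / RFC 4306. All secrets,
# nonces and DH values are constructed placeholders for illustration.


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, one of the IKEv2 PRF transforms (assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K, S) = T1 | T2 | T3 | ...
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), at most 255 blocks."""
    out = b""
    prev = b""
    for counter in range(1, 256):
        if len(out) >= length:
            break
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
    if len(out) < length:
        raise ValueError("prf+ output is limited to 255 blocks")
    return out[:length]


def initial_child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """CHILD_SA created in IKE_AUTH: KEYMAT = prf+(SK_d, Ni | Nr).
    No KE payload is exchanged; the only DH contribution is the IKE_SA_INIT
    shared secret (the IKE group, e.g. MODP1536), already folded into SK_d."""
    return prf_plus(sk_d, ni + nr, length)


def pfs_child_keymat(sk_d: bytes, g_ir_new: bytes, ni: bytes, nr: bytes,
                     length: int) -> bytes:
    """CHILD_SA created by CREATE_CHILD_SA with KE payloads (PFS):
    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr). g^ir (new) is the fresh DH
    shared secret from the group negotiated in that exchange (e.g. MODP2048);
    Ni and Nr are the nonces of the CREATE_CHILD_SA exchange itself."""
    return prf_plus(sk_d, g_ir_new + ni + nr, length)


def split_keymat(keymat: bytes, encr_len: int, integ_len: int) -> dict:
    """Split KEYMAT in the order the draft specifies: initiator-to-responder
    keys first, encryption before integrity: SK_ei | SK_ai | SK_er | SK_ar."""
    need = 2 * (encr_len + integ_len)
    if len(keymat) < need:
        raise ValueError("KEYMAT too short for the requested key sizes")
    sk_ei = keymat[:encr_len]
    sk_ai = keymat[encr_len:encr_len + integ_len]
    sk_er = keymat[encr_len + integ_len:2 * encr_len + integ_len]
    sk_ar = keymat[2 * encr_len + integ_len:need]
    return {"SK_ei": sk_ei, "SK_ai": sk_ai, "SK_er": sk_er, "SK_ar": sk_ar}


def derive_child_keys(sk_d: bytes, ni: bytes, nr: bytes, encr_len: int = 16,
                      integ_len: int = 20, g_ir_new: bytes = None) -> dict:
    """Derive ESP keys for one CHILD_SA. g_ir_new=None models the IKE_AUTH
    CHILD_SA (no separate PFS exchange); a bytes value models CREATE_CHILD_SA
    carrying KE payloads for the PFS group."""
    need = 2 * (encr_len + integ_len)
    if g_ir_new is None:
        keymat = initial_child_keymat(sk_d, ni, nr, need)
    else:
        keymat = pfs_child_keymat(sk_d, g_ir_new, ni, nr, need)
    return split_keymat(keymat, encr_len, integ_len)


if __name__ == "__main__":
    # Constructed values: SK_d from the IKE_SA, nonces, and a stand-in for
    # the 256-byte MODP2048 shared secret a CREATE_CHILD_SA KE would yield.
    sk_d = bytes(range(20))
    ni, nr = b"\x11" * 16, b"\x22" * 16
    g_ir_2048 = b"\x33" * 256
    no_pfs = derive_child_keys(sk_d, ni, nr)
    pfs = derive_child_keys(sk_d, ni, nr, g_ir_new=g_ir_2048)
    for name in no_pfs:
        print(name, "IKE_AUTH:", no_pfs[name].hex(),
              "CREATE_CHILD_SA+PFS:", pfs[name].hex())
```

Running the block prints both key sets side by side; the point is that only the second derivation has a place for a group other than the one used in IKE_SA_INIT, which is why a PFS group that differs from the IKE group needs the CREATE_CHILD_SA exchange with KE payloads.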
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec