
[Ipsec] Rekeying of child SA in IKEv2



Hi all,

In draft-ietf-ipsec-ikev2-14.txt, section 2.8 (Rekeying) contains the following text:

   To allow for minimal IPsec implementations, the ability to rekey SAs
   without restarting the entire IKE_SA is optional. An implementation
   MAY refuse all CREATE_CHILD_SA requests within an IKE_SA. If an SA
   has expired or is about to expire and rekeying attempts using the
   mechanisms described here fail, an implementation MUST close the
   IKE_SA and any associated CHILD_SAs and then MAY start new ones.
   Implementations SHOULD support in place rekeying of SAs, since doing
   so offers better performance and is likely to reduce the number of
   packets lost during the transition.

May I know the reason behind this? Why is the CREATE_CHILD_SA exchange made optional?

There may be some issues regarding this.

Suppose I configure PFS in IPsec as DH MODP2048, and the DH group in IKE as MODP1536.

In the IKE_SA_INIT exchange, only one KE payload is negotiated, for the shared secret used in IKE (MODP1536) to generate the key material.

May I know in detail how I can use the PFS configured in IPsec without using the CREATE_CHILD_SA exchange?

My understanding is that if we configure PFS in IPsec, we create IKE SAs using the IKE_SA_INIT exchange and we create CHILD SAs using the CREATE_CHILD_SA exchange.

I think what I understood might be wrong. Please clarify.

Many thanks in advance,
Jyothi



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec