
[Ipsec] Rekeying of child SA in IKEv2
Jyothi writes:
> May I know the reason behind this. Why was the CREATE_CHILD_SA exchange made
> optional?

To allow very tiny implementations. 

> Suppose I configured PFS in IPsec as DH MODP2048, and the DH group in IKE as
> MODP1536.

You cannot use such a setup for such clients.

> In IKE_SA_INIT exchange, only one KE payload is negotiated for shared 
> secret used in IKE (MODP1536) to generate the key material.

Note that SAi2, TSi and TSr are not optional in the IKE_AUTH
exchange, so for that kind of setup you are creating one extra pair of
IPsec SAs in all cases. If the other end's implementation only supports
exactly one SA (a very small garage opener device), it will not allow
you to create a second SA.

> May I know in detail how I can use PFS configured in IPsec without using the
> CREATE_CHILD_SA exchange?

You cannot. Why would you want to use that kind of setup? If you want
to have security from the 2048-bit group, use it for the IKE SA also.

> My understanding is that if we configure PFS in IPsec, we create IKE
> SAs using the IKE_SA_INIT exchange and we create Child SAs using the
> CREATE_CHILD_SA exchange.

No, you always create one IPsec SA along with the IKE_SA_INIT /
IKE_AUTH exchanges, thus for that kind of setup you create 2 sets of
IPsec SAs.
-- 
kivinen@safenet-inc.com
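The key-derivation difference behind the answer above, as an added example that is not part of the thread: the Child SA created inside IKE_AUTH is keyed from SK_d alone (so its strength is bounded by the IKE SA's DH group), while a CREATE_CHILD_SA with KE payloads mixes in a fresh shared secret from the Child SA's own group. Assumes PRF_HMAC_SHA2_256 and uses constructed sample values.

```python
import hashlib
import hmac

# Assumes PRF_HMAC_SHA2_256 was negotiated for the IKE SA.
HASH = hashlib.sha256


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_keymat_initial(sk_d: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """Child SA created inside IKE_AUTH (RFC 7296 section 2.17): no KE payload,
    so the keys depend only on SK_d, i.e. on the IKE SA's own DH exchange."""
    return prf_plus(sk_d, ni + nr, length)


def child_keymat_pfs(sk_d: bytes, g_ir_new: bytes, ni: bytes,
                     nr: bytes, length: int) -> bytes:
    """Child SA from CREATE_CHILD_SA with KE payloads: the fresh shared secret
    from the Child SA's own group is mixed in ahead of the exchange nonces."""
    return prf_plus(sk_d, g_ir_new + ni + nr, length)


# Constructed sample values, not real session material.
SK_D = b"\x01" * 32          # derived from the IKE_SA_INIT DH (e.g. MODP1536)
NI, NR = b"\x11" * 16, b"\x22" * 16
G_IR_NEW = b"\x33" * 256     # stands in for a MODP2048 shared secret
KEYMAT_LEN = 64


if __name__ == "__main__":
    print("IKE_AUTH child:      ", child_keymat_initial(SK_D, NI, NR, KEYMAT_LEN).hex())
    print("CREATE_CHILD_SA+PFS: ", child_keymat_pfs(SK_D, G_IR_NEW, NI, NR, KEYMAT_LEN).hex())
```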

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec