I don't know the current status about this.

I would suggest that this could be left as it currently is. When reading the
section about rekeying IKE SAs (1.3.2), it is easily deduced that rekeying
will have the effect of resetting the Message IDs of the SA to 0. Section
2.18 also states this.

Perhaps, having a single paragraph discussing Rekeying of IKE SAs using the
CREATE_CHILD_SA exchange would make understanding the process faster. In
2.2, the reader could be redirected to the new, unified section about
rekeying after the section (2.2) states that Message IDs are reset when
rekeying an IKE SA. Maybe something like:

2.2. Use of Sequence Numbers for Message ID

The Message ID is a 32-bit quantity, which is zero for the IKE_SA_INIT
messages (including retries of the message due to responses such as COOKIE
and INVALID_KE_PAYLOAD), and when an IKE SA is being rekeyed (the new IKE SA
that will take the place of the expiring SA MUST have the Message ID set to 0).
For information about rekeying, see section *Rekeying an IKE_SA with
CREATE_CHILD_SA.* The Message ID is then incremented for each subsequent
exchange.

2009/3/11 Joy Latten <lat...@austin.ibm.com>

>
> On Tue, 2009-03-03 at 20:18 +0200, Yaron Sheffer wrote:
> > 2.2. Use of Sequence Numbers for Message ID
> >
> > The Message ID is a 32-bit quantity, which is zero for the IKE_SA_INIT
> > messages (including retries of the message due to responses such as
> > COOKIE and INVALID_KE_PAYLOAD {{ Clarif-2.2 }}), and incremented for
> > each subsequent exchange.
> >
> > Tero:
> >
> > Add text:
> >
> > The Message ID is reset to zero also after IKE SA rekey for the new
> > IKE SA.
> >
> That paragraph has another sentence "Rekeying an IKE SA resets the
> sequence numbers." Perhaps the above and this could be
> combined. Something like:
>
> Rekeying an IKE SA resets the sequence number counter to zero for the
> new IKE SA.
>
> regards,
> Joy
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
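Added example, not part of the original messages and not taken from any IKE implementation: a sketch of per-SA Message ID bookkeeping showing that the counters belong to one IKE SA and that the SA created by a rekey starts again at 0. The class and method names are hypothetical, and a window size of 1 is assumed.

```python
from dataclasses import dataclass

MAX_MESSAGE_ID = 0xFFFFFFFF  # the Message ID is a 32-bit quantity


@dataclass
class IkeSa:
    """Message ID state for one IKE SA (hypothetical names, window size 1 assumed)."""
    name: str                   # label standing in for the SA's SPI pair
    next_request_id: int = 0    # ID for the next request this end initiates
    next_expected_id: int = 0   # ID expected in the peer's next request

    def send_request(self) -> int:
        """Allocate the Message ID for a new outgoing request."""
        if self.next_request_id > MAX_MESSAGE_ID:
            raise OverflowError("Message ID space exhausted on " + self.name)
        mid = self.next_request_id
        self.next_request_id += 1
        return mid

    def receive_request(self, mid: int) -> str:
        """Classify an incoming request on this SA by its Message ID."""
        if not 0 <= mid <= MAX_MESSAGE_ID:
            return "drop"
        if mid == self.next_expected_id:
            self.next_expected_id += 1
            return "accept"
        if mid == self.next_expected_id - 1:
            return "retransmit"  # resend the cached response, do not reprocess
        return "drop"            # outside the window for this SA

    def rekey(self, new_name: str) -> "IkeSa":
        """Rekey via CREATE_CHILD_SA: the new IKE SA gets fresh counters at 0."""
        return IkeSa(new_name)


if __name__ == "__main__":
    old = IkeSa("old-sa")
    # Constructed sequence: IKE_SA_INIT, IKE_AUTH, then the rekeying exchange.
    print("old SA request IDs:", [old.send_request() for _ in range(3)])
    new = old.rekey("new-sa")
    print("first request ID on new SA:", new.send_request())
    # A request numbered as if the old counter had carried over is rejected.
    print("ID 3 on new SA:", new.receive_request(3))
    print("ID 0 on new SA:", new.receive_request(0))
```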