Hello,
When rekeying an IKE SA, the traffic from the old (expiring) SA has to be
moved to the new (rekeyed) SA. How does this go about? Are equivalent Child
SAs created for the rekeyed IKE SA created and the ones in the old IKE SA
deleted (by deleting the IKE SA), or is all data of the Child SA (SPIs, keys
etc) copied as-is to the new SA.
As a visual example:
IKE SA A - Expiring IKE SA B - Rekeyed
One Child SA New Child SA
SPI (incoming) 0x12345678 SPI (incoming) 0xABCDEFAB
Protocol AH Protocol AH
Same cryptographic
suite as A's Child SA
or
IKE SA A - Expiring IKE SA B - Rekeyed
One Child SA Copy if Child SA from A
SPI (incoming) 0x12345678 SPI (incoming) 0x12345678
Protocol AH Protocol AH
Same cryptographic
suite as A's Child SA (copied)
>From section 2.8, "inherits Child SAs" seems to refer to the second case
(copying) but I would like to be 100% sure that this is the case.
Thanks for clarifications.
Regards,
Matthew
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
