Hello,

When rekeying an IKE SA, the traffic from the old (expiring) SA has to be moved to the new (rekeyed) SA. How does this go about? Are equivalent Child SAs created for the rekeyed IKE SA and the ones in the old IKE SA deleted (by deleting the IKE SA), or is all data of the Child SA (SPIs, keys etc.) copied as-is to the new SA?
As a visual example:

    IKE SA A - Expiring            IKE SA B - Rekeyed
    One Child SA                   New Child SA
    SPI (incoming) 0x12345678      SPI (incoming) 0xABCDEFAB
    Protocol AH                    Protocol AH
                                   Same cryptographic suite as A's Child SA

or

    IKE SA A - Expiring            IKE SA B - Rekeyed
    One Child SA                   Copy of Child SA from A
    SPI (incoming) 0x12345678      SPI (incoming) 0x12345678
    Protocol AH                    Protocol AH
                                   Same cryptographic suite as A's Child SA (copied)

From section 2.8, "inherits Child SAs" seems to refer to the second case (copying) but I would like to be 100% sure that this is the case.

Thanks for clarifications.

Regards,
Matthew