Paul Hoffman writes:
> It was pointed out that (a) this is a new MUST and

Yes, but it can mostly already be deduced from the requirement that an end node cannot violate its own policy, meaning it needs to delete Child SAs that do not follow its policy. If that is already done, there is no point in the new SA having a narrower scope than the old SA had, and making this a MUST makes it simpler for implementations (i.e., they do not need to think about what to do with the traffic that does not fit the rekeyed SA, and we do not need to add the traffic selectors from the packet parts).

> (b) this also assumes that the encryption algorithm and so on will be the same.

No, it does not. I do not see any text there saying anything about encryption algorithms. Those are negotiated as normal, and again, if the policy has been changed so that the original algorithms are not valid anymore, then the Child SA should have been deleted already. There are cases where the initiator can only propose a subset of the algorithms it itself finds acceptable, but that will simply result in a NO_PROPOSAL_CHOSEN failure if the other end does not accept any of the algorithms the initiator offered.

> So, how does the WG want to proceed here?

I do not think we need to do anything more than what is already done here.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
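The rule discussed in the message (a rekeyed Child SA must not have a narrower scope than the SA it replaces, so no traffic that matched the old SA is left with nothing to carry it) can be enforced by a containment check on traffic selectors before a rekey is accepted. The following Python is an added example, not code from this thread or from any IKEv2 implementation. It assumes a simplified IPv4-only traffic selector (protocol, address range, port range), treats protocol 0 as "any" by its own convention, and is deliberately conservative: each old selector must fit inside a single new selector, so a proposal that covers the old range only as a union of several new selectors is flagged for review rather than silently accepted. The same function is run once for TSi and once for TSr.

```python
"""Added example: reject a Child SA rekey whose traffic selectors are
narrower than the old SA's.  Simplified IPv4-only model, not an
implementation of any specific IKEv2 stack."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class TrafficSelector:
    protocol: int            # 0 means "any protocol" (convention assumed here)
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int
    end_port: int

    def contains(self, other: "TrafficSelector") -> bool:
        """True if every (proto, addr, port) matched by `other` is matched by self."""
        proto_ok = self.protocol == 0 or self.protocol == other.protocol
        return (proto_ok
                and self.start_addr <= other.start_addr
                and other.end_addr <= self.end_addr
                and self.start_port <= other.start_port
                and other.end_port <= self.end_port)


def ts(proto: int, start: str, end: str, sport: int = 0, eport: int = 65535) -> TrafficSelector:
    """Convenience constructor for constructed sample selectors."""
    return TrafficSelector(proto, IPv4Address(start), IPv4Address(end), sport, eport)


def uncovered_selectors(old_ts, new_ts):
    """Return the old selectors not contained in any single new selector.
    An empty list means the rekeyed SA is at least as wide as the old one."""
    return [o for o in old_ts if not any(n.contains(o) for n in new_ts)]


def accept_rekey(old_ts, new_ts) -> bool:
    """Policy decision for one direction (TSi or TSr) of a rekey proposal."""
    return not uncovered_selectors(old_ts, new_ts)


if __name__ == "__main__":
    # Constructed sample: old SA covered all protocols for 10.0.0.0/24.
    old = [ts(0, "10.0.0.0", "10.0.0.255")]
    same = [ts(0, "10.0.0.0", "10.0.0.255")]
    narrower = [ts(6, "10.0.0.0", "10.0.0.127")]       # TCP only, half the subnet
    wider = [ts(0, "10.0.0.0", "10.0.255.255")]
    print("same    ->", accept_rekey(old, same))       # True
    print("narrower->", accept_rekey(old, narrower))   # False: traffic would be left without an SA
    print("wider   ->", accept_rekey(old, wider))      # True
```

A narrower rekey is the case the message describes: some packets that matched the old SA no longer match the new one, and the responder would have to decide what to do with them. Rejecting the proposal (or, on the initiator side, never building one) removes that ambiguity.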
Yes, but it can mostly be already deducted from the requirement that end node cannot violate its own policy, meaning it needs to delete Child SA which are not following his policy. If that is already done, there is no point for the new SA having narrower scope than old SA had, and making this MUST makes it simplier for implementations (i.e. they do not need to think what to do for the traffic which do not fit the rekeyed SA, and we do not need to add the traffic selectors from the packet parts). > (b) this also > assumes that the encryption algorithm and so on will be the same. No it does not. I do not see any text there saying anything about encryption algorithms. Those are negotiated as normally and again if policy has been changed so that the original algorithms are not valid anymore, then the child SA should have been deleted already. There are cases where intiator can only propose subset of algorithms it itself finds acceptable, but that will simply result in NO_PROPOSAL_CHOSEN failure, if other end does not accept any of the algorithms initiator offered. > So, how does the WG want to proceed here? I do not think we need to do anything more than what is already done here. -- kivi...@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec