Michael Richardson writes:
> 
> Let me suggest a situation where perhaps I would like to bring up
> an IKE_SA and not a CHILD_SA: it might be for just sending initial
> contact, and perhaps even a DELETE.
> 
> I sometimes move quickly from being "outside" my IPsec gateway/firewall
> (such as being on wireless), to being wired behind the gateway, where I
> do not need IPsec.  The DPD doesn't kick off fast enough, and my traffic
> goes to where I am no longer.  It would be nice to bring up the IKE_SA
> (or... haha, resume it), just so that I can send a delete and/or
> initial_contact. 

Or MOBIKE, and just move tunnel end point to your new location.

> Seems like to do this, one needs to include a known-to-be-unacceptable
> CHILD_SA proposal.

Or just create valid Child SA, and then send delete to IKE SA which
will take care of the IKE SA and Child SA.

The extra Child SA created there does not really cost anything. The CPU
cost will be a few symmetric hashing and MACing operations etc., so I do
not really consider this worth one extra mode again.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
