I'm not so sure about that. The authentication in the IKE_AUTH exchange that follows the resumption only proves that the (new) responder can decipher the ticket (or has access to the ticket database).
Presumably a "cluster" of gateways backing each other up would have the same IDr, but if they're using (for example) IPv4 or IPv6 addresses as IDr, these IDrs could be different. IOW I don't see much security value in mandating that the responder show the same IDr, although I can't think of a really good reason why they would not.

From: ipsec-boun...@ietf.org [ipsec-boun...@ietf.org] On Behalf Of pasi.ero...@nokia.com [pasi.ero...@nokia.com]
Sent: Friday, May 29, 2009 21:46

8) The text about handling IDr is very unclear -- certainly the gateway can't start to use some other IDr in the new IKE_SA, without authenticating it?

_______________________________________________
IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
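The point made above, that the resumed IKE_AUTH only proves possession of the ticket key and therefore cannot by itself vouch for which IDr the responder presents, modelled as an added example that is not part of the thread or of any IKEv2 implementation. The key derivation and AUTH computation are deliberately simplified stand-ins (HMAC-SHA256 keyed from a shared cluster ticket key), the addresses are RFC 5737 test addresses, and the initiator's IDr policy check is a hypothetical local rule, not text from the draft.

```python
import hashlib
import hmac

# Constructed sample values: a ticket-protection key shared by a gateway cluster
# and the public nonces of the resumed exchange (not real traffic).
CLUSTER_TICKET_KEY = b"cluster-ticket-key-constructed-example"
NONCE_I = b"\x01" * 16
NONCE_R = b"\x02" * 16


def derive_sk_p(ticket_key: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified stand-in for the resumed-SA key derivation: the only secret
    input is the key recovered from the ticket; the nonces are public."""
    return hmac.new(ticket_key, b"SK_p" + nonce_i + nonce_r, hashlib.sha256).digest()


def compute_auth(sk_p: bytes, idr: bytes, msg: bytes) -> bytes:
    """Model of the responder's AUTH in a resumed IKE_AUTH: the IDr payload is
    bound to the MAC only through sk_p, so any holder of sk_p can produce a
    valid AUTH for any IDr it chooses."""
    maced_idr = hmac.new(sk_p, idr, hashlib.sha256).digest()
    return hmac.new(sk_p, msg + maced_idr, hashlib.sha256).digest()


def initiator_check(sk_p, idr_claimed, msg, auth, idr_original, cluster_idrs=()):
    """Returns (crypto_ok, policy_ok). crypto_ok is what the AUTH payload alone
    proves; policy_ok adds a hypothetical local IDr check that accepts the IDr
    of the original SA or a configured list of cluster peers."""
    crypto_ok = hmac.compare_digest(compute_auth(sk_p, idr_claimed, msg), auth)
    policy_ok = crypto_ok and (idr_claimed == idr_original or idr_claimed in cluster_idrs)
    return crypto_ok, policy_ok


def demo():
    sk_p = derive_sk_p(CLUSTER_TICKET_KEY, NONCE_I, NONCE_R)
    msg = b"IKE_AUTH response body (constructed)"
    idr_a = b"192.0.2.1"  # gateway that issued the ticket (RFC 5737 test address)
    idr_b = b"192.0.2.2"  # backup gateway in the same cluster, different IDr
    auth_b = compute_auth(sk_p, idr_b, msg)  # backup gateway answers the resumption
    return {
        "accepted_without_policy": initiator_check(sk_p, idr_b, msg, auth_b, idr_a)[0],
        "rejected_by_strict_policy": not initiator_check(sk_p, idr_b, msg, auth_b, idr_a)[1],
        "accepted_by_cluster_policy": initiator_check(sk_p, idr_b, msg, auth_b, idr_a, (idr_b,))[1],
    }


if __name__ == "__main__":
    print(demo())
```

The AUTH from the backup gateway verifies regardless of the IDr it presents; whether a changed IDr is accepted is decided entirely by the initiator's own policy.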