Scott C Moonen writes:
> > > > We've interpreted it as follows: 1) the old IKE SA's PRF is used to
> > > > produce SKEYSEED, but 2) the new IKE SA's PRF is used to produce SK_x.
> > >
> > > Hmm... when reading my code, it seems I do the same, but when I read
> > > the text I interpreted it differently, so I think we need some
> > > clarification text there...
> >
> > Can either of you propose the new text?
>
> Here's a first shot. I think we can move the paragraph later on (starting
> with "SK_d, ...") adjacent to this paragraph to produce:
>
>    The old and new IKE SA may have selected a different PRF. Because
>    the rekeying exchange belongs to the old IKE SA, it is the old IKE
>    SA's PRF that is used to generate SKEYSEED.
>
>    SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED as
>    specified in Section 2.14, using SPIi, SPIr, Ni, and Nr from the new
>    exchange, and using the new IKE SA's PRF.

That looks good.
-- 
kivi...@iki.fi
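
The two-step derivation agreed on in this thread, as an added example that is not part of the original messages or of any implementation discussed in them. It assumes HMAC-based PRFs, the IKEv2 rekey formula SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr) and the prf+ construction from the IKEv2 specification (neither is quoted in the thread); all function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac

def prf(alg, key, data):
    """HMAC-based IKEv2 PRF; alg is a hashlib name such as "sha1"."""
    return hmac.new(key, data, alg).digest()

def prf_plus(alg, key, seed, length):
    """prf+ expansion: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ output limited to 255 blocks")
        block = prf(alg, key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def rekey_ike_sa(old_prf, new_prf, old_sk_d, g_ir, ni, nr, spi_i, spi_r,
                 integ_len, encr_len):
    """Derive the new IKE SA's keys; key lengths are in bytes."""
    # Step 1: the rekey exchange belongs to the old IKE SA, so SKEYSEED
    # is produced with the OLD SA's PRF, keyed by the old SK_d.
    skeyseed = prf(old_prf, old_sk_d, g_ir + ni + nr)
    # Step 2: SK_x are expanded from SKEYSEED with the NEW SA's PRF.
    # Assumption: SK_d length equals the HMAC PRF's output size.
    sizes = [("SK_d", hashlib.new(new_prf).digest_size),
             ("SK_ai", integ_len), ("SK_ar", integ_len),
             ("SK_ei", encr_len), ("SK_er", encr_len)]
    stream = prf_plus(new_prf, skeyseed, ni + nr + spi_i + spi_r,
                      sum(n for _, n in sizes))
    keys, offset = {"SKEYSEED": skeyseed}, 0
    for name, n in sizes:
        keys[name] = stream[offset:offset + n]
        offset += n
    return keys

# Constructed sample inputs (not real traffic).
OLD_SK_D = bytes(range(20))
G_IR = b"\xaa" * 256
NI, NR = b"\x01" * 32, b"\x02" * 32
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8

if __name__ == "__main__":
    keys = rekey_ike_sa("sha1", "sha256", OLD_SK_D, G_IR, NI, NR,
                        SPI_I, SPI_R, integ_len=32, encr_len=32)
    for name, value in keys.items():
        print(f"{name:8} {len(value):2} bytes  {value.hex()}")
```

With the old SA on HMAC-SHA1 and the new SA on HMAC-SHA256, SKEYSEED comes out at 20 bytes while SK_d comes out at 32 bytes, which makes a peer that applies one PRF to both steps easy to spot in interoperability testing.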