Hi,
I have some comments concerning the draft.
1. As far as I understand, only one data channel can be created
within one IKE SA. So, if an application needs several different channels,
it has to create several separate IKE SAs, performing authentication
several times (probably involving human activity, if EAP is used).
This makes the whole architecture not so lightweight.
2. Nothing is said about channel deletion. I presume it exists
until the IKE SA is deleted, right?
3. Could this IKE SA be used for other purposes,
for example to create Child SAs as usual,
or must it be explicitly dedicated to the IKE Data channel?
4. In Section 8.1, in the description of Protocol ID:
according to RFC 5996 this field MUST be zero
if the SPI Size field is zero.
Regards,
Valery Smyslov.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
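The rule behind point 4 is the Notify payload definition in RFC 5996, Section 3.10: a notification that carries no SPI (SPI Size zero) MUST be sent with Protocol ID zero, and a receiver MUST ignore the field in that case; a notification that does carry an SPI concerns a Child SA and uses Protocol ID 2 (AH) or 3 (ESP). The following is an added example written for this page, not code from the draft under discussion or from its author. It builds and parses the Notify body that follows the generic payload header, enforces the sender-side MUSTs, applies the lenient receive-side rule, and offers a strict lint for checking what a peer implementation emits. The notify type constants are taken from RFC 5996; the sample bytes are constructed here.

```python
"""IKEv2 Notify payload body (RFC 5996, Section 3.10): builder, parser, lint.

Layout after the generic payload header (constructed here from the RFC text):

    Protocol ID (1) | SPI Size (1) | Notify Message Type (2) | SPI (SPI Size) | Data
"""
import struct

PROTO_NONE, PROTO_IKE, PROTO_AH, PROTO_ESP = 0, 1, 2, 3

# Notify Message Type values from RFC 5996, Section 3.10.1.
INVALID_SELECTORS = 39
INITIAL_CONTACT = 16384
REKEY_SA = 16393


def build_notify(msg_type: int, spi: bytes = b"", proto_id: int = PROTO_NONE,
                 data: bytes = b"") -> bytes:
    """Serialise a Notify body, enforcing the sender-side MUSTs of Section 3.10."""
    if spi:
        # A notification carrying an SPI concerns a Child SA, so the type is AH or ESP.
        if proto_id not in (PROTO_AH, PROTO_ESP):
            raise ValueError("SPI present: Protocol ID MUST be 2 (AH) or 3 (ESP)")
        if len(spi) != 4:
            raise ValueError("AH/ESP SPIs are 4 octets")
    elif proto_id != PROTO_NONE:
        # The point raised about Section 8.1: no SPI means Protocol ID MUST be sent as zero.
        raise ValueError("Protocol ID MUST be zero when SPI Size is zero")
    return struct.pack("!BBH", proto_id, len(spi), msg_type) + spi + data


def parse_notify(body: bytes) -> dict:
    """Parse a Notify body with the receive-side rule: when SPI Size is zero the
    Protocol ID MUST be ignored, so it is normalised to zero rather than rejected."""
    if len(body) < 4:
        raise ValueError("truncated Notify body")
    proto_id, spi_size, msg_type = struct.unpack("!BBH", body[:4])
    if len(body) < 4 + spi_size:
        raise ValueError("SPI Size exceeds payload length")
    spi = body[4:4 + spi_size]
    if spi_size == 0:
        proto_id = PROTO_NONE  # MUST be ignored on receipt
    elif proto_id not in (PROTO_AH, PROTO_ESP):
        raise ValueError("SPI present but Protocol ID is not AH or ESP")
    return {"protocol_id": proto_id, "type": msg_type, "spi": spi,
            "data": body[4 + spi_size:]}


def lint_notify(body: bytes) -> list:
    """Strict check of a Notify body a peer produced; returns the MUSTs it violates.
    Useful as a conformance test for an implementation of the draft, since a
    lenient receiver (parse_notify) would silently accept the first case."""
    if len(body) < 4:
        return ["truncated Notify body"]
    proto_id, spi_size, _ = struct.unpack("!BBH", body[:4])
    problems = []
    if spi_size == 0 and proto_id != PROTO_NONE:
        problems.append("Protocol ID MUST be zero when SPI Size is zero")
    if spi_size and proto_id not in (PROTO_AH, PROTO_ESP):
        problems.append("SPI present but Protocol ID is not AH (2) or ESP (3)")
    if len(body) < 4 + spi_size:
        problems.append("SPI Size exceeds payload length")
    return problems


if __name__ == "__main__":
    ok = build_notify(INITIAL_CONTACT)                       # 00 00 40 00
    rekey = build_notify(REKEY_SA, spi=b"\x01\x02\x03\x04",  # 03 04 40 09 01 02 03 04
                         proto_id=PROTO_ESP)
    bad = b"\x01\x00\x40\x00"  # constructed: Protocol ID 1 with SPI Size 0
    print(ok.hex(), parse_notify(rekey), parse_notify(bad), lint_notify(bad))
```

The asymmetry between build_notify and parse_notify is deliberate: the RFC's "MUST be ignored on receipt" means a conforming receiver cannot treat a non-zero Protocol ID as an error, so the strict form of the check belongs in the sender and in the lint used to test a sender.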