On Oct 30, 2013, at 9:23 AM, Valery Smyslov <sva...@gmail.com> wrote:
> Hi Yoav,
>
>> Third version of this draft, now including Tero's comments.
>
> Some comments on the new version.
>
> First, some stuff seems to be left from the previous version, which
> supposed that new IKE SPIs are sent in both directions:
> - third bullet in Section 2.2
> - figure 2 in Section 3

Right. Will fix.

> Then, there is a related issue with re-authentication.
> Your draft says that re-authentication is done as part of a risk management
> policy. Usually it is a security gateway that enforces such a policy.
> The problem is that with EAP authentication, the gateway cannot
> initiate re-authentication. The only thing it can do is delete the existing
> IKE SA in the hope that the client will reestablish it anew. And with
> this behaviour your draft becomes much less useful.
>
> I think that it could be solved if we define a new notification
> that could be optionally sent from gateway to client, informing him
> that the gateway is going to delete the IKE SA in some time
> interval (indicating that interval in the notification).
> If cafr is supported by the client and he is willing to use it, the
> client will start re-authentication before the end of
> the interval. If not, the gateway will just delete the IKE SA
> after the interval has ended.

Good idea! :-)

http://tools.ietf.org/html/rfc4478

Think I should mention that in the draft?

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
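As an added illustration (not part of the thread above), the gateway-to-client "I will delete this IKE SA in N seconds" signal that Valery describes is what RFC 4478 already provides as the AUTH_LIFETIME status notification (Notify Message Type 16403, four-octet lifetime in seconds) carried in an IKEv2 Notify payload (RFC 7296 section 3.10). The encoder, decoder and the client-side scheduling helper below are example code; the 60-second safety margin is an assumed policy value, not something the RFC specifies.

```python
import struct

AUTH_LIFETIME = 16403   # IKEv2 Notify status type defined by RFC 4478
NO_NEXT_PAYLOAD = 0     # Next Payload value for the last payload in a message


def build_auth_lifetime_notify(lifetime_s: int, next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    """Encode a Notify payload carrying AUTH_LIFETIME.

    Layout: generic header (Next Payload, Critical/Reserved, Length),
    then Protocol ID (0: not SA-specific), SPI Size (0), Notify Type,
    then the 4-octet lifetime in seconds.
    """
    if not 0 <= lifetime_s <= 0xFFFFFFFF:
        raise ValueError("lifetime must fit in 32 bits")
    body = struct.pack("!BBH", 0, 0, AUTH_LIFETIME) + struct.pack("!I", lifetime_s)
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_notify(payload: bytes):
    """Decode any Notify payload into (next_payload, notify_type, spi, data).

    Length is checked against the buffer so a truncated or padded payload
    is rejected instead of being silently misparsed.
    """
    if len(payload) < 8:
        raise ValueError("payload shorter than minimal Notify")
    next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match buffer")
    _proto, spi_size, ntype = struct.unpack("!BBH", payload[4:8])
    if 8 + spi_size > len(payload):
        raise ValueError("SPI runs past end of payload")
    return next_payload, ntype, payload[8:8 + spi_size], payload[8 + spi_size:]


def auth_lifetime_seconds(payload: bytes) -> int:
    """Return the announced lifetime, or raise if this is not a valid AUTH_LIFETIME."""
    _, ntype, spi, data = parse_notify(payload)
    if ntype != AUTH_LIFETIME or spi or len(data) != 4:
        raise ValueError("not a well-formed AUTH_LIFETIME notification")
    return struct.unpack("!I", data)[0]


def reauth_delay(lifetime_s: int, margin_s: int = 60) -> int:
    """Client side: seconds to wait before starting re-authentication, so it
    completes before the gateway's announced deletion deadline (assumed margin)."""
    return max(0, lifetime_s - margin_s)
```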