One of the differences between RFC 5996 and RFC 4306 is in rekeying, where RFC 5996 section 2.8 
states:

"Note that, when rekeying, the new Child SA SHOULD NOT have different Traffic 
Selectors and algorithms than the old one."

Additionally, section 1.3.3 (which also addresses rekeying) of the same RFC 
states:

"The Traffic Selectors for traffic to be sent on that SA are specified in the 
TS payloads in the response, which may be a subset of what the initiator of the 
Child SA proposed."

I think these sentences leave some room for interpretation as to what the 
CREATE_CHILD_SA request message can contain in the rekeying scenario.
When a node initiates rekeying of a Child SA using the CREATE_CHILD_SA message 
exchange, which traffic selectors is it allowed to include in the CREATE_CHILD_SA 
request? Do they have to be identical to the negotiated traffic selectors 
of the old Child SA (i.e. the traffic selectors received in the original 
CREATE_CHILD_SA response for that SA), or can they, for example, be the same 
traffic selectors as originally proposed in the CREATE_CHILD_SA request for the 
old Child SA?

There is a strange sentence related to this topic in section 1.7, "Significant 
Differences between RFC 4306 and This Document":

"The new Section 2.9.2 covers Traffic Selectors in rekeying."

but there does not seem to be a section 2.9.2 in the document?!

Is this an editorial mistake or something missing?

As the RFC has a similar statement for the negotiated algorithms (i.e. 
encryption, integrity), the same question pops up there: should the 
CREATE_CHILD_SA request only include the algorithms used by the old Child SA, 
or can it include all the algorithms originally proposed?

Regards Pål
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

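A worked model of the traffic-selector narrowing rule that the quoted RFC text refers to, added here as an illustration; it is not part of Pål's message and not code from any IKE implementation. It assumes a minimal traffic selector representation (IP protocol, port range, IPv4 address range), hypothetical helper names (`ts`, `is_narrowing`, `responder_narrow`, `rekey_ts_matches_old`), and constructed sample selectors. It shows what "a subset of what the initiator proposed" (section 1.3.3) and "SHOULD NOT have different Traffic Selectors" (section 2.8) mean mechanically, without settling the interpretation question raised above about what the rekey request itself may carry.

```python
"""Traffic-selector (TS) narrowing and rekey checks for IKEv2 CREATE_CHILD_SA.

Added example, not from the thread or any IKE stack. Models RFC 5996
section 1.3.3 / 2.9 (the responder's TS may be a subset of the proposal)
and section 2.8 (a rekeyed Child SA SHOULD NOT change its TS).
Helper names and sample selectors are assumptions made for the example.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

ANY_PROTO = 0  # IKEv2 TS "IP protocol ID" 0 means any protocol


@dataclass(frozen=True)
class TS:
    """One traffic selector: protocol, inclusive port range, inclusive IPv4 range."""
    proto: int
    start_port: int
    end_port: int
    start_addr: ipaddress.IPv4Address
    end_addr: ipaddress.IPv4Address

    def __post_init__(self) -> None:
        if self.start_port > self.end_port or self.start_addr > self.end_addr:
            raise ValueError("empty traffic selector")

    def covers(self, other: "TS") -> bool:
        """True if 'other' is entirely inside this selector."""
        proto_ok = self.proto == ANY_PROTO or self.proto == other.proto
        return (proto_ok
                and self.start_port <= other.start_port
                and other.end_port <= self.end_port
                and self.start_addr <= other.start_addr
                and other.end_addr <= self.end_addr)

    def intersect(self, other: "TS") -> Optional["TS"]:
        """Overlap of two selectors, or None when they do not overlap."""
        if ANY_PROTO not in (self.proto, other.proto) and self.proto != other.proto:
            return None
        proto = other.proto if self.proto == ANY_PROTO else self.proto
        sp, ep = max(self.start_port, other.start_port), min(self.end_port, other.end_port)
        sa, ea = max(self.start_addr, other.start_addr), min(self.end_addr, other.end_addr)
        if sp > ep or sa > ea:
            return None
        return TS(proto, sp, ep, sa, ea)


def ts(cidr: str, proto: int = ANY_PROTO, ports: Tuple[int, int] = (0, 65535)) -> TS:
    """Build a TS from a CIDR block, an optional protocol and an optional port range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return TS(proto, ports[0], ports[1], net.network_address, net.broadcast_address)


def is_narrowing(proposed: List[TS], chosen: List[TS]) -> bool:
    """Section 2.9 check: every chosen TS must lie inside some proposed TS,
    and the responder must choose at least one selector."""
    return bool(chosen) and all(any(p.covers(c) for p in proposed) for c in chosen)


def responder_narrow(proposed: List[TS], policy: List[TS]) -> List[TS]:
    """What a responder may return: the proposal intersected with local policy."""
    out: List[TS] = []
    for p in proposed:
        for pol in policy:
            i = p.intersect(pol)
            if i is not None and i not in out:
                out.append(i)
    return out


def rekey_ts_matches_old(old: List[TS], new: List[TS]) -> bool:
    """Section 2.8 check: the rekeyed Child SA's TS set equals the old SA's."""
    return set(old) == set(new)


if __name__ == "__main__":
    # Constructed sample: initiator proposes a /16, responder policy allows only
    # TCP/443 inside one /24 of it.
    proposal = [ts("10.0.0.0/16")]
    policy = [ts("10.0.1.0/24", proto=6, ports=(443, 443))]
    negotiated = responder_narrow(proposal, policy)
    print("negotiated:", negotiated)
    print("responder narrowed the proposal:", is_narrowing(proposal, negotiated))
    # Rekey: re-sending the negotiated set matches the old SA; re-sending the
    # original broad proposal does not, which is the ambiguity Pål asks about.
    print("rekey with negotiated TS matches old SA:", rekey_ts_matches_old(negotiated, negotiated))
    print("rekey with original proposal matches old SA:", rekey_ts_matches_old(negotiated, proposal))
```

The model treats a TS list as a set of ranges and checks containment per selector; it ignores the section 2.9 special case where the first TS in a list carries the triggering packet's specific addresses, and it handles IPv4 only.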