Paul Wouters writes:
> Has anyone done support for SCTP in IKEv2 ? (or even in IKEv1?)
> 
> If so, how are the SA's negotiated? a matrix of src/dst addresses
> as separate CREATE_CHILD_SA's ? Or multiple traffic selector payloads
> in a single CHILD SA?
> 
> It seems IKEv1 ID_LIST is not present in IKEv2 anymore?

There is no need for ID_LIST, as a traffic selector payload can have
multiple traffic selectors in it, similar to what ID_LIST did. I.e.,
you can have each IP address as a separate traffic selector in the
traffic selector payload and create one Child SA for SCTP. If you need
to add more addresses later, you can rekey the Child SA and add more
traffic selectors to the same Child SA. You cannot remove an IP address
in this way, as section 2.9.2 says you MUST NOT propose narrower
selectors when rekeying, so in that case you need to create a new
Child SA and remove the old one.
-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
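
The approach described in the reply above, as an added example that is not part of the original message: one traffic selector payload body carrying one selector per SCTP endpoint address, plus a check that a rekey proposal does not narrow the existing selectors. The wire layout follows RFC 7296 section 3.13; the function names and the documentation-range addresses are assumptions made for illustration, and the narrowing check is a conservative per-selector comparison.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS type, RFC 7296 section 3.13.1
IPPROTO_SCTP = 132       # IANA protocol number for SCTP


def ts(addr, proto=IPPROTO_SCTP, start_port=0, end_port=65535):
    """One single-address selector: (proto, start_port, end_port, start, end)."""
    a = int(ipaddress.IPv4Address(addr))
    return (proto, start_port, end_port, a, a)


def encode_ts_body(selectors):
    """Body of a TSi/TSr payload (what follows the 4-octet generic header)."""
    out = struct.pack("!B3x", len(selectors))      # Number of TSs + RESERVED
    for proto, sp, ep, start, end in selectors:
        # TS type, IP protocol ID, selector length (16 for IPv4), ports, range
        out += struct.pack("!BBHHHII", TS_IPV4_ADDR_RANGE, proto, 16,
                           sp, ep, start, end)
    return out


def covers(wide, narrow):
    """True if selector `wide` admits every packet that `narrow` admits."""
    proto_ok = wide[0] in (0, narrow[0])           # protocol 0 means "any"
    return (proto_ok and wide[1] <= narrow[1] and narrow[2] <= wide[2]
            and wide[3] <= narrow[3] and narrow[4] <= wide[4])


def rekey_is_narrower(current, proposed):
    """True if some current selector is not covered by a proposed selector.

    Conservative: coverage by a union of several proposed selectors
    is not recognised and is reported as narrowing.
    """
    return not all(any(covers(p, c) for p in proposed) for c in current)


# Constructed sample: a multihomed SCTP endpoint (documentation addresses).
CURRENT = [ts("192.0.2.10"), ts("198.51.100.10")]
ADD_ADDR = CURRENT + [ts("203.0.113.10")]   # rekey that adds an address
DROP_ADDR = CURRENT[:1]                     # rekey that drops an address

if __name__ == "__main__":
    print(encode_ts_body(CURRENT).hex())
    print("add narrows:", rekey_is_narrower(CURRENT, ADD_ADDR))
    print("drop narrows:", rekey_is_narrower(CURRENT, DROP_ADDR))
```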
