I agree. This was also noted in
http://www.rfc-editor.org/errata_search.php?rfc=4718
Best regards,
Pasi
(not wearing any hats)
> -Original Message-
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of ext Paul Hoffman
> Sent: 17 January, 2010 18:07
> To: IPsecme WG
> Subject: [IPsec] Issue #135: Which IKE SA inherits a Child SA?
>
> Section 2.8.2 seems to have quite fatal error:
>
> The new IKE SA containing the lowest nonce inherits the Child
> SAs.
>
> This is wrong. The one containing the lowest nonce, is the one that is
> going to be deleted, not the one that survives. This needs to be
> changed to:
>
> The new IKE SA containing the lowest nonce SHOULD be deleted by the
> node that created it and the other surviving new IKE SA MUST inherit all
> the Child SAs.
>
> Note, that I used words MUST here as this is one of the few cases where
> the correct behavior is really needed for interoperability reasons. It
> is not needed for simultaneous Child SA cases, as traffic continues to
> flow, even if they do not delete the losing Child SA (we just have one
> extra Child SA). In this case it is important for the interoperability
> that both ends AGREE on which new IKE SA inherited the Child SAs from
> the old IKE SA. If they disagree then all IKE SAs are messed up and
> future rekeys, deletes etc will fail. Deleting the losing IKE SA is
> not necessarily needed for interoperability so that's why that is SHOULD
> (just like it is in the child SA case), but moving Child SAs to correct
> IKE SA is MUST.
>
> --Paul Hoffman, Director
> --VPN Consortium
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
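The rule proposed in the quoted message, as an added example that is not part of the thread or of any IKEv2 implementation: each endpoint independently picks the new IKE SA that holds the lowest of the four nonces as the loser and moves every Child SA of the old IKE SA to the other one. The class and function names, the peer labels and the short nonces are constructed for illustration, and the octet-by-octet comparison (a nonce that ends first is the lower one) is the one given in RFC 7296, section 2.8.1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyExchange:
    creator: str   # endpoint that initiated this IKE SA rekey exchange
    ni: bytes      # initiator nonce of the exchange
    nr: bytes      # responder nonce of the exchange


def resolve_simultaneous_rekey(x, y):
    """Return (survivor, loser) for two colliding IKE SA rekey exchanges."""
    # Python orders bytes octet by octet, and a proper prefix sorts lower,
    # which matches the nonce comparison assumed in the lead-in.
    low_x, low_y = min(x.ni, x.nr), min(y.ni, y.nr)
    if low_x == low_y:
        raise ValueError("same lowest nonce in both exchanges, no tie-break")
    # The exchange holding the overall lowest nonce loses.
    return (y, x) if low_x < low_y else (x, y)


def plan_for(local, old_child_sas, x, y):
    """What the endpoint named `local` does once both exchanges completed."""
    survivor, loser = resolve_simultaneous_rekey(x, y)
    return {
        # MUST: both ends have to agree on this value
        "inheriting_ike_sa": survivor.creator,
        "child_sas_moved": sorted(old_child_sas),
        # SHOULD: only the creator of the losing new IKE SA deletes it
        "delete_own_new_ike_sa": loser.creator == local,
    }


# Constructed sample data (real IKEv2 nonces are at least 16 octets long).
BY_A = RekeyExchange("A", bytes.fromhex("7f01aabb"), bytes.fromhex("90221005"))
BY_B = RekeyExchange("B", bytes.fromhex("7f01"), bytes.fromhex("c3004419"))
OLD_CHILD_SAS = ["esp-0x1001", "esp-0x1002"]

if __name__ == "__main__":
    # Each peer lists its own exchange first; the outcome must not depend on it.
    print(plan_for("A", OLD_CHILD_SAS, BY_A, BY_B))
    print(plan_for("B", OLD_CHILD_SAS, BY_B, BY_A))
```

The sample includes a nonce that is a prefix of another, the case where comparing nonces as integers instead of octet strings could make the two ends disagree.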