pasi.ero...@nokia.com writes:
Tero Kivinen wrote:
But now Bob cannot meet the requirement new SA MUST NOT be narrower
than the old one, because it would violate his policy.
This depends which happens first, algorithm selection or narrowing. In
most cases the first thing happens
pasi.ero...@nokia.com writes:
I agree that rekeying is currently not very easy to understand. But
e.g. early drafts of ikev2-clarifications (-00 and -01) included some
text wondering about what exactly N(REKEY_SA) means (that is, what is
different when you do/don't include REKEY_SA in
Dan McDonald described a worse case scenario.
It had the advantage that communication that could continue did
continue. It had the disadvantage that the traffic to port 2112
got delayed because we needed the packet contents to get the policy
right. This is bad due to the delay.
It required
At 2:18 PM +0300 4/29/09, Tero Kivinen wrote:
...
In most case I would not expect Bob to create the old SA that way at
all, as it would require it to combine two SPD rules together when
accepting such entry. As the SPD entries are ordered list that would
mean it was combining two entries which
pasi.ero...@nokia.com writes:
Tero Kivinen wrote:
Paul Hoffman writes:
It was pointed out that (a) this is a new MUST and
Yes, but it can mostly be already deducted from the requirement that
end node cannot violate its own policy, meaning it needs to delete
Child SA which are not
Tero Kivinen wrote:
Paul Hoffman writes:
It was pointed out that (a) this is a new MUST and
Yes, but it can mostly be already deducted from the requirement that
end node cannot violate its own policy, meaning it needs to delete
Child SA which are not following his policy. If that is
Paul Hoffman writes:
It was pointed out that (a) this is a new MUST and
Yes, but it can mostly be already deducted from the requirement that
end node cannot violate its own policy, meaning it needs to delete
Child SA which are not following his policy. If that is already done,
there is no point
All,
I'm not sure my opinion counts since Paul called for WG input. In any
event, it seems to me that rekeying a CHILD_SA the way its currently done
seems more like creating a new CHILD_SA, especially since the SA, TSi, TSr,
and the optional N(TRANSPORT_MODE) Payloads are included.
Rekeying a
Greetings again. During discussion with the other authors of IKEv2bis, we
discovered some problems with the proposed resolution to issue #12 about
traffic selectors when rekeying. The text I proposed to put in the document was
this:
-
2.9.2 Traffic Selectors in Rekeying
Rekeying is used to