Paul Hoffman writes:
> XX In section 2.8 the sentence:
>
>    Note that, when rekeying, the new Child SA SHOULD NOT have different
>    traffic selectors and algorithms than the old one.
>
> is in the wrong place; it is after the paragraph talking about IKE SA rekey.
> It should be moved to the previous paragraph, which talks about Child SA
> rekeying.
>
> [[ Response: It looks like the sentence is, in fact, in the right
> place. The whole paragraph reads: "To rekey a Child SA within an
> existing IKE SA, create a new, equivalent SA (see Section 2.17
> below), and when the new one is established, delete the old one.
> Note that, when rekeying, the new Child SA SHOULD NOT have different
> traffic selectors and algorithms than the old one." That is, indeed,
> talking about rekeying a Child SA. ]]
That text you quoted is not from draft-ietf-ipsecme-ikev2bis-06.txt, so I assume you have already fixed this bug. The text from draft-ietf-ipsecme-ikev2bis-06 says:

   To rekey a Child SA within an existing IKE SA, create a new, equivalent
   SA (see Section 2.17 below), and when the new one is established,
   delete the old one.

   To rekey an IKE SA, establish a new equivalent IKE SA (see Section 2.18
   below) with the peer to whom the old IKE SA is shared using a
   CREATE_CHILD_SA within the existing IKE SA. An IKE SA so created
   inherits all of the original IKE SA's Child SAs, and the new IKE SA is
   used for all control messages needed to maintain those Child SAs.
   After the new equivalent IKE SA is created, the initiator deletes the
   old IKE SA, and the Delete payload to delete itself MUST be the last
   request sent over the old IKE SA. Note that, when rekeying, the new
   Child SA SHOULD NOT have different traffic selectors and algorithms
   than the old one.

and here you can see that the last sentence of the last paragraph is in the wrong place. I assume you have already moved the sentence to the end of the previous paragraph.

-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec