RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Pasi.Eronen@nokia.com Thu, 27 October 2005 10:41 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EV5CM-00032X-TC; Thu, 27 Oct 2005 06:41:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EV5CK-000304-Mv for ipsec@megatron.ietf.org; Thu, 27 Oct 2005 06:41:28 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA20869 for <ipsec@ietf.org>; Thu, 27 Oct 2005 06:41:12 -0400 (EDT)
From: Pasi.Eronen@nokia.com
Received: from mgw-ext03.nokia.com ([131.228.20.95]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EV5Pe-0005vf-4S for ipsec@ietf.org; Thu, 27 Oct 2005 06:55:16 -0400
Received: from esebh107.NOE.Nokia.com (esebh107.ntc.nokia.com [172.21.143.143]) by mgw-ext03.nokia.com (Switch-3.1.7/Switch-3.1.7) with ESMTP id j9RAd1Z8008732; Thu, 27 Oct 2005 13:39:01 +0300
Received: from esebh101.NOE.Nokia.com ([172.21.138.177]) by esebh107.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 27 Oct 2005 13:41:18 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh101.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 27 Oct 2005 13:41:17 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5.7233.31
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Date: Thu, 27 Oct 2005 13:41:20 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2401AD858C@esebe105.NOE.Nokia.com>
Thread-Topic: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Thread-Index: AcXazz4LC+JuqQhfRU2iomXTXCKdgQAEXsMA
To: alejandro_perez@dif.um.es, ipsec@ietf.org
X-OriginalArrivalTime: 27 Oct 2005 10:41:17.0573 (UTC) FILETIME=[F6117350:01C5DAE2]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Content-Transfer-Encoding: quoted-printable
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
This is actually one of those issues we haven't reached consensus yet. It seems that we have consensus on the following: - It is mandatory to include one or more type 4 (D-H) transform substructures in the SA payload when rekeying the IKE_SA (Section 3.3.3). - Doing a new Diffie-Hellman exchange is not mandatory when rekeying the IKE_SA (e.g. Section 2.18 says that g^ir term is optional). Thus, although including a D-H transform substructure is mandatory, it can contain value "NONE". - Usually implementations will want to do a new D-H exchange when the IKE_SA is rekeyed; i.e., while NONE is allowed here, it's probably not the most common case. - Doing D-H is not mandatory when rekeying or creating a CHILD_SA. - When you're rekeying or creating a CHILD_SA, and you're not doing D-H, the KEi/KEr payloads are not included. My interpretation of the spec is that - When you're rekeying the IKE_SA, and you're not doing D-H, the KEi/KEr payloads are not included. But at least Tero and Paul disagreed with this conclusion back in April (i.e., you have to include a dummy KEi/KEr payloads even when you're not doing D-H --- but only the IKE_SA case, not in the CHILD_SA case)... There hasn't been much discussion about this since, though.. Best regards, Pasi -------------------- > From: Alejandro Perez Mendez > Sent: 27 October, 2005 11:16 > To: IPsec WG > Subject: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange > > In order to get a better clarification document, we report a > misprint found in the Appendix A. > > The clarifications document says in its section 5.1: > > << KEi and KEr are required for rekeying an IKE_SA.>> > > But in the "Appendix A. Exchanges and payloads" in the section > "A.5. CREATE_CHILD_SA exchange for rekeying the IKE_SA" shows: > > << A.5. CREATE_CHILD_SA exchange for rekeying the IKE_SA > > request --> SA, Ni, [KEi] > > response <-- SA, Nr, [KEr] >> > > where KEi and KEr seems to be optionals. > > Regards! > > Alejandro Pérez Méndez > Pedro J. Fernández Ruiz _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA… Alejandro Perez Mendez
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Alejandro Perez Mendez
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen