RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Pasi.Eronen@nokia.com Thu, 27 October 2005 10:41 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EV5CM-00032X-TC; Thu, 27 Oct 2005 06:41:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EV5CK-000304-Mv for ipsec@megatron.ietf.org; Thu, 27 Oct 2005 06:41:28 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA20869 for <ipsec@ietf.org>; Thu, 27 Oct 2005 06:41:12 -0400 (EDT)
From: Pasi.Eronen@nokia.com
Received: from mgw-ext03.nokia.com ([131.228.20.95]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EV5Pe-0005vf-4S for ipsec@ietf.org; Thu, 27 Oct 2005 06:55:16 -0400
Received: from esebh107.NOE.Nokia.com (esebh107.ntc.nokia.com [172.21.143.143]) by mgw-ext03.nokia.com (Switch-3.1.7/Switch-3.1.7) with ESMTP id j9RAd1Z8008732; Thu, 27 Oct 2005 13:39:01 +0300
Received: from esebh101.NOE.Nokia.com ([172.21.138.177]) by esebh107.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 27 Oct 2005 13:41:18 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh101.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 27 Oct 2005 13:41:17 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5.7233.31
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Date: Thu, 27 Oct 2005 13:41:20 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2401AD858C@esebe105.NOE.Nokia.com>
Thread-Topic: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Thread-Index: AcXazz4LC+JuqQhfRU2iomXTXCKdgQAEXsMA
To: alejandro_perez@dif.um.es, ipsec@ietf.org
X-OriginalArrivalTime: 27 Oct 2005 10:41:17.0573 (UTC) FILETIME=[F6117350:01C5DAE2]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Content-Transfer-Encoding: quoted-printable
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
This is actually one of those issues we haven't reached
consensus yet.
It seems that we have consensus on the following:
- It is mandatory to include one or more type 4 (D-H) transform
substructures in the SA payload when rekeying the IKE_SA
(Section 3.3.3).
- Doing a new Diffie-Hellman exchange is not mandatory when
rekeying the IKE_SA (e.g. Section 2.18 says that g^ir term
is optional). Thus, although including a D-H transform
substructure is mandatory, it can contain value "NONE".
- Usually implementations will want to do a new D-H exchange
when the IKE_SA is rekeyed; i.e., while NONE is allowed here,
it's probably not the most common case.
- Doing D-H is not mandatory when rekeying or creating a CHILD_SA.
- When you're rekeying or creating a CHILD_SA, and you're not
doing D-H, the KEi/KEr payloads are not included.
My interpretation of the spec is that
- When you're rekeying the IKE_SA, and you're not doing D-H,
the KEi/KEr payloads are not included.
But at least Tero and Paul disagreed with this conclusion back
in April (i.e., you have to include a dummy KEi/KEr payloads
even when you're not doing D-H --- but only the IKE_SA case,
not in the CHILD_SA case)...
There hasn't been much discussion about this since, though..
Best regards,
Pasi
--------------------
> From: Alejandro Perez Mendez
> Sent: 27 October, 2005 11:16
> To: IPsec WG
> Subject: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
>
> In order to get a better clarification document, we report a
> misprint found in the Appendix A.
>
> The clarifications document says in its section 5.1:
>
> << KEi and KEr are required for rekeying an IKE_SA.>>
>
> But in the "Appendix A. Exchanges and payloads" in the section
> "A.5. CREATE_CHILD_SA exchange for rekeying the IKE_SA" shows:
>
> << A.5. CREATE_CHILD_SA exchange for rekeying the IKE_SA
>
> request --> SA, Ni, [KEi]
>
> response <-- SA, Nr, [KEr] >>
>
> where KEi and KEr seems to be optionals.
>
> Regards!
>
> Alejandro Pérez Méndez
> Pedro J. Fernández Ruiz
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA… Alejandro Perez Mendez
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Alejandro Perez Mendez
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Pasi.Eronen
- RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHIL… Tero Kivinen