[IPsec] IKEv2: Moving Child SA traffic from an SA to a new SA when rekeying



Hello,

When rekeying an IKE SA, the traffic from the old (expiring) SA has to be moved to the new (rekeyed) SA. How is this done? Are equivalent Child SAs created for the rekeyed IKE SA and the ones in the old IKE SA deleted (by deleting the IKE SA), or is all data of the Child SA (SPIs, keys, etc.) copied as-is to the new SA?

As a visual example:

IKE SA A - Expiring                IKE SA B - Rekeyed
One Child SA                       New Child SA
SPI (incoming) 0x12345678          SPI (incoming) 0xABCDEFAB
Protocol AH                        Protocol AH
                                   Same cryptographic suite as A's Child SA

or

IKE SA A - Expiring                IKE SA B - Rekeyed
One Child SA                       Copy of Child SA from A
SPI (incoming) 0x12345678          SPI (incoming) 0x12345678
Protocol AH                        Protocol AH
                                   Same cryptographic suite as A's Child SA (copied)

From section 2.8, "inherits Child SAs" seems to refer to the second case (copying), but I would like to be 100% sure that this is the case.

Thanks for clarifications.

Regards,
Matthew


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.