Matthew,
It has to be Case #2. Nowhere in the CREATE_CHILD_SA - IKE_SA Rekey
exchange do you update to the other endpoint the new CHILD_SA SPIs -
without exchanging the CHILD_SA SPIs, you'll most definitely run into
interoperability issues, namely you'll start black-holing traffic. As a
result, it would be what you consider a copy. However, you shouldn't
really think about it in that way. Depending on implementation,
generally speaking - CHILD_SAs existing in a SAD would simply have an
object that essentially references the parenting IKE_SA. After the
successful IKE_SA Rekey, the CHILD_SA simply would update this object to
simply point to its new parent, the rekeyed IKE_SA. But to qualify, it
all really depends on implementation.
- Jeff Sun
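A small model of the behaviour Jeff describes, added here as an illustration and not code from the thread or from any IKE implementation. It keeps a toy Security Association Database in which each CHILD_SA holds a reference to its parent IKE_SA; on an IKE_SA rekey the children are re-pointed to the new IKE_SA with their SPIs and keys untouched, and the old IKE_SA is then deleted without tearing anything down. A second function shows the failure mode the reply warns about: deleting the old IKE_SA before its children have been moved removes the inbound SPI the peer is still using, so inbound traffic can no longer be matched. All SPI and key values are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IkeSa:
    spi_i: int                                   # IKE_SA initiator SPI
    spi_r: int                                   # IKE_SA responder SPI
    children: List["ChildSa"] = field(default_factory=list)


@dataclass
class ChildSa:
    spi_in: int          # inbound AH/ESP SPI, as negotiated with the peer
    protocol: str        # "AH" or "ESP"
    key: bytes           # traffic key derived in the CHILD_SA exchange
    parent: IkeSa        # the IKE_SA this CHILD_SA currently belongs to


class Sad:
    """Toy SAD: IKE_SAs keyed by SPI pair, CHILD_SAs keyed by inbound SPI."""

    def __init__(self) -> None:
        self.ike_sas: Dict[Tuple[int, int], IkeSa] = {}
        self.child_by_spi: Dict[int, ChildSa] = {}

    def add_ike_sa(self, ike: IkeSa) -> None:
        self.ike_sas[(ike.spi_i, ike.spi_r)] = ike

    def add_child(self, child: ChildSa) -> None:
        child.parent.children.append(child)
        self.child_by_spi[child.spi_in] = child

    def delete_ike_sa(self, ike: IkeSa) -> int:
        """Delete an IKE_SA together with every CHILD_SA still attached to it.
        Returns the number of CHILD_SAs torn down."""
        for child in ike.children:
            self.child_by_spi.pop(child.spi_in, None)
        torn_down = len(ike.children)
        ike.children.clear()
        self.ike_sas.pop((ike.spi_i, ike.spi_r), None)
        return torn_down

    def rekey_ike_sa(self, old: IkeSa, new: IkeSa) -> None:
        """Case 2 from the thread: the new IKE_SA inherits the CHILD_SAs.
        Child SPIs and keys are untouched; only the parent reference changes."""
        self.add_ike_sa(new)
        for child in list(old.children):
            child.parent = new
            new.children.append(child)
        old.children.clear()
        # The old IKE_SA now owns no children, so deleting it removes nothing else.
        self.delete_ike_sa(old)

    def lookup_inbound(self, spi: int) -> Optional[ChildSa]:
        """Resolve an inbound packet's SPI to its CHILD_SA (None = black hole)."""
        return self.child_by_spi.get(spi)


def rekey_demo() -> dict:
    """IKE_SA A is rekeyed to IKE_SA B; the peer keeps sending with SPI 0x12345678."""
    sad = Sad()
    ike_a = IkeSa(spi_i=0x1111, spi_r=0x2222)            # constructed values
    sad.add_ike_sa(ike_a)
    sad.add_child(ChildSa(spi_in=0x12345678, protocol="AH",
                          key=b"\x00" * 16, parent=ike_a))  # constructed key

    ike_b = IkeSa(spi_i=0x3333, spi_r=0x4444)            # constructed values
    sad.rekey_ike_sa(ike_a, ike_b)

    found = sad.lookup_inbound(0x12345678)
    return {
        "child_spi_unchanged": found is not None and found.spi_in == 0x12345678,
        "parent_is_rekeyed_ike_sa": found is not None and found.parent is ike_b,
        "old_ike_sa_gone": (0x1111, 0x2222) not in sad.ike_sas,
        "children_on_new_ike_sa": len(ike_b.children),
    }


def naive_delete_demo() -> int:
    """Delete the old IKE_SA without moving its children first: the inbound
    SPI no longer resolves, so the peer's traffic is black-holed.
    Returns the number of CHILD_SAs lost (-1 if the SPI unexpectedly survived)."""
    sad = Sad()
    ike_a = IkeSa(spi_i=0x1111, spi_r=0x2222)
    sad.add_ike_sa(ike_a)
    sad.add_child(ChildSa(spi_in=0x12345678, protocol="AH",
                          key=b"\x00" * 16, parent=ike_a))
    lost = sad.delete_ike_sa(ike_a)
    return lost if sad.lookup_inbound(0x12345678) is None else -1


if __name__ == "__main__":
    print(rekey_demo())
    print("CHILD_SAs lost by naive delete:", naive_delete_demo())
```

The point of the model is the order of operations: the parent pointer is updated first, and only then is the old IKE_SA deleted, so the delete finds no children to remove and the peer's SPI keeps resolving.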
Matthew Cini Sarreo wrote:
Hello,
When rekeying an IKE SA, the traffic from the old (expiring) SA has to
be moved to the new (rekeyed) SA. How does this come about? Are
equivalent Child SAs created for the rekeyed IKE SA and the
ones in the old IKE SA deleted (by deleting the IKE SA), or is all
data of the Child SA (SPIs, keys, etc.) copied as-is to the new SA?
As a visual example:
IKE SA A - Expiring              IKE SA B - Rekeyed
One Child SA                     New Child SA
SPI (incoming) 0x12345678        SPI (incoming) 0xABCDEFAB
Protocol AH                      Protocol AH
                                 Same cryptographic suite as A's Child SA

or

IKE SA A - Expiring              IKE SA B - Rekeyed
One Child SA                     Copy of Child SA from A
SPI (incoming) 0x12345678        SPI (incoming) 0x12345678
Protocol AH                      Protocol AH
                                 Same cryptographic suite as A's Child SA (copied)
From section 2.8, "inherits Child SAs" seems to refer to the second
case (copying) but I would like to be 100% sure that this is the case.
Thanks for clarifications.
Regards,
Matthew
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec