Hi,

On 5/26/09 10:10 PM, "Raj Singh" wrote:

> Hi Vijay,
>
> I have some questions on ikev2-redirect-10 draft.
>
> In section 5,
> ------
> Once the client sends an acknowledgment to the gateway, it SHOULD
> delete the existing security associations with the old gateway by
> sending an Informational message with a DELETE payload. The gateway
> MAY also decide to delete the security associations without any
> signaling from the client, again by sending an Informational message
> with a DELETE payload. However, it should allow sufficient time for
> the client to setup the required security associations with the new
> security gateway. This time period should be configurable on the
> gateway.
> -------
>
> Suppose after sending N[REDIRECT] in case of Gateway initiated redirect,
> there is a time gap for client to delete old SA and create new SA with
> redirected Gateway.
>
> During this time, IKE REKEY occurs from gateway or client, what should be
> the behavior, should it REKEY on old SA or defer the rekey?

The rekey should be deferred. The IKEv2 SA is going to be torn down anyway.

> Also, when deleting IKE SA, due to redirect, is there any way to know that
> this delete is due to redirect?

Well, the gateway redirected the client. If following that, there is a
delete from the client, the gateway would know that the IKEv2 SA is being
deleted because it redirected the client. Anyway, does it matter?

Vijay
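
A minimal gateway-side model of the behaviour discussed in this reply, as an added example that is not part of the original message or the draft: once N[REDIRECT] has been sent, a rekey that comes due is deferred, a DELETE from the client is attributed to the redirect from local state alone, and the gateway deletes the SA itself after a configurable grace period. The class, method and parameter names, the return strings and the 30-second default are all hypothetical.

```python
from enum import Enum

class State(Enum):
    ESTABLISHED = "established"
    REDIRECTED = "redirected"   # N[REDIRECT] sent, SA awaiting teardown
    DELETED = "deleted"

class GatewayIkeSa:
    """Hypothetical gateway-side view of one IKEv2 SA (times in seconds)."""

    def __init__(self, rekey_at, redirect_grace=30.0):
        self.state = State.ESTABLISHED
        self.rekey_at = rekey_at              # when the local rekey timer fires
        self.redirect_grace = redirect_grace  # configurable on the gateway
        self.redirected_at = None
        self.delete_reason = None

    def send_redirect(self, now):
        """Gateway-initiated redirect: Informational with N[REDIRECT] sent."""
        if self.state is State.ESTABLISHED:
            self.state = State.REDIRECTED
            self.redirected_at = now

    def on_rekey_timer(self, now):
        """Decide what to do when this side's rekey timer is checked."""
        if self.state is State.DELETED:
            return "ignore"
        if self.state is State.REDIRECTED:
            return "defer"    # SA is about to be torn down; do not rekey it
        return "rekey" if now >= self.rekey_at else "wait"

    def on_client_delete(self, now):
        """Client sent Informational with DELETE; infer why from local state."""
        if self.state is not State.DELETED:
            self.delete_reason = ("redirect" if self.state is State.REDIRECTED
                                  else "client-initiated")
            self.state = State.DELETED
        return self.delete_reason

    def tick(self, now):
        """Gateway MAY delete on its own once the grace period has elapsed."""
        if (self.state is State.REDIRECTED
                and now - self.redirected_at >= self.redirect_grace):
            self.state = State.DELETED
            self.delete_reason = "redirect-grace-expired"
            return "send-delete"
        return None
```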