At 3:51 PM -0400 6/26/09, Scott C Moonen wrote:
>ikev2bis says the following:
>
>   SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED as
>   specified in Section 2.14.
>
>Is it correct to assume that SPIi and SPIr as used in this rekey calculation
>are from the new, rekeyed IKE SA?

Yes. It would not make sense to have the new values be based on the old SPIs.

>Is it worth specifying that explicitly? Ni/Nr is more obvious, since those
>are explicitly exchanged with the CREATE_CHILD_SA rekey exchange. But the
>rekey exchange has two associated SPIs (the old SA's SPIs for the messages
>themselves, and the SPIs within the SA proposals), and it might be helpful to
>clarify this.

I will add this to the next version of the ikev2bis document.

--Paul Hoffman, Director
--VPN Consortium
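The derivation settled in this thread, as an added example that is not part of the original messages or of the ikev2bis text: SKEYSEED for the rekeyed IKE SA comes from the old SK_d, and prf+ is then seeded with Ni | Nr | SPIi | SPIr using the new SA's SPIs. The PRF (HMAC-SHA-256), the key lengths, the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed negotiated suite (not from the thread): PRF_HMAC_SHA2_256,
# 32-byte integrity keys, 16-byte encryption keys.
KEY_LENGTHS = (("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32),
               ("SK_ei", 16), ("SK_er", 16))

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ : T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ output limit exceeded")
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def rekey_ike_sa(old_sk_d, ni, nr, spi_i, spi_r, g_ir=b""):
    """Keys for the rekeyed IKE SA. spi_i/spi_r must be the NEW SA's SPIs
    (from the SA payloads), not the SPIs in the header of the rekey messages."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets")
    # SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
    skeyseed = prf(old_sk_d, g_ir + ni + nr)
    total = sum(n for _, n in KEY_LENGTHS)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, total)
    keys, offset = {}, 0
    for name, n in KEY_LENGTHS:
        keys[name] = stream[offset:offset + n]
        offset += n
    return keys

# Constructed sample values, for illustration only.
OLD_SK_D = bytes(range(32))
NI, NR = b"\x11" * 32, b"\x22" * 32
OLD_SPIS = (bytes.fromhex("a1" * 8), bytes.fromhex("b2" * 8))
NEW_SPIS = (bytes.fromhex("c3" * 8), bytes.fromhex("d4" * 8))

if __name__ == "__main__":
    right = rekey_ike_sa(OLD_SK_D, NI, NR, *NEW_SPIS)
    wrong = rekey_ike_sa(OLD_SK_D, NI, NR, *OLD_SPIS)
    for name in right:
        print(name, right[name].hex(), "differs:", right[name] != wrong[name])
```

A peer that seeds prf+ with the old SA's SPIs derives a different key set from a peer that uses the new ones, so the two sides cannot verify each other's messages on the rekeyed SA.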