Scott C Moonen writes:
> > I think it would simplify the implementations and the protocol by just
> > limiting that only responders can be token makers without losing any
> > of the functionality.
>
> I don't think we should limit this. First, rekeys can easily reverse the
> sense of who is initiator.

I was thinking about the original initiator, not the exchange initiator.

> Second, it is a stretch to assume that the underlying traffic
> pattern is always such that at all times the initiator's side is the
> one doing sending/retransmitting and can thus resurrect the SA.

I am not talking about traffic patterns, I am talking about the ability to recreate the SA. The reason the SGW in the normal case cannot simply recreate the IKE SA after the reboot is that it does not know who the other end was, i.e. it does not know their IP addresses, identities, the traffic selectors etc. used for that. The initiator has all this information in its configuration, as it already created the SAs in the first place earlier, so for it, it is enough to just start a new IKE SA with an INITIAL_CONTACT notification when it boots up.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec