<no hat> At 11:01 AM +0300 9/9/10, Tero Kivinen wrote:
>Scott C Moonen writes:
>> > I was thinking about the original initiator, not the exchange
>> > initiator.
>>
>> Ok, but this then imposes an awkward new requirement to remember the
>> "original original initiator," as it were. Today the initiator of the
>> rekey becomes the original initiator of the rekeyed IKE SA.
>
>True, we need some other term for it. Something like the original
>IKE_SA_INIT initiator or the party initiating the initial connection
>(i.e. triggering). Or simply say that the QCD_TOKENs in INFORMATIONAL
>exchanges and rekeys can only be sent by the peer who originally sent
>them in the IKE_AUTH, and in IKE_AUTH limit the QCD_TOKEN to the
>responder.
Is this added complexity really needed? It sounds like a dangerous addition. Please be sure the value is actually worth the risk.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec