I have a question about what is meant by 'equivalent' SAs wrt
rekeying. If someone has already addressed this, my apologies
and please point to the thread I missed. - thx.

In section 2.8 it talks about when rekeying a Child SA or an IKE SA, that
the peers should establish an 'equivalent' SA. The question I have
is what is meant by equivalent? Does that mean there can only be
one proposal in the SA when rekeying? And does that proposal have
to match the currently used algorithms for that SA (i.e. the new SA
must match the SA (as far as transforms) to be rekeyed)?

In section 2.18, 4th paragraph, it mentions that the 'old and new IKE SA
may have selected a different PRF. ...', which leads me to think that
we can re-negotiate the transforms during a rekey.


- thanks in advance for the help, Frank B.


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
