Paul Wouters <p...@nohats.ca> wrote:
> Or update the RFC with a clarification that deletes are allowed, but
> that the server who deleted a state, upon getting a ticket MUST check:
> - Its configuration is unchanged from when the ticket was issued (we do that)
> - The ticket's issue time plus the configuration's lifetime is not in
>   the past
> - The IKE SA should not have been rekeyed [tricky without keeping
>   state]

If the ticket was issued at time A (which is in the ticket), and the IKE SA
rekey time is intervals of time B, then had the SA been active alive at time
A+B, it would have been rekeyed, right?

So, if the current time is > A+B, then the IKE SA should have been rekeyed?
But, you allude to it requiring state, so there must be something I don't
understand.

>> The case of a cluster of gateways is not handled by the RFC. This is
>> alluded to at the end of the Introduction.

> that was an unfortunate easy way to not address the problem of syncing
> state between servers :)

Can you explain what the problem is if the ticket is used more than once
(with different gateways) within the time B? It seems that this is the only
thing that would require state to be exchanged.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
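The three checks Paul lists, with the time-based stand-in for "the IKE SA should not have been rekeyed" that Michael proposes (reject if now > A+B), as an added illustration that is not code from either poster or from any IKE implementation. The ticket layout, the field names, the fixed rekey interval B and the config digest are all assumptions made for the example; note that this stateless check cannot see a second use of the same ticket within B, which is exactly the multi-gateway case the reply asks about.

```python
import hashlib
import json
from dataclasses import dataclass


# Hypothetical, minimal resumption ticket carrying only what the checks
# need; this is NOT the RFC 5723 ticket format.
@dataclass(frozen=True)
class Ticket:
    issued_at: int           # time A (seconds) when the server issued it
    config_fingerprint: str  # digest of the server config at issue time
    lifetime: int            # lifetime (seconds) taken from that config


def config_fingerprint(config: dict) -> str:
    """Stable digest of a configuration, used to detect a config change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_ticket(ticket: Ticket, config: dict,
                 rekey_interval: int, now: int) -> tuple[bool, str]:
    """Return (accept, reason) for a ticket presented at time `now`.

    rekey_interval is the assumed fixed IKE SA rekey period B.
    """
    # 1. Configuration unchanged since the ticket was issued.
    if config_fingerprint(config) != ticket.config_fingerprint:
        return False, "configuration changed since ticket was issued"
    # 2. Issue time plus the configured lifetime is not in the past.
    if ticket.issued_at + ticket.lifetime < now:
        return False, "ticket lifetime expired"
    # 3. Stateless proxy for "SA should not have been rekeyed": an SA
    #    still alive at A+B would have been rekeyed, so a ticket older
    #    than B is treated as belonging to an SA that no longer exists.
    #    A replay of the same ticket *within* B is not detected here.
    if now > ticket.issued_at + rekey_interval:
        return False, "IKE SA would have been rekeyed since issue time"
    return True, "ok"
```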
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec