Hi Matt. The relevant texts to read are section 3.11 of RFC 4306 and sections 5.6 and 5.7 of RFC 4718.
In the ikev2bis draft (http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-02) this information is reflected in sections 1.4.1 and 3.11.

Scott Moonen ([email protected])
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen

From: Matthew Cini Sarreo <[email protected]>
To: [email protected]
Date: 04/09/2009 05:12 AM
Subject: [IPsec] Correct use of Child SA SPIs in IKEv2

Hello,

When a Child SA is created, each endpoint will create a different SPI for the SA. If I understand correctly, this is called the incoming SPI, i.e. the SPI which would be expected to be seen in an incoming ESP or AH packet. Is this correct?

When deleting a Child SA, should the initiator (of the INFORMATIONAL exchange containing the Delete payload) state the incoming SPI value, the outgoing (that is, the SPI that the other peer assigned to the Child SA), or both?

If both are to be sent (this seems to make most sense), when does a peer receive the SPI that the other endpoint set for the Child SA? Would both be sent when creating the SA, in a fashion like it is done when creating the IKE SA?

Regards,
Matt
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
