Version 02 is in the mail.

> Hi Keith,
>
> I think this version makes a lot of sense.

Thanks.

> A few comments:
> I don't like the asymmetrical nature of the notification, which
> implies that only the original initiator can initiate the second
> IKE_AUTH. There may be cases when the responder would like to
> reauthenticate (e.g. mutual EAP with passwords). So I suggest to
> have both peers send the notification if they support this extension.

Fixed in version 02.

> Please say explicitly whether/how this extension interacts with RFC
> 6023: can the reauthenticated IKE SA be childless?

My intent was to permit reauthentication of a childless SA. That is now explicitly stated in version 02.

> The introduction mentions three problems. Please add text somewhere
> on how they are solved by this proposal.

I beefed up the introduction to state how these problems are solved in version 02.

> Typo in Sec. 4: "MUST be the same as the as the SPIs".

Fixed in 02.

> Thanks,
> Yaron
