Hi Yoav,

Third version of this draft, now including Tero's comments.

Some comments on the new version.

First, some stuff seems to be left over from the previous version, which
assumed that new IKE SPIs are sent in both directions:
- third bullet in Section 2.2
- figure 2 in Section 3

Then, there is a related issue with re-authentication.
Your draft says that re-authentication is done as part of a risk management
policy. Usually it is a security gateway that enforces such a policy.
The problem is that with EAP authentication, the gateway cannot
initiate re-authentication. The only thing it can do is delete the existing
IKE SA in the hope that the client will re-establish it anew. And with
this behaviour your draft becomes much less useful.

I think that it could be solved if we define a new notification
that could optionally be sent from the gateway to the client, informing it
that the gateway is going to delete the IKE SA in some time
interval (indicating that interval in the notification).
If cafr is supported by the client and it is willing to use it, the
client will start re-authentication before the end of
the interval. If not, the gateway will just delete the IKE SA
after the interval has ended.

Valery.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

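As an added illustration of the proposal in the message above (this is example code, not part of the thread, the draft, or any IKEv2 implementation): the notification is modelled as an IKEv2 Notify payload in the RFC 7296 wire layout (generic payload header, Protocol ID, SPI Size, Notify Message Type, then notification data), carrying the deletion interval as a 4-octet count of seconds. The Notify Message Type value, the payload name and the client's "start re-authentication at 80% of the interval" rule are all assumptions made for this example, as is the toy timeline that plays out both the supporting and the non-supporting client against the gateway's deletion deadline.

```python
import struct

# Hypothetical Notify Message Type for the proposed "IKE SA will be deleted
# in N seconds" status notification. The number is an assumption for this
# example only; RFC 7296 reserves 40960-65535 for private use.
NOTIFY_IKE_SA_DELETE_PENDING = 49152  # hypothetical, not registered

# Generic IKEv2 payload header: Next Payload (1), C bit + reserved (1),
# Payload Length (2). Notify body: Protocol ID (1), SPI Size (1),
# Notify Message Type (2), SPI (variable), Notification Data (variable).
_HDR = struct.Struct("!BBH")
_NOTIFY_FIXED = struct.Struct("!BBH")
_INTERVAL = struct.Struct("!I")


def encode_delete_pending_notify(interval_seconds: int, next_payload: int = 0) -> bytes:
    """Gateway side: build the Notify payload announcing deletion in N seconds.

    The notification refers to the IKE SA that carries it, so Protocol ID and
    SPI Size are 0 (status notification without an SPI field).
    """
    if not 0 <= interval_seconds <= 0xFFFFFFFF:
        raise ValueError("interval does not fit in 32 bits")
    body = _NOTIFY_FIXED.pack(0, 0, NOTIFY_IKE_SA_DELETE_PENDING) + _INTERVAL.pack(interval_seconds)
    header = _HDR.pack(next_payload, 0, _HDR.size + len(body))  # C bit clear
    return header + body


def parse_delete_pending_notify(buf: bytes) -> int:
    """Client side: validate the payload and return the interval in seconds."""
    if len(buf) < _HDR.size + _NOTIFY_FIXED.size:
        raise ValueError("payload too short")
    _next, _flags, length = _HDR.unpack_from(buf, 0)
    if length != len(buf):
        raise ValueError("payload length field does not match buffer")
    proto, spi_size, ntype = _NOTIFY_FIXED.unpack_from(buf, _HDR.size)
    if ntype != NOTIFY_IKE_SA_DELETE_PENDING:
        raise ValueError("not the delete-pending notification")
    if proto != 0 or spi_size != 0:
        raise ValueError("status notification must not carry an SPI")
    data = buf[_HDR.size + _NOTIFY_FIXED.size:]
    if len(data) != _INTERVAL.size:
        raise ValueError("notification data must be exactly 4 octets")
    return _INTERVAL.unpack(data)[0]


def plan_reauth_delay(interval_seconds: int) -> int:
    """Client policy (assumption): start re-authentication at 80% of the
    interval, but at least one second early, so the new IKE SA exists
    before the gateway's deadline expires."""
    margin = max(interval_seconds // 5, 1)
    return max(0, interval_seconds - margin)


def simulate(interval_seconds: int, client_supports_notification: bool) -> str:
    """Toy timeline of one gateway/client pair after the notification is sent.

    A supporting client re-authenticates before the interval ends and the
    gateway keeps the session (on the new IKE SA); a non-supporting client
    ignores the notification and the gateway deletes the IKE SA on time.
    """
    wire = encode_delete_pending_notify(interval_seconds)
    deadline = parse_delete_pending_notify(wire)  # gateway's announced interval
    if client_supports_notification:
        t_reauth = plan_reauth_delay(deadline)
        if t_reauth < deadline:
            return f"reauthenticated at t={t_reauth}s, IKE SA kept"
    return f"IKE SA deleted at t={deadline}s"


if __name__ == "__main__":
    print(encode_delete_pending_notify(300).hex())
    print(simulate(300, True))
    print(simulate(300, False))
```

The client's re-authentication here is a new IKE_SA_INIT/IKE_AUTH exchange it initiates itself; the notification only tells it when to do so, which is the whole point of the proposal, since with EAP the gateway cannot start that exchange.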