Hi,

Please find our draft "Clone IKE SA Extension":
http://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/

This extension indicates that during a rekey of an IKE_SA, the current IKE_SA MUST NOT be deleted, thus leaving two parallel IKE_SAs. This draft has been presented as draft-mglt-ipsecme-keep-old-ike-sa-00 in Berlin. This version adds the comments received from Valery, Yaron and Tero, both on the mailing list and during the meeting. Any comment is welcome!

I have two questions regarding this draft:

1) I specified in which exchange type the different payloads are expected to be found. CLONE_IKE_SA is sent in a CREATE_CHILD_SA exchange only. CLONE_IKE_SA_SUPPORTED is expected to be found in messages of type IKE_AUTH and INFORMATIONAL. Should we restrict it to IKE_AUTH?

2) The CLONE_IKE_SA Notify Payload in a CREATE_CHILD_SA exchange is included both by the initiator and by the responder. By doing so, the responder confirms everything is fine. On the other hand, we can assume that sending no error - once peers have agreed they support the extension - indicates it is fine. I would like your feedback on whether the responder should have this CLONE_IKE_SA Notify payload in the response or not.

-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
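The exchange described in the post, as an added toy model that is not part of the post, the draft, or any IKEv2 implementation. It uses only the notify names CLONE_IKE_SA and CLONE_IKE_SA_SUPPORTED and the RFC 7296 exchange names IKE_AUTH and CREATE_CHILD_SA; notify numbers, wire encoding, SA payloads, nonces and the SPI strings are left out or are placeholders. It models the restrictive answer to question 1 (support announced in IKE_AUTH only) and lets both options of question 2 be exercised: a responder that echoes CLONE_IKE_SA, and an initiator that either requires the echo or treats an error-free response as agreement. All policy choices are assumptions made for the example.

```python
"""Toy model of an IKE_SA rekey with the CLONE_IKE_SA notify.

Assumptions (not from the draft): SPIs are plain strings, an IKE_SA is
just a set membership, and no other payloads of the exchanges are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Notify names are taken from the post; their numeric values are not given
# there and are therefore not modelled.
CLONE_IKE_SA = "CLONE_IKE_SA"
CLONE_IKE_SA_SUPPORTED = "CLONE_IKE_SA_SUPPORTED"


@dataclass
class Message:
    exchange: str                          # "IKE_AUTH" or "CREATE_CHILD_SA"
    notifies: List[str] = field(default_factory=list)
    response: bool = False


@dataclass
class Peer:
    name: str
    supports_clone: bool
    ike_sas: Set[str] = field(default_factory=set)   # placeholder SPIs
    peer_supports_clone: bool = False

    # IKE_AUTH: announce support (question 1, restricted to IKE_AUTH).
    def build_ike_auth(self, response: bool = False) -> Message:
        notifies = [CLONE_IKE_SA_SUPPORTED] if self.supports_clone else []
        return Message("IKE_AUTH", notifies, response)

    def handle_ike_auth(self, msg: Message, sa: str) -> None:
        assert msg.exchange == "IKE_AUTH"
        self.peer_supports_clone = CLONE_IKE_SA_SUPPORTED in msg.notifies
        self.ike_sas.add(sa)

    # CREATE_CHILD_SA request: initiator asks for a rekey, optionally cloned.
    # CLONE_IKE_SA is only sent once both peers announced support.
    def build_rekey_request(self, clone: bool) -> Message:
        notifies = []
        if clone and self.supports_clone and self.peer_supports_clone:
            notifies.append(CLONE_IKE_SA)
        return Message("CREATE_CHILD_SA", notifies)

    # CREATE_CHILD_SA response: responder installs new_sa and keeps old_sa
    # only when CLONE_IKE_SA was requested and is supported. `echo` is the
    # question-2 knob: does the responder repeat CLONE_IKE_SA in its reply?
    def handle_rekey_request(self, msg: Message, old_sa: str, new_sa: str,
                             echo: bool) -> Message:
        assert msg.exchange == "CREATE_CHILD_SA" and old_sa in self.ike_sas
        self.ike_sas.add(new_sa)
        cloned = CLONE_IKE_SA in msg.notifies and self.supports_clone
        if not cloned:
            self.ike_sas.discard(old_sa)     # plain rekey: old IKE_SA goes away
        notifies = [CLONE_IKE_SA] if cloned and echo else []
        return Message("CREATE_CHILD_SA", notifies, response=True)

    # Initiator side. require_echo=True keeps the old SA only if the responder
    # confirmed with CLONE_IKE_SA; False takes an error-free response as
    # agreement (the two readings discussed in question 2).
    def handle_rekey_response(self, msg: Message, old_sa: str, new_sa: str,
                              requested_clone: bool, require_echo: bool) -> None:
        assert msg.exchange == "CREATE_CHILD_SA" and msg.response
        self.ike_sas.add(new_sa)
        keep_old = CLONE_IKE_SA in msg.notifies if require_echo else requested_clone
        if not keep_old:
            self.ike_sas.discard(old_sa)


def establish(init: Peer, resp: Peer, sa: str) -> None:
    """IKE_SA_INIT is out of scope; IKE_AUTH carries the capability notify."""
    resp.handle_ike_auth(init.build_ike_auth(), sa)
    init.handle_ike_auth(resp.build_ike_auth(response=True), sa)


def rekey(init: Peer, resp: Peer, old_sa: str, new_sa: str, *, clone: bool,
          responder_echoes: bool, initiator_requires_echo: bool
          ) -> Tuple[List[str], List[str]]:
    """Run one CREATE_CHILD_SA rekey; return both peers' resulting IKE_SA sets."""
    req = init.build_rekey_request(clone)
    rsp = resp.handle_rekey_request(req, old_sa, new_sa, echo=responder_echoes)
    init.handle_rekey_response(rsp, old_sa, new_sa,
                               requested_clone=CLONE_IKE_SA in req.notifies,
                               require_echo=initiator_requires_echo)
    return sorted(init.ike_sas), sorted(resp.ike_sas)


if __name__ == "__main__":
    a, b = Peer("A", True), Peer("B", True)
    establish(a, b, "spi1")
    print(rekey(a, b, "spi1", "spi2", clone=True,
                responder_echoes=True, initiator_requires_echo=True))
```

Running the four combinations shows the practical difference between the two answers to question 2: with a strict initiator and a responder that does not echo, the responder keeps both IKE_SAs while the initiator deletes the old one, so the spec has to pick one reading and mandate it on both sides.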
