> Well, here’s my list of requirements (and my opinions); did I miss any
> requirement that you think is important? What are your opinions about
> these requirements?
We have to be able to negotiate the use of these extensions.
I want to suggest something further: that we might want to negotiate use of
some of these extensions as a *rekey* of a "conventional" IKEv2 PARENT.
I.e. even the use of these extensions might be too big a red flag.
I really don't like the idea of a mandatory rekey to use these
extensions, for two reasons:
- This smells too much like SSL renegotiation, with issues like
QR-security of the original SA vs. the new SA coming up.
- I am sure a passive observer can distinguish an immediate rekey from
normal IPsec traffic, just using packet lengths and timing. So the red
flag is still there.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec