Hi,
We are looking at Opportunistic IPsec and supporting key rollover support. In IKEv1, the initiator used the responder's key first, and the responder could figure out which of its multiple keys the initiator used. But in IKEv2, the responder uses one of their keys and it does not really know which ones the initiator knows about. So we would like the initiator to indicate which key it is expecting the peer to use.

We could use the IDr payload in IKE_AUTH for that, using an ID_KEY_ID type. But we would also really like to use the IDr payload on the initiator to convey to the responder which FQDN we are expecting, so a responder could use a different key for each FQDN it is responsible for. While the responder could map ID_KEY_ID to FQDNs, it would be nice if we could send both pieces of information from the initiator.

I can see a few ways of doing this:

1) Allow sending two IDr payloads in the IKE_AUTH request.
2) Add a new NOTIFY type that takes an IDr payload, then send the real IDr payload and the NOTIFY containing the second IDr payload.
3) Add a new ID type that encodes both ID_FQDN and ID_KEY_ID, and send one IDr payload with that.
4) No change; use IDr ID_KEY_ID and leave it the implementer's problem to figure out keyid -> FQDN.

I've ordered these according to my preference. I'd like to hear other people's views on this :)

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

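To make the trade-off in option 4 concrete, here is an added example (not from the mail above or from any IKE implementation) that encodes and decodes an IKEv2 Identification payload per RFC 7296 section 3.5, then shows the responder-side lookup: with an ID_KEY_ID the responder can pick the exact key the initiator expects, while an ID_FQDN alone becomes ambiguous as soon as the responder holds more than one key for that name (the rollover case). The key table, key ids and FQDNs are constructed sample data; the payload header layout, ID type values and IDr payload number are the RFC's.

```python
import struct

# RFC 7296 section 3.5 Identification payload ID types (real values).
ID_FQDN = 2
ID_KEY_ID = 11
# RFC 7296 section 3.2 payload type number for IDr (real value).
PAYLOAD_IDR = 36


def encode_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Build an ID payload: generic header (Next Payload, C+RESERVED, Length),
    then ID Type, three RESERVED bytes, then Identification Data."""
    length = 8 + len(data)
    header = struct.pack("!BBHB3s", next_payload, 0, length, id_type, b"\x00" * 3)
    return header + data


def decode_id_payload(buf: bytes) -> tuple[int, bytes, int]:
    """Parse one ID payload from the start of buf.
    Returns (id_type, identification_data, next_payload)."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload header")
    next_payload, _flags, length, id_type, _reserved = struct.unpack("!BBHB3s", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("bad ID payload length")
    return id_type, buf[8:length], next_payload


# Constructed sample responder key store: key id -> (FQDN it serves, key material).
# vpn.example.com is mid-rollover and has two valid keys at once.
RESPONDER_KEYS = {
    b"key-2023": (b"vpn.example.com", b"<constructed-old-key>"),
    b"key-2024": (b"vpn.example.com", b"<constructed-new-key>"),
    b"key-mail": (b"mail.example.com", b"<constructed-mail-key>"),
}


def keys_for_fqdn(fqdn: bytes) -> list:
    """All (key id, key) pairs the responder holds for one FQDN."""
    return [(kid, key) for kid, (name, key) in RESPONDER_KEYS.items() if name == fqdn]


def select_responder_key(idr_payload: bytes):
    """Responder-side choice of which key to authenticate with, driven by the
    initiator's IDr. Returns (fqdn, key), or None if the key id is unknown.
    Raises ValueError when an FQDN-only IDr cannot single out one key."""
    id_type, data, _ = decode_id_payload(idr_payload)
    if id_type == ID_KEY_ID:
        # Option 4 from the mail: the key id alone identifies the key, and the
        # table gives the FQDN it belongs to.
        entry = RESPONDER_KEYS.get(data)
        return None if entry is None else entry
    if id_type == ID_FQDN:
        candidates = keys_for_fqdn(data)
        if len(candidates) != 1:
            # This is exactly the rollover ambiguity: two keys, no way to tell
            # which one the initiator has without an ID_KEY_ID.
            raise ValueError(f"{len(candidates)} keys for {data!r}; need ID_KEY_ID")
        return data, candidates[0][1]
    raise ValueError(f"unsupported IDr type {id_type}")


if __name__ == "__main__":
    idr = encode_id_payload(ID_KEY_ID, b"key-2024")
    print(decode_id_payload(idr))
    print(select_responder_key(idr))
```

Run as a script it prints the decoded IDr and the key the responder would choose. The ValueError path is the point of the example: an FQDN that is mid-rollover cannot be resolved to one key, which is why the mail wants the initiator to carry a key id as well.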