I was pointed to a new draft:

https://tools.ietf.org/html/draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-00

Its goal is to minimize the payloads for rekeying for IKE SAs and IPsec SAs. The use case is like 3GPP use of large amounts of IKEv2 sessions.

I think the idea is fine, but I think I would like to see it implemented differently. I think the support notifies for this should be exchanged in IKE_AUTH, not in CREATE_CHILD_SA, because otherwise the first rekey will run into issues or has to use the old model, or would be asymmetric with the initiator sending all payloads anyway but the responder could omit them.

I see two options:

1. Still use the SA payload but use a Traffic Selector Type (eg TS_UNCHANGED) to be able to distinguish between a mistakenly omitted TSi/TSr and a purposefully omitted one from this document.

2. Completely change the payloads of CREATE_CHILD_SA and make it more general with some new payload type (eg CHILD_SA_UNCHANGED) that would cover more things that are unchanged (like USE_TRANSPORT, COMPRESS, TFC/padding etc). This format would be so different as to also ensure it cannot be confused with regular processing.

I would need to think a bit more about the gains and complexity of each of these solutions. I do like the fact that it allows a rekey without allowing anything about the SA to be modified other than fresh keys.

Paul

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
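The first option above, as an added illustration that is not part of Paul's mail nor of the draft: a small encoder/decoder for the RFC 7296 Traffic Selector payload (TS_IPV4_ADDR_RANGE = 7 and TS_IPV6_ADDR_RANGE = 8 are the real IANA types) extended with a hypothetical TS_UNCHANGED type. The numeric value 250, the zero-length selector body for it, and the classify_rekey_selectors policy are all assumptions made for this example. The point it shows is how a responder can tell an absent TSi/TSr (a protocol error on a Child SA rekey) apart from an explicit "reuse the old selectors" marker, and reject a message that mixes the marker with explicit selectors.

```python
import struct
from ipaddress import ip_address

# Traffic Selector types from RFC 7296 section 3.13.1
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
# HYPOTHETICAL: marker for "same selectors as the SA being rekeyed".
# Not an IANA-assigned value; chosen only to illustrate the proposal.
TS_UNCHANGED = 250


def encode_selector(ts_type, proto=0, start_port=0, end_port=65535,
                    start_addr=None, end_addr=None):
    """Encode one Traffic Selector: type, IP proto, length, ports, then addresses."""
    if ts_type == TS_UNCHANGED:
        body = b""                      # assumption: no address range carried
    else:
        sa, ea = ip_address(start_addr), ip_address(end_addr)
        if sa.version != ea.version:
            raise ValueError("start and end address must be the same family")
        body = sa.packed + ea.packed
    length = 8 + len(body)              # 8-byte fixed header plus addresses
    return struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port) + body


def encode_ts_payload(selectors):
    """TS payload body (after the generic payload header): count, 3 reserved, selectors."""
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)


def decode_ts_payload(data):
    """Parse a TS payload body into a list of selector dicts, rejecting malformed input."""
    count, off, out = data[0], 4, []
    for _ in range(count):
        ts_type, proto, length, sp, ep = struct.unpack_from("!BBHHH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("truncated selector")
        body = data[off + 8:off + length]
        if ts_type == TS_IPV4_ADDR_RANGE:
            if len(body) != 8:
                raise ValueError("bad IPv4 selector length")
            addrs = (str(ip_address(body[:4])), str(ip_address(body[4:])))
        elif ts_type == TS_IPV6_ADDR_RANGE:
            if len(body) != 32:
                raise ValueError("bad IPv6 selector length")
            addrs = (str(ip_address(body[:16])), str(ip_address(body[16:])))
        elif ts_type == TS_UNCHANGED:
            if body:
                raise ValueError("TS_UNCHANGED must carry no addresses")
            addrs = None
        else:
            raise ValueError(f"unknown TS type {ts_type}")
        out.append({"type": ts_type, "proto": proto, "ports": (sp, ep), "addrs": addrs})
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after selectors")
    return out


def classify_rekey_selectors(tsi, tsr, old_tsi, old_tsr):
    """Responder-side decision for the TSi/TSr of a CREATE_CHILD_SA Child SA rekey.

    tsi/tsr are raw payload bodies or None when the payload was absent;
    old_tsi/old_tsr are the decoded selectors of the SA being rekeyed.
    Returns ("rekey", (tsi_selectors, tsr_selectors)) or ("reject", reason).
    """
    if tsi is None or tsr is None:
        return ("reject", "TSi/TSr missing: RFC 7296 requires them on a Child SA rekey")
    i, r = decode_ts_payload(tsi), decode_ts_payload(tsr)
    marker = [s["type"] == TS_UNCHANGED for s in i + r]
    if all(marker):
        return ("rekey", (old_tsi, old_tsr))          # fresh keys, selectors untouched
    if any(marker):
        return ("reject", "TS_UNCHANGED mixed with explicit selectors")
    return ("rekey", (i, r))                          # ordinary rekey with explicit TS
```

A real implementation would still have to narrow the explicit selectors against the old SA as RFC 7296 describes; the code only shows the three-way distinction (absent, unchanged marker, explicit) that the proposal needs.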
