On Jul 25, 2023, at 00:19, Tobias Brunner <tob...@strongswan.org> wrote:
>
> That's exactly what I'm proposing. Make it *mandatory* that the first
> rekeying of the Child SA that's created with IKE_AUTH is a regular one.
> Because if that's not the case, it might be impossible for a responder
> to deduce what the initiator's proposal is. All further rekeyings of
> that Child SA can be optimized afterwards.

I do not want to make it mandatory because for IoT devices with provisioning, this is not needed and the whole point is saving energy by not sending unnecessary bytes and a regular rekey is a LOT of bytes.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec