Hi, I also have some comments on draft-pwouters-ipsecme-child-pfs-info.

From the Introduction I learned that the problem this draft is trying to address is the lack of knowledge, at the time the initial Child SA is being created in IKE_AUTH, of what KE methods are configured for subsequent rekeys of this Child SA. So, the main purpose is to allow manual troubleshooting of possible configuration mismatches, right?

The proposed solution is limited in its functionality:

- it doesn't support policies where some KE methods are tied to particular ENCR & PRF transforms
- it doesn't support RFC 9370
- there is no guarantee that the KE method included will be the same as the one used during the actual rekey

It also requires quite a lot of changes in the code - currently it is assumed that crypto transform negotiation is done entirely within SA payload processing. With this proposal we also have to look at this notify, which complicates the code.

Given the complexity and serious limitations of the proposed solution, and assuming that its main purpose is to allow manual troubleshooting of possible configuration mismatches, I wonder whether a more simple and reliable way to achieve this would be to just have a button in the implementation's UI: "Test Child SA rekey"? The operator would push this button to immediately force a rekey once the initial SA is established and troubleshoot should there be any errors.

Regards,
Valery.

_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
