黯乡魂 writes:
> Thank you for your reply. There is another issue about IKE SA rekey. After
> IKE SA rekey, a new SK_d is generated for the new IKE SA, so shall we update
> any existing child SA's key according to the new SK_d? I noticed that the
> child SA's key is derived from SK_d.

No. SK_d is used only to derive new Child SAs. Once the Child SAs are created they keep their keys until they themselves are rekeyed, and that is done by creating a new SA with new keys and deleting the old SA. Keys of the existing SAs will never be updated.
-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
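
The behaviour described in the reply above, as an added example that is not part of the original message: it follows the RFC 7296 derivations (prf+, SK_d, Child SA KEYMAT, SKEYSEED on IKE SA rekey) and shows that an IKE SA rekey changes SK_d while the installed Child SA keys stay as they were. HMAC-SHA256 as the negotiated PRF, the function names and all nonce, SPI and DH values are assumptions constructed for the illustration.

```python
import hashlib
import hmac

PRF_LEN = 32  # key/output size of HMAC-SHA256, the PRF assumed here

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def sk_d_from(skeyseed, ni, nr, spi_i, spi_r):
    # SK_d is the first PRF_LEN octets of prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_LEN)

def rekeyed_sk_d(old_sk_d, dh_secret, ni, nr, spi_i, spi_r):
    # IKE SA rekey: SKEYSEED = prf(SK_d(old), g^ir(new) | Ni | Nr)
    return sk_d_from(prf(old_sk_d, dh_secret + ni + nr), ni, nr, spi_i, spi_r)

def child_keymat(sk_d, ni, nr, length=64):
    # Child SA without PFS: KEYMAT = prf+(SK_d, Ni | Nr)
    return prf_plus(sk_d, ni + nr, length)

def simulate():
    c = lambda n: bytes([n]) * 32   # constructed nonces / DH shared secrets
    spi = lambda n: bytes([n]) * 8  # constructed IKE SPIs
    sk_d = sk_d_from(prf(c(1) + c(2), c(3)), c(1), c(2), spi(1), spi(2))
    installed = {"child1": child_keymat(sk_d, c(1), c(2))}  # keys now in use
    snapshot = installed["child1"]
    new_sk_d = rekeyed_sk_d(sk_d, c(4), c(5), c(6), spi(3), spi(4))
    # The IKE SA rekey installs nothing; only SAs created later use new_sk_d.
    installed["child2"] = child_keymat(new_sk_d, c(7), c(8))
    return sk_d, new_sk_d, snapshot, installed

if __name__ == "__main__":
    old, new, snap, sad = simulate()
    print("SK_d changed:", old != new)
    print("child1 keys untouched:", sad["child1"] == snap)
    print("child2 keyed from new SK_d:", sad["child2"] != sad["child1"])
```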