At 9:34 AM -0500 11/24/09, Scott C Moonen wrote:
Section 2.18 also states that in the case of the old and new IKE SA
selecting different PRFs, that the rekeying exchange (for SKEYSEED)
...snip...
new PRF, is when new IKE SA is used to generate KEYMAT, or SKEYSEED
for next IKE SA rekey.
Paul Hoffman wrote:
We earlier agreed in issue #50 to make the KEr in Section 1.3.2
(Rekeying IKE SAs with the CREATE_CHILD_SA Exchange) mandatory:
-- HDR, SK {SA, Nr, KEr}
Note that this is not in the current draft, but will be in the next
one.
So, what
Paul Hoffman writes:
We earlier agreed in issue #50 to make the KEr in Section 1.3.2
(Rekeying IKE SAs with the CREATE_CHILD_SA Exchange) mandatory:
-- HDR, SK {SA, Nr, KEr}
Note that this is not in the current draft, but will be in the next one.
So, what
Hoffman paul.hoff...@vpnc.org
Cc:
IPsecme WG ipsec@ietf.org
Date:
11/24/2009 08:55 AM
Subject:
[IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question
Paul Hoffman writes:
We earlier agreed in issue #50 to make the KEr in Section 1.3.2
(Rekeying IKE SAs with the CREATE_CHILD_SA Exchange
We earlier agreed in issue #50 to make the KEr in Section 1.3.2 (Rekeying IKE
SAs with the CREATE_CHILD_SA Exchange) mandatory:
-- HDR, SK {SA, Nr, KEr}
Note that this is not in the current draft, but will be in the next one.
So, what happens if the responder does