Pasi.Eronen@nokia.com wrote:
> The SA proposal here enumerates the transforms to be used for
> *this* CHILD_SA creation (not future CHILD_SAs; those exchanges
> have their own SA payloads, which may contain different things).
> Since no Diffie-Hellman calculation is done when this CHILD_SA is
> created, you can't negotiate the Diffie-Hellman transform here.
Yes, of course. This is the clearest, most succinct reason why DH group cannot be included. Thanks, Pasi.
Although practically speaking, I don't think I've seen a configuration/implementation that changes its SA proposal (DH group for PFS excepted) upon rekey.
Regards,
Chinh
--
http://www.certicom.com

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
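The rule discussed in this thread (no D-H transform in the CHILD_SA proposal carried in IKE_AUTH, because no Diffie-Hellman exchange happens there; a D-H transform is meaningful only in CREATE_CHILD_SA, where it must agree with the KE payload) can be checked mechanically by a responder before it spends any work on a proposal. The following validator is an added example written for this page, not code from the mailing-list participants or from any IKE implementation. Transform-type numbers and the group IDs follow RFC 7296 section 3.3.2 and the IANA IKEv2 registry; the `Proposal` class, the function names, and the sample proposals are constructed for illustration. It also models the observation that a rekey proposal normally differs from the original only in the D-H group added for PFS.

```python
# IKEv2 CHILD_SA proposal checks for the Diffie-Hellman transform.
# Added example, not from the thread. Numbers below are from RFC 7296 / IANA.
from dataclasses import dataclass, field

# Transform types (RFC 7296, section 3.3.2)
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5

# A few D-H group IDs from the IANA IKEv2 registry (0 = NONE means no PFS)
DH_GROUPS = {0: "NONE", 14: "2048-bit MODP", 19: "256-bit random ECP",
             20: "384-bit random ECP"}


@dataclass
class Proposal:
    """Simplified SA proposal: protocol plus (transform type, transform ID) pairs."""
    protocol: str                                   # "ESP" or "AH"
    transforms: list = field(default_factory=list)


def dh_groups_offered(proposal):
    """D-H group IDs present in the proposal, in ascending order."""
    return sorted({tid for ttype, tid in proposal.transforms if ttype == DH})


def check_child_sa_proposal(exchange, proposal, ke_group=None):
    """Return a list of problems (empty list means the proposal is acceptable).

    exchange: "IKE_AUTH" for the CHILD_SA piggy-backed on IKE_SA setup, or
              "CREATE_CHILD_SA" for later CHILD_SAs and rekeys.
    ke_group: group of the KEi payload sent alongside the SA payload, or None.
    """
    problems = []
    groups = dh_groups_offered(proposal)
    if proposal.protocol == "ESP" and not any(t == ENCR for t, _ in proposal.transforms):
        problems.append("ESP proposal carries no ENCR transform")
    if exchange == "IKE_AUTH":
        # Keys for this CHILD_SA are derived from the IKE_SA's SK_d; there is
        # no KE payload and no D-H computation, so a D-H transform is meaningless.
        if groups:
            problems.append("D-H transform present in IKE_AUTH CHILD_SA proposal")
        if ke_group is not None:
            problems.append("KE payload is not allowed in IKE_AUTH")
    elif exchange == "CREATE_CHILD_SA":
        if groups and groups != [0] and ke_group is None:
            problems.append("D-H transform offered but no KE payload sent")
        if ke_group is not None and ke_group not in groups:
            # This is the case a responder would answer with INVALID_KE_PAYLOAD.
            problems.append(f"KE payload group {ke_group} not among offered groups {groups}")
        for g in groups:
            if g not in DH_GROUPS:
                problems.append(f"unknown D-H group ID {g}")
    else:
        problems.append(f"unknown exchange {exchange}")
    return problems


def rekey_proposal(original, pfs_group):
    """Build a rekey proposal: same transforms, with only the D-H group (PFS) added or replaced."""
    kept = [(t, i) for t, i in original.transforms if t != DH]
    return Proposal(original.protocol, kept + [(DH, pfs_group)])


def demo():
    # Constructed sample: AES-CBC (ENCR ID 12), HMAC-SHA1-96 (INTEG ID 2), no ESN
    base = Proposal("ESP", [(ENCR, 12), (INTEG, 2), (ESN, 0)])
    with_pfs = rekey_proposal(base, 19)
    return {
        "ike_auth_ok": check_child_sa_proposal("IKE_AUTH", base),
        "ike_auth_dh": check_child_sa_proposal("IKE_AUTH", with_pfs),
        "rekey_ok": check_child_sa_proposal("CREATE_CHILD_SA", with_pfs, ke_group=19),
        "rekey_wrong_ke": check_child_sa_proposal("CREATE_CHILD_SA", with_pfs, ke_group=14),
        "rekey_no_ke": check_child_sa_proposal("CREATE_CHILD_SA", with_pfs),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

The check runs on the parsed proposal only, so it belongs before any group arithmetic; a responder that rejects a mismatched or misplaced D-H transform up front avoids doing modular exponentiation or an ECP point multiplication on a request it would have to refuse anyway.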