
Re: [IPsec] CHILD_SA and PFS

From: Chinh Nguyen <cnguyen_at_nospam>
Date: Tue Nov 20 2007 - 13:52:45 GMT
To: Pasi.Eronen@nokia.com


Pasi.Eronen@nokia.com wrote:
> The SA proposal here enumerates the transforms to be used for
> *this* CHILD_SA creation (not future CHILD_SAs; those exchanges
> have their own SA payloads, which may contain different things).
> Since no Diffie-Hellman calculation is done when this CHILD_SA is
> created, you can't negotiate the Diffie-Hellman transform here.

Yes, of course. This is the clearest, most succinct reason why DH group cannot be included. Thanks, Pasi.

Although practically speaking, I don't think I've seen a configuration/implementation that changes its SA proposal (DH group for PFS excepted) upon rekey.

Regards,

Chinh
-- 
http://www.certicom.com

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
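Added example, not part of the thread or of any implementation discussed in it: a small IKEv2 SA-payload encoder/parser in Python that makes Pasi's point mechanical. A CHILD_SA proposal is a list of transforms (RFC 4306 / RFC 7296 section 3.3: ENCR, PRF, INTEG, D-H, ESN); the first CHILD_SA is created inside IKE_AUTH, which carries no KE payload and does no Diffie-Hellman computation, so a D-H transform (type 4) in that proposal cannot be acted on. Only a CREATE_CHILD_SA (rekey or additional CHILD_SA) can negotiate a group for PFS. The check below rejects a D-H transform in an IKE_AUTH child proposal and accepts it in CREATE_CHILD_SA, and `rekey_proposal` reflects Chinh's observation by reusing the original transform set and adding only the PFS group. The SPI, the transform choices (ENCR_AES_CBC/128, AUTH_HMAC_SHA1_96, no ESN, group 14) and the function names are constructed for the example; exchange-type, protocol, transform-type and transform-ID numbers are the IANA IKEv2 registry values.

```python
"""Encode/parse IKEv2 SA-payload proposals and decide where a D-H transform may appear.

Wire layout: RFC 7296 section 3.3 (unchanged from RFC 4306, current when this
thread was written). Constructed example; not code from the mailing-list thread.
"""
import struct

# Exchange types (RFC 7296 section 3.1)
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA = 34, 35, 36
# Protocol IDs carried in a proposal (section 3.3.1)
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3
# Transform types (section 3.3.2); type 4 is the Diffie-Hellman group
T_ENCR, T_PRF, T_INTEG, T_DH, T_ESN = 1, 2, 3, 4, 5
# Key Length attribute, TV format (AF bit set), section 3.3.5
ATTR_KEY_LENGTH = 14


def encode_transform(ttype, tid, key_len=None, last=False):
    """Transform substructure: last(1) reserved(1) length(2) type(1) reserved(1) id(2) [attrs]."""
    attrs = b""
    if key_len is not None:
        attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_len)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def encode_proposal(num, proto, spi, transforms, last=True):
    """Proposal substructure: last(1) reserved(1) length(2) num(1) proto(1) spi_size(1) n_transforms(1) spi transforms."""
    body = b"".join(encode_transform(t, i, k, last=(n == len(transforms) - 1))
                    for n, (t, i, k) in enumerate(transforms))
    plen = 8 + len(spi) + len(body)
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, plen, num, proto, len(spi), len(transforms)) + spi + body


def parse_proposals(data):
    """Parse the proposal list of an SA payload into dicts; raises ValueError on truncation."""
    proposals, off = [], 0
    while off < len(data):
        last, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        if plen < 8 + spi_size or off + plen > len(data):
            raise ValueError("truncated proposal")
        spi = data[off + 8:off + 8 + spi_size]
        toff, end, transforms = off + 8 + spi_size, off + plen, []
        while toff < end:
            tlast, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, toff)
            if tlen < 8 or toff + tlen > end:
                raise ValueError("truncated transform")
            attrs, key_len = data[toff + 8:toff + tlen], None
            if len(attrs) >= 4:
                atype, aval = struct.unpack_from("!HH", attrs, 0)
                if atype == (0x8000 | ATTR_KEY_LENGTH):
                    key_len = aval
            transforms.append((ttype, tid, key_len))
            toff += tlen
            if tlast == 0:
                break
        if len(transforms) != ntrans:
            raise ValueError("transform count mismatch")
        proposals.append({"num": num, "proto": proto, "spi": spi, "transforms": transforms})
        off = end
        if last == 0:
            break
    return proposals


def check_child_proposal(exchange, proposal):
    """(accepted, reason) for an AH/ESP proposal seen in the given exchange.

    IKE_AUTH creates the first CHILD_SA with no KE payload, so a D-H transform
    there has nothing to act on; CREATE_CHILD_SA may carry one to request PFS.
    """
    if proposal["proto"] not in (PROTO_AH, PROTO_ESP):
        return False, "not a CHILD_SA proposal"
    dh = [tid for t, tid, _ in proposal["transforms"] if t == T_DH]
    if exchange == IKE_AUTH and dh:
        return False, "D-H transform in IKE_AUTH: no KE payload, no DH for the first CHILD_SA"
    if exchange == CREATE_CHILD_SA and dh:
        return True, "PFS with DH group %d; KEi payload required" % dh[0]
    if exchange in (IKE_AUTH, CREATE_CHILD_SA):
        return True, "accepted, no PFS"
    return False, "CHILD_SA proposals do not appear in this exchange"


def rekey_proposal(proposal, pfs_group):
    """CREATE_CHILD_SA rekey: same transforms as the original CHILD_SA, plus the PFS group.

    SPI reuse here is only for the example; a real rekey chooses a fresh inbound SPI.
    """
    kept = [t for t in proposal["transforms"] if t[0] != T_DH]
    return encode_proposal(1, proposal["proto"], proposal["spi"], kept + [(T_DH, pfs_group, None)])


# Constructed sample: ESP, AES-CBC-128, HMAC-SHA1-96, no ESN, as sent in IKE_AUTH.
SAMPLE_SPI = bytes.fromhex("0a0b0c0d")
IKE_AUTH_CHILD_PROPOSAL = encode_proposal(
    1, PROTO_ESP, SAMPLE_SPI, [(T_ENCR, 12, 128), (T_INTEG, 2, None), (T_ESN, 0, None)])

if __name__ == "__main__":
    first = parse_proposals(IKE_AUTH_CHILD_PROPOSAL)[0]
    print("IKE_AUTH:", check_child_proposal(IKE_AUTH, first))
    rekeyed = parse_proposals(rekey_proposal(first, 14))[0]
    print("CREATE_CHILD_SA:", check_child_proposal(CREATE_CHILD_SA, rekeyed))
    print("same proposal offered in IKE_AUTH:", check_child_proposal(IKE_AUTH, rekeyed))
```

Run it directly to see the three verdicts; the last line is the case from the thread, where the only difference between the IKE_AUTH proposal and the rekey proposal is the added D-H transform.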