ipsec November 2007 archive

Re: [IPsec] CHILD_SA and PFS

From: Tero Kivinen <kivinen_at_nospam>
Date: Wed Nov 21 2007 - 15:56:04 GMT
To: Yoav Nir <ynir@checkpoint.com>


Yoav Nir writes:
> This assumes that generating a new IKE SA is a painless procedure. For
> clients, this could mean keying in a passcode from a token, or
> entering a password or pushing some button on a phone.

Which will cause the client to fix the problem sooner rather than later, which is even better.

> Even if generating an IKE SA is painless, it's also bad if you need
> multiple SAs. Only the first SA (the one that happened to trigger IKE)
> will succeed. All the others will fail (assuming all require PFS). So
> we have a badly mismatched configuration that occasionally works.

If the policies are different, any of the later SAs can fail too, regardless of PFS. I do not really see that big a difference with PFS. In the normal case the client should not really care what is configured for the PFS group; it should be configured to suggest without PFS and also allow any supported group. Then the server can request whatever policy it wants.

-- 
kivinen@safenet-inc.com

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
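The configuration Tero describes (client offers D-H transform NONE first, also lists every group it supports, and lets the server pick) and the mismatch Yoav describes (client cannot satisfy the server's PFS requirement) can both be traced through a small model of the CREATE_CHILD_SA group selection. The following Python is an added illustration, not code from the list thread or from any IKE implementation: it models policy selection only, performs no Diffie-Hellman arithmetic or packet encoding, and the policies and group choices (groups 2 and 14) are constructed sample values. The transform type and notify numbers are the IANA IKEv2 values; the `Policy`, `Request`, `build_request`, `responder_select` and `negotiate` names are this example's own.

```python
# Simplified model of IKEv2 CREATE_CHILD_SA D-H group (PFS) negotiation.
# Constructed example: models which group the peers settle on and how many
# exchanges it takes; no real key exchange or message encoding is performed.

from dataclasses import dataclass

DH_NONE = 0                # D-H transform "NONE": CHILD_SA without PFS
DH_GROUP_2 = 2             # 1024-bit MODP group
DH_GROUP_14 = 14           # 2048-bit MODP group
NO_PROPOSAL_CHOSEN = 14    # IKEv2 notify type: nothing acceptable was offered
INVALID_KE_PAYLOAD = 17    # IKEv2 notify type: carries the responder's chosen group


@dataclass(frozen=True)
class Policy:
    # Acceptable D-H transforms (transform type 4) for the CHILD_SA, most
    # preferred first. DH_NONE is listed when an SA without PFS is acceptable.
    dh_groups: tuple


@dataclass(frozen=True)
class Request:
    dh_proposals: tuple   # D-H transforms offered, in preference order
    ke_group: int         # group of the KE payload carried; DH_NONE if omitted


def build_request(policy, ke_group=DH_NONE):
    """Initiator builds a CREATE_CHILD_SA request from its policy.

    If the policy allows no-PFS, the first request carries no KE payload
    (the "suggest without PFS" configuration). If PFS is mandatory, a KE
    payload for the most preferred group is sent right away.
    """
    if ke_group == DH_NONE and DH_NONE not in policy.dh_groups:
        ke_group = policy.dh_groups[0]
    if ke_group != DH_NONE and ke_group not in policy.dh_groups:
        raise ValueError("cannot send a KE payload for an unsupported group")
    return Request(policy.dh_groups, ke_group)


def responder_select(policy, request):
    """Responder picks its own most preferred group among those offered.

    Returns (notify, group): notify is None on success, NO_PROPOSAL_CHOSEN
    when nothing offered is acceptable, or INVALID_KE_PAYLOAD when the chosen
    group differs from the group of the KE payload the initiator sent.
    """
    acceptable = [g for g in policy.dh_groups if g in request.dh_proposals]
    if not acceptable:
        return NO_PROPOSAL_CHOSEN, None
    chosen = acceptable[0]
    if chosen != request.ke_group:
        return INVALID_KE_PAYLOAD, chosen
    return None, chosen


def negotiate(initiator, responder, max_exchanges=2):
    """Run the exchange, retrying once with the group the responder asked for."""
    ke_group = DH_NONE
    exchanges = 0
    while exchanges < max_exchanges:
        request = build_request(initiator, ke_group)
        exchanges += 1
        notify, group = responder_select(responder, request)
        if notify is None:
            return {"group": group, "exchanges": exchanges, "notify": None}
        if notify == INVALID_KE_PAYLOAD and group in initiator.dh_groups:
            ke_group = group     # retry carrying a KE payload for that group
            continue
        return {"group": None, "exchanges": exchanges, "notify": notify}
    return {"group": None, "exchanges": exchanges, "notify": INVALID_KE_PAYLOAD}


if __name__ == "__main__":
    relaxed_client = Policy((DH_NONE, DH_GROUP_14, DH_GROUP_2))
    pfs_server = Policy((DH_GROUP_14, DH_GROUP_2))
    print("client suggests no PFS, server wants group 14:",
          negotiate(relaxed_client, pfs_server))
    print("client only supports no PFS, server requires group 14:",
          negotiate(Policy((DH_NONE,)), Policy((DH_GROUP_14,))))
```

With the relaxed client policy the first request carries no KE payload; a server that insists on PFS answers INVALID_KE_PAYLOAD naming group 14 and the second exchange succeeds, so the only cost of "suggest without PFS" is one extra round trip. A client that offers nothing but NONE against a server that requires a group gets NO_PROPOSAL_CHOSEN on every CHILD_SA, which is the persistent mismatch rather than a PFS-specific problem.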