Yoav Nir | 8 May 2005 09:23

Re: Fwd: I-D ACTION:draft-nir-ikev2-auth-lt-02.txt

The reason I'm asking is that I'm not sure what I'm doing there is the 
best way.

What the draft says is for the Initiator to wait a certain amount of 
time, and then tear down all the SAs and create new ones via a 
completely new initial exchange.  This is much more than is necessary.  
A better solution would be to allow a new AUTH exchange (2 or 6 
messages) without an INITIAL exchange, and without any piggybacked 
child SAs.

The reason I chose the inferior solution is simplicity:
  - No need to create a new state machine for a standalone AUTH exchange
  - Easier to add support to existing IKEv2 implementations
  - No need to find something to sign in the AUTH payloads (maybe the 
original INITIAL exchange packets? Would it be secure to sign them 
again?)

Anyway, I can see valid reasons to do it either way, and that is why 
I'm soliciting comments.

On May 6, 2005, at 6:06 PM, <Pasi.Eronen <at> nokia.com> wrote:
>
> Yes, I think many vendors will need something like this, and it
> makes more sense to have one interoperable way, rather than each
> vendor implementing their proprietary extension. And IMHO it
> does not matter what exactly the details are, as long as we get
> it published in a timely fashion.
>
> Given that the IANA actions for IKEv2 are already done, I think
> you should ask Russ to appoint a "Designated Expert", and move
> forward as individual submission for informational (so we don't
> have to wait years for all IPsec folks to get full consensus
> on the punctuation).

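An added illustration of the last point in the message above (what a standalone AUTH exchange would sign); this is example code written for this archive page, not from the draft or from either poster. It models the IKEv2 signed-octets construction from section 2.15 of the IKEv2 specification, InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayloadI), with the shared-secret AUTH method, AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), octets). HMAC-SHA-256 as the PRF, the message bytes, nonces, SK_pi and pre-shared key are all constructed sample values, and the assumption that SK_pi is unchanged across the re-authentication is the example's own. Re-signing the original INITIAL exchange packets with nothing fresh mixed in yields exactly the same AUTH value as the first authentication, because the construction is deterministic in its inputs; a nonce carried by the re-auth exchange itself ties the new proof to that exchange.

```python
import hmac
import hashlib

# Literal key pad from the IKEv2 shared-secret AUTH computation.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF; HMAC-SHA-256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def initiator_signed_octets(real_message1: bytes, nonce_r: bytes,
                            sk_pi: bytes, id_i_rest: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayloadI)."""
    return real_message1 + nonce_r + prf(sk_pi, id_i_rest)


def auth_payload_shared_secret(shared_secret: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <InitiatorSignedOctets>)."""
    return prf(prf(shared_secret, KEY_PAD), octets)


# Constructed sample values (not captured traffic): a stand-in for the
# initiator's first IKE_SA_INIT message, the responder's nonce, the derived
# SK_pi, the body of the initiator's ID payload (ID_RFC822_ADDR = 3, three
# reserved bytes, then the identity) and the pre-shared key.
REAL_MESSAGE1 = b"IKE_SA_INIT request bytes (constructed sample)"
NONCE_R = bytes(range(32))
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()
ID_I_REST = b"\x03\x00\x00\x00" + b"initiator@example.test"
SHARED_SECRET = b"constructed pre-shared key"

# Fresh nonce that a standalone re-auth exchange could carry (assumption).
NONCE_R_FRESH = bytes(range(32, 64))


def first_auth() -> bytes:
    """AUTH value of the original IKE_AUTH exchange."""
    octets = initiator_signed_octets(REAL_MESSAGE1, NONCE_R, SK_PI, ID_I_REST)
    return auth_payload_shared_secret(SHARED_SECRET, octets)


def reauth_resigning_original() -> bytes:
    """Option raised in the post: sign the original INITIAL exchange packets
    again, with the same nonce and (assumed unchanged) SK_pi."""
    octets = initiator_signed_octets(REAL_MESSAGE1, NONCE_R, SK_PI, ID_I_REST)
    return auth_payload_shared_secret(SHARED_SECRET, octets)


def reauth_with_fresh_nonce() -> bytes:
    """Assumed variant: a nonce from the re-auth exchange replaces NonceRData."""
    octets = initiator_signed_octets(REAL_MESSAGE1, NONCE_R_FRESH, SK_PI, ID_I_REST)
    return auth_payload_shared_secret(SHARED_SECRET, octets)


def compare() -> dict:
    """Does each re-authentication option produce a new AUTH value?"""
    original = first_auth()
    return {
        "resigned_original_is_identical": reauth_resigning_original() == original,
        "fresh_nonce_differs": reauth_with_fresh_nonce() != original,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Note that only the inputs to the signed octets decide whether the second proof is distinguishable from the first; the AUTH method (shared secret here, a signature in the certificate case) does not change that.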