[Ipsec] Re: Original initiator and responder after an IKE_SA rekeying in Repeated authentication scenario in IKEv2

By "original responder" I mean the party that was Responder in the original Initial and AUTH exchanges, so perhaps "original authentication responder" would be better.

The reason for the whole "authentication timeout" is to ask the "original authentication initiator" to do the whole Initial+AUTH again, because for some reason the original authentication responder can't do it (EAP is one good example). This fact is not altered by the role reversal that happens in rekeying.

Hope this helps.


Alejandro Perez Mendez wrote:
> Hi! We need some clarifications about how to know who are the original
> initiator and responder in Repeated Authentication scenario in IKEv2.
>
> The Repeated Authentication document assumes that only the original
> responder can send the AUTH_LIFETIME notification, but after an IKE_SA
> rekeying, the original responder can change (see IKEv2 clarifications
> document section 5.9). After that, the original responder may be
> different to the "original authentication responder" (the peer that acts
> as responder in the IKE_AUTH exchange).
>
> In this case, who is the "original responder" in order to send
> AUTH_LIFETIME notifications?

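One way to pin down the rule stated in the reply, as an added example that is not part of the thread and not taken from any IKEv2 implementation: a small trace checker (event names and traces are constructed) that keeps the fixed authentication roles separate from the per-SA initiator role, so an IKE_SA rekey can flip who initiates the new SA without changing which peer may send AUTH_LIFETIME or which peer must repeat IKE_SA_INIT+IKE_AUTH.

```python
"""Trace checker for AUTH_LIFETIME sender rules across IKE_SA rekeys.

Added example (not from the thread or any IKEv2 stack). Encodes the
reading given in the reply: the responder of the original IKE_AUTH
exchange is the only peer that sends AUTH_LIFETIME, and its initiator
is the peer that must redo IKE_SA_INIT+IKE_AUTH; a rekey only changes
the initiator/responder of the new IKE_SA. Peers, event kinds and the
trace layout are constructed for this example.
"""


def other(peer: str) -> str:
    """The other side of a two-party session (peers are 'A' and 'B')."""
    return "B" if peer == "A" else "A"


def check_trace(events):
    """Walk (kind, actor) events; return (current IKE_SA initiator, violations).

    Event kinds (constructed names):
      IKE_AUTH      actor initiated the original IKE_SA_INIT + IKE_AUTH
      REKEY_IKE_SA  actor initiated CREATE_CHILD_SA rekey of the IKE_SA
      AUTH_LIFETIME actor sent the AUTH_LIFETIME notification
      REAUTH        actor started a fresh IKE_SA_INIT + IKE_AUTH
    """
    auth_initiator = None   # fixed for the authenticated session
    ike_initiator = None    # role in the current IKE_SA; flips on rekey
    violations = []
    for kind, actor in events:
        if kind == "IKE_AUTH":
            auth_initiator = ike_initiator = actor
        elif auth_initiator is None:
            violations.append(f"{kind} from {actor} before any IKE_AUTH")
        elif kind == "REKEY_IKE_SA":
            ike_initiator = actor           # new SA roles; auth roles untouched
        elif kind == "AUTH_LIFETIME":
            if actor != other(auth_initiator):
                violations.append(f"AUTH_LIFETIME from auth initiator {actor}")
        elif kind == "REAUTH":
            if actor != auth_initiator:
                violations.append(f"re-authentication started by {actor}")
            else:
                ike_initiator = actor       # new session, same auth roles
        else:
            violations.append(f"unknown event {kind}")
    return ike_initiator, violations


# Constructed traces: A authenticated as initiator, B later rekeys the IKE_SA,
# so B is now "original initiator" of the live SA, yet B still sends AUTH_LIFETIME.
GOOD_TRACE = [("IKE_AUTH", "A"), ("REKEY_IKE_SA", "B"),
              ("AUTH_LIFETIME", "B"), ("REAUTH", "A")]
BAD_TRACE = [("IKE_AUTH", "A"), ("REKEY_IKE_SA", "B"), ("AUTH_LIFETIME", "A")]
```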