[Ipsec] Re: Original initiator and responder after an IKE_SA rekeying in Repeated authentication scenario in IKEv2

[Yoav Nir <ynir@xxxxxxxxxxxxxx>]

By "original responder" I mean the party that was Responder in the 
original Initial and AUTH exchanges, so perhaps "original authentication 
responder" would be better.

The reason for the whole "authentication timeout" is to ask the 
"original authentication initiator" to do the whole Initial+AUTH again, 
because for some reason the original authentication responder can't do 
it (EAP is one good example).  This fact is not altered by the role 
reversal that happens in rekeying.

Hope this helps.

Yoav

Alejandro Perez Mendez wrote:
> Hi! We need some clarifications about how to know who are the original
> initiator and responder in Repeated Authentication scenario in IKEv2.
>
> The Repeated Authentication document assumes that only the original
> responder can send the AUTH_LIFETIME notification, but after an IKE_SA
> rekeying, the original responder can change (see IKEv2 clarifications
> document section 5.9). After that, the original responder may be
> different to the "original authentication responder" (the peer that acts
> as responder in the IKE_AUTH exchange).
>
> In this case, who is the "original responder" in order to send
> AUTH_LIFETIME notifications?
>
>
>
>   


_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec