--------------------
Shinta Sugimoto (2005-08-30):

- Section 2.3 (Changing addresses in IPsec SAs)

I need clarification on how address change functions in MOBIKE. First of all, does UPDATE_SA_ADDRESSES take effect on more than one address change? Or is it supposed to update a single address?

Probably I am confusing the purpose of UPDATE_SA_ADDRESSES and ADDITIONAL_*_ADDRESS. In my understanding, UPDATE_SA_ADDRESSES is for updating the preferred address, which means that the IKE_SA and IPsec SA (only the matched one) are the target of the address update. OTOH, ADDITIONAL_*_ADDRESS is for updating (requesting its peer to update) the peer address set. Do I get it right?

One more question: Should the initiator make all the CHILD_SAs inactive which are associated with the IKE_SA whose "pending_update" flag is set?

--------------------
Pasi Eronen (2005-08-31):

> - Section 2.3 (Changing addresses in IPsec SAs) I need
> clarification on how address change functions in MOBIKE. First
> of all, does UPDATE_SA_ADDRESSES take effect on more than one
> address change? Or is it supposed to update a single address?

It updates the one source and one destination address in IKE and IPsec SAs (the src/dst address that is currently used for outgoing packets).

> Probably I am confusing the purpose of UPDATE_SA_ADDRESSES
> and ADDITIONAL_*_ADDRESS. In my understanding,
> UPDATE_SA_ADDRESSES is for updating the preferred address,
> which means that the IKE_SA and IPsec SA (only the matched one) are
> the target of the address update. OTOH, ADDITIONAL_*_ADDRESS
> is for updating (requesting its peer to update) the peer
> address set. Do I get it right?

Yes, I think you got it right (although the protocol document does not currently use the term "peer address set"). This set is used as input for address pair selection (on initiator side), and possibly when responder address changes (although the details need some clarification here...)

> One more question: Should the initiator make all the CHILD_SAs
> inactive which are associated with the IKE_SA whose "pending_update"
> flag is set?

Why should it? (Continuing using those CHILD_SAs should work just fine, since in 2401bis the responder uses only the SPI for locating the inbound IPsec SA.)

--------------------
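The semantics described in the reply above (UPDATE_SA_ADDRESSES moves the single src/dst pair of the IKE_SA and its CHILD_SAs, ADDITIONAL_*_ADDRESS only feeds the peer address set, and the inbound IPsec SA is found by SPI alone), as an added Python model that is not part of the thread or of any MOBIKE implementation. The addresses, SPIs and the rule that the new destination must be an announced peer address are assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed model of the MOBIKE semantics discussed in the thread (not a real IKEv2 stack).
@dataclass
class ChildSA:
    spi_in: int  # SPI the responder uses to locate this inbound IPsec SA
    src: str
    dst: str

@dataclass
class IkeSA:
    src: str  # the one source address currently used for outgoing packets
    dst: str  # the one destination address currently used for outgoing packets
    peer_addresses: set = field(default_factory=set)  # learned via ADDITIONAL_*_ADDRESS
    pending_update: bool = False
    children: list = field(default_factory=list)

def receive_additional_addresses(sa, addrs):
    """ADDITIONAL_*_ADDRESS only replaces the peer address set; no traffic moves."""
    sa.peer_addresses = set(addrs)

def update_sa_addresses(sa, new_src, new_dst):
    """UPDATE_SA_ADDRESSES: change the single src/dst pair of the IKE_SA and of every
    CHILD_SA under it. Requiring the new destination to be an announced peer address
    is this model's assumption for initiator-side address pair selection."""
    if new_dst not in sa.peer_addresses | {sa.dst}:
        raise ValueError("destination not in peer address set")
    sa.src, sa.dst = new_src, new_dst
    for c in sa.children:
        c.src, c.dst = new_src, new_dst
    sa.pending_update = False

def lookup_inbound(sa, spi, pkt_src):
    """Inbound lookup as in 2401bis: match on SPI only; pkt_src is deliberately ignored,
    so a CHILD_SA stays usable while the IKE_SA has pending_update set."""
    return next((c for c in sa.children if c.spi_in == spi), None)

def demo():
    """Constructed scenario: initiator moves from 10.0.0.2 to 10.0.1.9 (example addresses)."""
    sa = IkeSA("10.0.0.2", "192.0.2.1",
               children=[ChildSA(0x1001, "10.0.0.2", "192.0.2.1"),
                         ChildSA(0x1002, "10.0.0.2", "192.0.2.1")])
    receive_additional_addresses(sa, ["192.0.2.1", "198.51.100.7"])
    sa.pending_update = True  # address changed, UPDATE_SA_ADDRESSES not yet exchanged
    still_usable = lookup_inbound(sa, 0x1002, "10.0.1.9") is not None
    update_sa_addresses(sa, "10.0.1.9", "198.51.100.7")
    all_moved = all((c.src, c.dst) == ("10.0.1.9", "198.51.100.7") for c in sa.children)
    return still_usable, all_moved, sa.pending_update
```

`demo()` returns `(True, True, False)`: the CHILD_SA is still matched by SPI while the update is pending, every CHILD_SA follows the IKE_SA to the new pair, and the flag clears afterwards.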