- Unlike IKEv1, with IKEv2 the Perfect Forward Secrecy (PFS) Diffie-Hellman (DH) group value displays as 'PFS (Y/N): N, DH group: none' during the first tunnel negotiation, i.e. for the first Child SA.
- After a rekey occurs, the correct values appear. This is expected protocol behavior and not a defect, even though it is documented in Cisco bug ID CSCug67056.
- The reason is that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads: the first Child SA is keyed from the IKE SA's SK_d and the nonces already exchanged in IKE_SA_INIT, with no DH exchange of its own. Thus, the SA payloads in the IKE_AUTH exchange cannot carry a PFS DH group other than NONE.
- The CREATE_CHILD_SA request used in rekeying MAY optionally contain a KE payload for an additional DH exchange. That extra exchange is what gives the new Child SA PFS, and it is only after such a rekey that the configured DH group is displayed.
For rekeying an IKE_SA, the structure of CREATE_CHILD_SA is (the KE payloads are mandatory here; a rekeyed IKE SA always gets a fresh DH exchange):
Initiator                         Responder
-------------------------------------------------------------------
HDR, SK {SA, Ni, KEi}  -->
                                <--  HDR, SK {SA, Nr, KEr}
For rekeying a CHILD_SA, the structure of CREATE_CHILD_SA is (the bracketed KE payloads are present only when PFS is in use):
Initiator                         Responder
-------------------------------------------------------------------
HDR, SK {N(REKEY_SA), SA, Ni, [KEi,]
    TSi, TSr}  -->
                                <--  HDR, SK {SA, Nr, [KEr,]
                                              TSi, TSr}
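The key derivation behind both the bullet list and the two exchange diagrams above, as an added example that is not part of the original post and is not Cisco code. It follows RFC 7296 sections 2.13 (prf+), 2.17 (Child SA KEYMAT) and 2.18 (IKE SA rekey) and assumes PRF_HMAC_SHA2_256 as the prf; SK_D, the nonces and G_IR_NEW are constructed stand-ins (a real g^ir would be the full DH shared secret of the PFS group), and the function names are the example's own. It shows why the Child SA created in IKE_AUTH can only report 'DH group: none', and why a CREATE_CHILD_SA rekey that carries a KE payload is the first point at which a DH group (and real forward secrecy) exists for a Child SA.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, the prf transform assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 key expansion:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir_new: bytes = b"", length: int = 64) -> bytes:
    """KEYMAT for a Child SA (RFC 7296 section 2.17).

    IKE_AUTH Child SA, or CREATE_CHILD_SA rekey without KE: prf+(SK_d, Ni | Nr)
    CREATE_CHILD_SA rekey with KE (PFS):                    prf+(SK_d, g^ir(new) | Ni | Nr)
    An empty g_ir_new selects the no-PFS form, which is all IKE_AUTH can do
    because it carries no KE payload of its own.
    """
    return prf_plus(sk_d, g_ir_new + ni + nr, length)


def split_keymat(keymat: bytes, encr_len: int, integ_len: int) -> dict:
    """Order mandated by section 2.17: initiator->responder keys first,
    encryption key before integrity key: SK_ei | SK_ai | SK_er | SK_ar."""
    need = 2 * (encr_len + integ_len)
    if len(keymat) < need:
        raise ValueError(f"need {need} bytes of KEYMAT, got {len(keymat)}")
    keys, i = {}, 0
    for name, size in (("sk_ei", encr_len), ("sk_ai", integ_len),
                       ("sk_er", encr_len), ("sk_ar", integ_len)):
        keys[name] = keymat[i:i + size]
        i += size
    return keys


def ike_rekey_skeyseed(sk_d_old: bytes, g_ir_new: bytes, ni: bytes, nr: bytes) -> bytes:
    """Section 2.18: rekeying the IKE SA itself always includes a fresh DH
    exchange, SKEYSEED = prf(SK_d(old), g^ir(new) | Ni | Nr); KE is not optional."""
    return prf(sk_d_old, g_ir_new + ni + nr)


# Constructed sample values (labelled stand-ins, not captured traffic).
SK_D = bytes.fromhex("0f" * 32)       # SK_d of the IKE SA
NI_INIT = bytes.fromhex("a1" * 16)    # nonces sent in the clear in IKE_SA_INIT
NR_INIT = bytes.fromhex("b2" * 16)
NI_REKEY = bytes.fromhex("c3" * 16)   # fresh nonces inside CREATE_CHILD_SA
NR_REKEY = bytes.fromhex("d4" * 16)
G_IR_NEW = bytes.fromhex("e5" * 32)   # stand-in for the new DH shared secret g^ir


def attacker_recovers(sk_d_leaked: bytes, ni: bytes, nr: bytes, actual: bytes) -> bool:
    """Model of the threat PFS addresses: an attacker who later obtains the IKE SA
    keys (SK_d, plus SK_e to read the rekey nonces) recomputes KEYMAT without
    ever knowing a DH private value. True means the Child SA traffic is exposed."""
    return child_keymat(sk_d_leaked, ni, nr) == actual


def demo() -> dict:
    first = child_keymat(SK_D, NI_INIT, NR_INIT)                   # IKE_AUTH: "DH group: none"
    rekey_no_pfs = child_keymat(SK_D, NI_REKEY, NR_REKEY)          # CREATE_CHILD_SA, no KE
    rekey_pfs = child_keymat(SK_D, NI_REKEY, NR_REKEY, G_IR_NEW)   # CREATE_CHILD_SA with KE
    return {
        "first_child_sa_exposed": attacker_recovers(SK_D, NI_INIT, NR_INIT, first),
        "rekey_without_ke_exposed": attacker_recovers(SK_D, NI_REKEY, NR_REKEY, rekey_no_pfs),
        "rekey_with_ke_exposed": attacker_recovers(SK_D, NI_REKEY, NR_REKEY, rekey_pfs),
    }


if __name__ == "__main__":
    for name, exposed in demo().items():
        print(f"{name}: {'exposed' if exposed else 'protected'}")
```

Running it shows the first Child SA and a KE-less rekey are both recoverable from SK_d alone, while the rekey that carried a KE payload is not; that is the difference the ASA summarises as 'DH group: none' versus the configured PFS group.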