List:       ipsec
Subject:    RE: [Ipsec] IKEv2 rekeying question
From:       Pasi.Eronen () nokia ! com
Date:       2005-07-27 13:00:40
Message-ID: B356D8F434D20B40A8CEDAEC305A1F24CD2F8B () esebe105 ! NOE ! Nokia ! com

Fukumoto Atsushi wrote:
> 
> In section "2.8 Rekeying", draft-ietf-ipsec-ikev2-17.txt says:
>        If redundant SAs are created though such a collision, 
>        the SA created with the lowest of the four nonces used 
>        in the two exchanges SHOULD be closed by the endpoint 
>        that created it.
> 
> Questions are:
> 
> 1.  What is the definition of comparison when determining the lowest
> of the four nonces?  Is it to interpret the nonces as big-endian
> integers (in that case, shorter nonces will be lower, unless the
> longer nonces happen to have zeros at their head)?  I think another
> possibility is to consider nonces as strings of octets and compare
> octet-by-octet from head to tail.

I think the intent was octet-by-octet (lexicographical) comparison,
sort of what "strcmp" does (but without special treatment for zero
octet).

(In other words: start by comparing the first octet; if they're equal,
move to the next octet, and so on. If you reach the end of one nonce,
that's the lower one.)

> 2.  I didn't understand the phrase "by the endpoint that created it",
> does it mean the endpoint that initiated the exchange which had the
> lowest nonce?  I understand "SHOULD be closed" means sending DELETE,
> as described in clarification draft 04 section 5.6.

Yes, that's right.

Best regards,
Pasi
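As an added illustration (not part of the thread or of any IKEv2 implementation), the comparison Pasi describes applied to a constructed rekey collision, with the big-endian-integer reading from the question alongside it to show that the two readings can pick different endpoints:

```python
# Added example; the two exchanges below are constructed, not captured traffic.


def compare_nonces(a: bytes, b: bytes) -> int:
    """Octet-by-octet (lexicographic) comparison, like strcmp but with no
    special treatment of a zero octet. If one nonce is exhausted while the
    octets so far are equal, the shorter nonce is the lower one.
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    if len(a) == len(b):
        return 0
    return -1 if len(a) < len(b) else 1


def lowest_lexicographic(exchanges):
    """exchanges: list of (initiator, Ni, Nr) for the two colliding rekeys.
    Returns (initiator of the exchange holding the lowest nonce, that nonce);
    per the draft, that initiator closes the SA it created."""
    lowest = None
    for initiator, ni, nr in exchanges:
        for nonce in (ni, nr):
            if lowest is None or compare_nonces(nonce, lowest[1]) < 0:
                lowest = (initiator, nonce)
    return lowest


def lowest_as_integer(exchanges):
    """Same selection, but reading each nonce as a big-endian integer
    (the alternative interpretation raised in the question)."""
    candidates = [(initiator, n) for initiator, ni, nr in exchanges
                  for n in (ni, nr)]
    return min(candidates, key=lambda c: int.from_bytes(c[1], "big"))


# Constructed collision: both peers start a rekey at the same time.
# Alice's exchange carries a nonce that is a proper prefix of another one;
# Bob's exchange carries short nonces that are small as integers.
COLLISION = [
    ("Alice", bytes.fromhex("7f0000"), bytes.fromhex("7f000001")),
    ("Bob", bytes.fromhex("ff"), bytes.fromhex("8000")),
]

if __name__ == "__main__":
    print("lexicographic:", lowest_lexicographic(COLLISION))  # Alice, 7f0000
    print("big-endian int:", lowest_as_integer(COLLISION))    # Bob, ff
```

With the lexicographic rule Alice deletes her redundant SA; with the integer reading Bob would, so two implementations that disagree on the interpretation could both keep or both delete an SA.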

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
