
Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
RFC 4478

Note: This ballot was opened for revision 05 and is now closed.

(Russ Housley; former steering group member) Yes


(Brian Carpenter; former steering group member) (was Discuss) No Objection

No Objection (2006-02-16)
Section 4 answers Joel Halpern's last call comment:

"Firstly, this is creating a TLV and associated behavior with significant interoperability problems.  As defined, the server decides it would like periodic renewal of the SA.  It sends the new information in the IKE exchange.  It gets no indication as to whether the receiver understood the information.  Then, if the receiver does not initiate a timely repeat of the authentication (at the preferred refresh time, which is presumably noticeably shorter than the key lifetime or this would not be needed), the server disconnects the session.  This produces distinctly unanticipated results.
Secondly, I had always understood that key lifetimes were the tool for this kind of thing, not extra timers.  The problem seems to be related to the need to reverse the direction. But this technique seems awkward, and as described just above prone to producing undesirable side-effects.
If this is going to be published as is, it needs a stronger and clearer health warning about what happens if the server tries to use this and the client does not understand it."
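To make the failure mode discussed in that comment concrete, the following is an added simulation (written for this page; it is not code from RFC 4478, from the datatracker, or from any of the commenters) of the AUTH_LIFETIME mechanism as RFC 4478 defines it: the side that wants periodic reauthentication sends an AUTH_LIFETIME notification carrying a 4-octet lifetime in seconds, and deletes the IKE SA if the peer has not reauthenticated by then. A peer that implements the RFC reauthenticates before the deadline; a peer that does not simply ignores the unknown notification (IKEv2 notifications are not marked critical) and is disconnected at the deadline, which is exactly the interoperability concern raised above. The notify type 16403 is the IANA-registered value for AUTH_LIFETIME; the lifetime, reauthentication margin, time horizon and class names are arbitrary choices for the illustration.

```python
"""Simulation of RFC 4478 AUTH_LIFETIME behaviour (added example, not RFC text)."""
import struct

AUTH_LIFETIME = 16403  # IANA IKEv2 Notify Message Type registered for RFC 4478


def encode_auth_lifetime(seconds):
    """IKEv2 Notify payload body (after the generic payload header):
    Protocol ID = 0 and SPI Size = 0 (IKE SA level notification),
    Notify Message Type = AUTH_LIFETIME, data = 4-octet lifetime in
    seconds, network byte order."""
    return struct.pack("!BBHI", 0, 0, AUTH_LIFETIME, seconds)


def decode_notify(body):
    """Split a Notify payload body into (type, SPI, notification data)."""
    proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
    spi = body[4:4 + spi_size]
    return ntype, spi, body[4 + spi_size:]


class Responder:
    """The side that wants periodic reauthentication (the 'server' in the comment)."""

    def __init__(self, auth_lifetime):
        self.auth_lifetime = auth_lifetime
        self.expires_at = None
        self.alive = True

    def complete_ike_auth(self, now):
        # (Re)authentication just succeeded: start a fresh lifetime and
        # tell the peer how long it has before it must authenticate again.
        self.expires_at = now + self.auth_lifetime
        return encode_auth_lifetime(self.auth_lifetime)

    def tick(self, now):
        # The peer did not reauthenticate in time: delete the IKE SA.
        if self.alive and now >= self.expires_at:
            self.alive = False
            return "DELETE"
        return None


class Initiator:
    """The peer; 'understands' models whether it implements RFC 4478 at all."""

    def __init__(self, understands_auth_lifetime, margin):
        self.understands = understands_auth_lifetime
        self.margin = margin  # arbitrary: reauthenticate this many seconds early
        self.reauth_at = None

    def receive_notify(self, body, now):
        ntype, _spi, data = decode_notify(body)
        if ntype == AUTH_LIFETIME and self.understands:
            (lifetime,) = struct.unpack("!I", data)
            self.reauth_at = now + lifetime - self.margin
        # Otherwise the notification is an unknown, non-critical payload and
        # is silently ignored: the sender gets no indication of that.

    def tick(self, now):
        if self.reauth_at is not None and now >= self.reauth_at:
            self.reauth_at = None
            return "REAUTH"
        return None


def run(understands, lifetime=300, margin=30, horizon=700):
    """Advance one second at a time; return (events, sa_still_alive)."""
    responder, initiator = Responder(lifetime), Initiator(understands, margin)
    events = []
    initiator.receive_notify(responder.complete_ike_auth(0), 0)
    for now in range(1, horizon + 1):
        if initiator.tick(now) == "REAUTH":
            events.append((now, "REAUTH"))
            initiator.receive_notify(responder.complete_ike_auth(now), now)
        if responder.tick(now) == "DELETE":
            events.append((now, "DELETE"))
            break
    return events, responder.alive


if __name__ == "__main__":
    print("peer implements RFC 4478:", run(True))
    print("peer ignores the notify :", run(False))
```

With the default values the compliant peer reauthenticates at 270 and 540 seconds and the SA is still up at the end of the run; the non-compliant peer never acts and the responder deletes the SA at 300 seconds, with no earlier signal to either side that the notification was not understood.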