RE: COPS key management question
> -----Original Message-----
> From: vinay [mailto:mietf@yahoo.com]
>
> Hi
> Section 4.2 (Key Maintenance) in RFC 2748 mentions:
>
> It is good practice to regularly change keys. Keys MUST be configurable
> such that their lifetimes overlap allowing smooth transitions between
> keys. At the midpoint of the lifetime overlap between two keys, senders
> should transition from using the current key to the next/longer-lived
> key. Meanwhile, receivers simply accept any identified key received
> within its configured lifetime and reject those that are not.
>
> Does this mean that every time a key is changed, the open session should
> be closed and the security and sequence number negotiation be done again
> (i.e. by reconnecting and sending an OPN message with the new key id in
> the integrity object after closing the previous session)?
[Dave] No. All the session keys are identified by their KeyID. Thus, you do
not have to renegotiate anything. The current sequence can be maintained,
because when the key is switched, the KeyID is changed to that of the new
key.
The above quote deals with how switching keys in an active session is
handled between the client and server (PEP & PDP). It allows their period of
validity to overlap so the transition will work smoothly.
> Thanks,
> Vinay
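The rollover Dave describes, as an added worked example that is not part of the original thread or of any COPS implementation. It models the Integrity object of RFC 2748 section 2.2.10 (C-Num 16, C-Type 1, HMAC-MD5-96; Key ID, Sequence Number and a 96-bit digest computed over the message up to and including the Sequence Number) from my reading of the RFC; the key table, lifetimes, timestamps and message body are constructed for the illustration. The sender keeps one running sequence number and simply changes the Key ID at the midpoint of the overlap; the receiver looks the key up by Key ID and accepts it only within its configured lifetime. No OPN or reconnect occurs anywhere in the exchange.

```python
import hashlib
import hmac
import struct

# Integrity object layout per RFC 2748 s2.2.10 (my reading of the spec):
# object header Length(16) C-Num(8) C-Type(8), then Key ID(32), Sequence Number(32),
# then the keyed digest: HMAC-MD5 truncated to 96 bits for C-Type 1.
C_NUM_INTEGRITY = 16
C_TYPE_HMAC_MD5_96 = 1
DIGEST_LEN = 12
INTEGRITY_LEN = 4 + 4 + 4 + DIGEST_LEN  # 24 bytes
COMMON_HDR_LEN = 8

# Constructed key table: key_id -> (shared key, valid_from, valid_to), times in seconds.
# Key 1 and key 2 overlap from t=100 to t=200, so the midpoint is t=150.
KEYS = {
    1: (b"old-shared-secret", 0, 200),
    2: (b"new-shared-secret", 100, 400),
}


def select_key_id(keys, now):
    """Sender policy from RFC 2748 s4.2: stay on the current key until the midpoint
    of its overlap with the next key, then switch to the next/longer-lived key."""
    live = sorted((k for k, (_, start, end) in keys.items() if start <= now < end),
                  key=lambda k: keys[k][1])
    if not live:
        raise LookupError("no key valid at t=%d" % now)
    if len(live) == 1:
        return live[0]
    cur, nxt = live[0], live[1]
    overlap_start, overlap_end = keys[nxt][1], keys[cur][2]
    midpoint = (overlap_start + overlap_end) / 2
    return nxt if now >= midpoint else cur


def build_message(body, key_id, key, seq):
    """Build a COPS message (common header + body) carrying an Integrity object.
    The digest covers everything from the common header through the Sequence Number."""
    total_len = COMMON_HDR_LEN + len(body) + INTEGRITY_LEN
    # Common header: version 1 / flags 0 (0x10), Op Code 1 (REQ), Client-type 0, Message Length.
    header = struct.pack("!BBHI", 0x10, 1, 0, total_len)
    obj_hdr = struct.pack("!HBB", INTEGRITY_LEN, C_NUM_INTEGRITY, C_TYPE_HMAC_MD5_96)
    covered = header + body + obj_hdr + struct.pack("!II", key_id, seq)
    digest = hmac.new(key, covered, hashlib.md5).digest()[:DIGEST_LEN]
    return covered + digest


def verify_message(msg, keys, now, expected_seq):
    """Receiver policy: accept any identified key that is within its configured
    lifetime, reject any other; then check the digest and the sequence number."""
    covered, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    obj_len, c_num, c_type = struct.unpack("!HBB", covered[-12:-8])
    if (obj_len, c_num, c_type) != (INTEGRITY_LEN, C_NUM_INTEGRITY, C_TYPE_HMAC_MD5_96):
        return (False, "malformed integrity object")
    key_id, seq = struct.unpack("!II", covered[-8:])
    entry = keys.get(key_id)
    if entry is None:
        return (False, "unknown key id")
    key, start, end = entry
    if not (start <= now < end):
        return (False, "key outside lifetime")
    expect = hmac.new(key, covered, hashlib.md5).digest()[:DIGEST_LEN]
    if not hmac.compare_digest(expect, digest):
        return (False, "bad digest")
    if seq != expected_seq:
        return (False, "sequence mismatch")
    return (True, "ok")


def simulate_rollover():
    """Send five messages on one session across the overlap. The sequence number
    never resets; only the Key ID changes, from 1 to 2 at the midpoint t=150."""
    seq = 1
    results = []
    for now in (50, 149, 150, 199, 250):
        kid = select_key_id(KEYS, now)
        msg = build_message(b"\x00" * 4, kid, KEYS[kid][0], seq)
        ok, reason = verify_message(msg, KEYS, now, seq)
        results.append((now, kid, ok, reason))
        seq += 1
    return results


if __name__ == "__main__":
    for row in simulate_rollover():
        print("t=%3d key_id=%d accepted=%s (%s)" % row)
```

Because the digest covers the Key ID itself, the receiver can only choose a key after parsing the object, which is exactly why the key is identified in-band and the session never has to be torn down. A key whose lifetime has expired is rejected even if the digest under it would have verified, and a replayed or tampered message fails on the sequence or digest check respectively.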