Cisco Cisco Packet Data Gateway (PDG)
Rekeying SAs
▀ Rekey Traffic Overlap
▄ IPSec Reference, StarOS Release 17
136
Rekey Traffic Overlap
Overview
An SA may be created with a finite lifetime, in terms of time or traffic volume. To assure interrupt-free traffic IKE SA
and IPSec SAs have to be “rekeyed”. By definition, rekeying is the creation of new SA to take the place of expiring SA
well before the SA expires. RFC 5996 describes the procedure for IKEv2 rekeying with minimal traffic loss.
and IPSec SAs have to be “rekeyed”. By definition, rekeying is the creation of new SA to take the place of expiring SA
well before the SA expires. RFC 5996 describes the procedure for IKEv2 rekeying with minimal traffic loss.
During the rekeying, both initiator and responder maintain both SAs for some duration during which they can receive
(inbound) on both SAs. The inbound traffic on the old SA stops only after each node unambiguously knows that the
peer is ready to start sending on the new SA (switch outbound to new SA). Switching the outbound traffic to new SA
happens at the initiator and responder as depicted in following diagram.
(inbound) on both SAs. The inbound traffic on the old SA stops only after each node unambiguously knows that the
peer is ready to start sending on the new SA (switch outbound to new SA). Switching the outbound traffic to new SA
happens at the initiator and responder as depicted in following diagram.
Figure 27. Call Flow: Maintaining Old and New SAs during Child SA Rekeying