Cisco Packet Data Gateway (PDG)
Rekeying SAs
Rekey Traffic Overlap
IPSec Reference, StarOS Release 17
Note the following key points:
• The initiator is the first to switch its outbound traffic to the new SA.
• The responder switches its outbound traffic as a consequence, after the initiator has switched.
• Each node is ready to receive on both SAs for some duration.
• If traffic does not start flowing immediately on the new SA, the nodes use another mechanism to switch traffic to the new SA.

A node moves its traffic to the new child SA (IPSec SA) and stops using the old one when one of the following occurs:
• Traffic is received on the new child SA.
• The node receives an explicit delete for the old child SA over IKE.
• A predefined time elapses (neither of the two preceding events has happened).
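The overlap behaviour described above, as an added example that is not part of the StarOS documentation or software: a small Python simulation of an initiator and a responder during a child SA rekey. It shows the initiator switching outbound first, both nodes accepting on both SAs during the overlap, and each of the three triggers (traffic on the new SA, explicit delete, timeout) by which the responder finally leaves the old SA. Node names, SPI values and the grace period are assumptions made for the example.

```python
"""
Simulation of the IKEv2 child SA rekey traffic overlap described above.
Constructed example: node names, SPI values and the grace period are
assumed here and are not taken from the StarOS documentation.
"""
from dataclasses import dataclass, field

REKEY_GRACE_SECONDS = 30  # assumed: how long a node keeps the old SA with no trigger


@dataclass
class Node:
    name: str
    inbound: set           # SPIs this node is still willing to receive on
    outbound: int          # SPI this node currently sends on
    events: list = field(default_factory=list)

    def note(self, msg):
        self.events.append(f"{self.name}: {msg}")

    def install_new_sa(self, new_spi, is_initiator):
        """Accept inbound on both SAs; only the initiator moves outbound now."""
        self.inbound.add(new_spi)
        self.note(f"inbound accepts {sorted(self.inbound)}")
        if is_initiator:
            self.outbound = new_spi
            self.note(f"outbound switched to {new_spi} (initiator switches first)")

    def receive(self, spi, new_spi):
        """Inbound ESP packet. Traffic arriving on the new SA is switch trigger 1."""
        if spi not in self.inbound:
            raise ValueError(f"{self.name}: packet on unknown SPI {spi:#x}")
        if spi == new_spi and self.outbound != new_spi:
            self.outbound = new_spi
            self.note(f"outbound switched to {new_spi} (traffic seen on new SA)")

    def delete_old_sa(self, old_spi, new_spi):
        """Explicit IKE DELETE for the old child SA, sent or received: trigger 2."""
        self.inbound.discard(old_spi)
        if self.outbound == old_spi:
            self.outbound = new_spi
            self.note(f"outbound switched to {new_spi} (explicit delete)")
        self.note(f"old SA {old_spi} removed, inbound now {sorted(self.inbound)}")

    def expire(self, old_spi, new_spi, elapsed):
        """Trigger 3: predefined time elapsed with neither traffic nor delete."""
        if elapsed < REKEY_GRACE_SECONDS or old_spi not in self.inbound:
            return
        self.inbound.discard(old_spi)
        if self.outbound == old_spi:
            self.outbound = new_spi
            self.note(f"outbound switched to {new_spi} (timeout)")
        self.note(f"old SA {old_spi} removed after {elapsed}s timeout")


def run_rekey(trigger):
    """Rekey one child SA; `trigger` is how the responder leaves the old SA."""
    old_spi, new_spi = 0x1001, 0x2002          # assumed SPI values
    init = Node("initiator", {old_spi}, old_spi)
    resp = Node("responder", {old_spi}, old_spi)

    # CREATE_CHILD_SA completes: both install the new SA, initiator switches first.
    init.install_new_sa(new_spi, is_initiator=True)
    resp.install_new_sa(new_spi, is_initiator=False)
    overlap = init.inbound == resp.inbound == {old_spi, new_spi}

    # Responder is still sending on the old SA; the initiator must still accept it.
    init.receive(resp.outbound, new_spi)

    if trigger == "traffic":
        resp.receive(init.outbound, new_spi)     # first packet on the new SA
        init.delete_old_sa(old_spi, new_spi)     # initiator then deletes the old SA
        resp.delete_old_sa(old_spi, new_spi)
    elif trigger == "delete":
        init.delete_old_sa(old_spi, new_spi)     # delete arrives before any traffic
        resp.delete_old_sa(old_spi, new_spi)
    elif trigger == "timeout":
        init.expire(old_spi, new_spi, REKEY_GRACE_SECONDS)
        resp.expire(old_spi, new_spi, REKEY_GRACE_SECONDS)
    else:
        raise ValueError(f"unknown trigger {trigger!r}")
    return {"overlap": overlap, "initiator": init, "responder": resp, "new_spi": new_spi}


def converged(state):
    """True once both nodes send and accept only on the new SA."""
    a, b, spi = state["initiator"], state["responder"], state["new_spi"]
    return a.outbound == b.outbound == spi and a.inbound == b.inbound == {spi}


if __name__ == "__main__":
    for t in ("traffic", "delete", "timeout"):
        s = run_rekey(t)
        print(f"--- trigger: {t}  overlap={s['overlap']} converged={converged(s)}")
        for e in s["initiator"].events + s["responder"].events:
            print("  " + e)
```

Run with `python3 rekey_overlap.py` to print the event sequence for each trigger. The `receive` method raising on an unknown SPI is the point of the overlap: if either side dropped the old SA the moment the new one was created, the responder's in-flight packets on the old SA would be discarded.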
Deployment Scenarios
Network operators prefer to use an SA with a finite lifetime, to reduce the risk of key compromise that comes with using one key indefinitely. Rekeying, rather than deleting and re-creating the SA, avoids interruptions in traffic.
Initiator and Responder Rekeying Behavior
During rekeying, the old SA must not be deleted as soon as the new SA is created. Traffic transmission on the new SA and deletion of the old child SA occur as depicted in the following diagram.