[Swan-dev] naming v2 states

Antony Antony antony at phenome.org
Sat Aug 30 09:21:36 EEST 2014


Don't we need a terminal state for the child SA, when the initiator gets a response?

CREATE_CHILD_SA as described in 5996 exchange has three different exchanges:

actually create a CHILD_SA
rekey parent/IKE SA (it is different from re-authentication)
rekey child/IPSEC SA  

I wonder, do we need different state names for these, or overload it like the informational exchange?
It would be ideal if some of the informational states had their own name, e.g. v2D. Currently there is an entry svm STATE_IKESA_DEL. Maybe it is a partial entry.

Once we implement EAP authentication, we may have to extend the AUTH exchange. EAP could take more than one round trip.

Hugh, feel free to rename the wiki page. I couldn't find the move URL :)

The last set and the first set look interesting. Let's remove the other options and focus on these two.

-antony




 
On Fri, Aug 29, 2014 at 04:05:36PM -0400, Paul Wouters wrote:
> On Fri, 29 Aug 2014, Matt Rogers wrote:
> 
> >Subject: Re: [Swan-dev] naming v2 states
> >
> >I like the suggested set at the bottom there. I think avoiding calling the resulting states a CHILD and instead calling them IKE or IPSEC is a good idea. I also like the idea of incorporating the intended SA type in the CHILD exchange's state names.
> 
> Funny, I was hoping to keep the RFC names for the states, eg to keep
> using CREATE_CHILD_XXX despite that it can create parents.
> 
> Paul