3.10 IKE SA Correlation (IKEV2) Details

See [RFC4306] section 1.2. If SA Correlation is used, during the IKE_SA exchange the Correlation payload MUST be inserted immediately prior to the SA payload.

On initiator:

HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] NOTIFY, AUTH, CORRELATION, SAi2, TSi, TSr}

This is similar to the behavior for the Extensible Authentication Protocol (EAP) exchange, as defined in [RFC4306] section 2.16.

NOTIFY is related to the Mobility and Multihoming Protocol (MOBIKE). See [RFC4555] section 4 for information about the Notify message type. See [RFC4306] section 3.10 for the general Notify header format.

The correlation exchange MUST use the same authentication as the original exchange. If the original exchange did EAP authentication, then the correlation exchange MUST use EAP authentication. Similarly, if the original exchange used certificate authentication (and not EAP authentication), then the correlation exchange MUST use certificate authentication, and MUST NOT use EAP authentication.
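A conformance check for the two MUST rules in this section, as an added example that is not part of the specification. Payload names are symbolic strings rather than wire payload type numbers, and the function name, the `"eap"`/`"certificate"` labels and the sample messages are assumptions constructed for illustration.

```python
# Added example: validates payload order and authentication consistency for a
# decrypted initiator message. Payloads are symbolic names, not wire type codes.
EAP, CERT = "eap", "certificate"  # hypothetical labels chosen for this example

def check_correlation_exchange(payloads, original_auth, correlation_auth):
    """Return a list of rule violations (empty list means conformant).

    payloads: payload names in the order they appear inside SK {...}
    original_auth / correlation_auth: EAP or CERT, as recorded by the caller
    """
    corr = [i for i, p in enumerate(payloads) if p == "CORRELATION"]
    if not corr:
        return []  # SA Correlation is not used, so neither rule applies

    violations = []
    sa = [i for i, p in enumerate(payloads) if p.startswith("SA")]
    # Rule 1: the Correlation payload sits immediately prior to the SA payload.
    if not sa:
        violations.append("CORRELATION present but no SA payload follows")
    elif corr[0] + 1 != sa[0]:
        violations.append("CORRELATION is not immediately prior to the SA payload")

    # Rule 2: the correlation exchange authenticates the same way as the original.
    if original_auth == EAP and correlation_auth != EAP:
        violations.append("original exchange used EAP; correlation exchange MUST use EAP")
    elif original_auth == CERT and correlation_auth == EAP:
        violations.append("original exchange used certificates; "
                          "correlation exchange MUST NOT use EAP")
    elif original_auth != correlation_auth:
        violations.append("correlation exchange MUST use the same authentication")
    return violations

# Constructed sample messages (payload order only).
GOOD = ["IDi", "CERT", "CERTREQ", "IDr", "NOTIFY", "AUTH",
        "CORRELATION", "SAi2", "TSi", "TSr"]
MISPLACED = ["IDi", "NOTIFY", "CORRELATION", "AUTH", "SAi2", "TSi", "TSr"]

if __name__ == "__main__":
    for name, msg, orig, now in [("good", GOOD, CERT, CERT),
                                 ("misplaced", MISPLACED, EAP, EAP),
                                 ("auth switch", GOOD, CERT, EAP)]:
        print(name, "->", check_correlation_exchange(msg, orig, now) or "ok")
```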
