-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document key rotation #3
Comments
A SPI will live as long as its original key is either in the master primary or secondary slots. Once there is a double rotation they yes, that SPI is junk. :-) I agree that there should be some guidance on invoking key rotations and the communication between endpoints. |
Should this be part of PSP? |
A protocol between endpoints for key rotation is outside PSP (as its defined now). Any wording on this would be similar to that stated about the initial handshake for communicating the shared secret key. Clear guidance to when key rotation must occur should be provided. There is some text on this but it could probably be refined further. |
The document has been updated to indicate that rekeying is necessary with key rotation (although the details of key rotation are currently out of scope for the document). |
It is unclear how an SPI can last longer than the underlying master key in the NIC. In particular, there must be a way for receiver-side software to communicate new keys to the sender, and for there to be enough overlap (where both new and old keys are allowed) to avoid packet drops.
The text was updated successfully, but these errors were encountered: