| CPC H04L 9/0891 (2013.01) [H04L 63/164 (2013.01)] | 19 Claims |

1. A method in a first network device for rekeying a first Internet Protocol Security (IPsec) security association (SA) of the first network device, the first IPsec SA including first cryptographic material used to respectively encrypt and decrypt transmissions to and from a second network device, the method in the first network device comprising:
setting a single bit in a Security Protocol Index (SPI) component of a first IPsec packet to a value indicating that an SA rekey operation is in progress between the first network device and the second network device;
storing the first cryptographic material in a portion of a payload component of the first IPsec packet;
transmitting the first IPsec packet to the second network device;
receiving a second IPsec packet from the second network device, wherein an SPI component of the second IPsec packet has the single bit set to the value indicating that the SA rekey operation is in progress, and wherein a payload component of the second IPsec packet includes second cryptographic material from the second network device; and
updating the cryptographic material contained in the first IPsec SA using the first and second cryptographic material and storing the updated cryptographic material in one or more new IPsec SAs, wherein subsequent transmissions to and from the second network device are respectively encrypted and decrypted using the one or more new IPsec SAs.
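As an added worked example (not the patent's or any product's code), the following Python simulates the two-packet exchange of claim 1 from both devices' sides: a flag bit in the SPI (the Security Parameter Index field of RFC 4301) marks a packet as carrying rekey material, the material rides in a leading portion of the payload, and each device derives the same new SA from both contributions. Which SPI bit is used, the length-prefixed payload layout, and the HMAC-SHA256 derivation keyed with the old SA key are all assumptions, since the claim leaves them open.

```python
import hashlib
import hmac
import secrets
from typing import Optional

REKEY_BIT = 1 << 31      # ASSUMPTION: the claim fixes neither which SPI bit is used nor its polarity
SPI_MASK = 0xFFFFFFFF    # the SPI is a 32-bit field

def has_rekey_flag(spi: int) -> bool:
    return bool(spi & REKEY_BIT)

def build_rekey_packet(spi: int, material: bytes, data: bytes = b"") -> dict:
    """Set the flag bit in the SPI and store the material in a leading, length-prefixed portion of the payload."""
    return {"spi": (spi | REKEY_BIT) & SPI_MASK,
            "payload": len(material).to_bytes(1, "big") + material + data}

def extract_material(pkt: dict) -> Optional[bytes]:
    """Return the peer's material only when the SPI flag says a rekey is in progress; ordinary packets yield None."""
    if not has_rekey_flag(pkt["spi"]):
        return None
    n = pkt["payload"][0]
    return pkt["payload"][1:1 + n]

def derive_new_sa(old_key: bytes, first_material: bytes, second_material: bytes) -> dict:
    """ASSUMPTION: HMAC-SHA256 keyed with the old SA key over both contributions, in a fixed order so both peers agree."""
    prk = hmac.new(old_key, first_material + second_material, hashlib.sha256).digest()
    return {
        "spi": int.from_bytes(prk[:4], "big") & SPI_MASK & ~REKEY_BIT,  # new SPI with the flag clear
        "enc_key": hmac.new(prk, b"encrypt", hashlib.sha256).digest()[:16],
        "auth_key": hmac.new(prk, b"integrity", hashlib.sha256).digest(),
    }

def rekey_exchange(old_key: bytes, spi_first: int, spi_second: int,
                   first_material: Optional[bytes] = None, second_material: Optional[bytes] = None):
    """Run the two-packet exchange and return the new SA each device computes (constructed simulation)."""
    first_material = first_material or secrets.token_bytes(32)
    second_material = second_material or secrets.token_bytes(32)
    pkt1 = build_rekey_packet(spi_first, first_material)       # first device -> second device
    seen_by_second = extract_material(pkt1)
    pkt2 = build_rekey_packet(spi_second, second_material)     # second device -> first device
    seen_by_first = extract_material(pkt2)
    sa_at_first = derive_new_sa(old_key, first_material, seen_by_first)
    sa_at_second = derive_new_sa(old_key, seen_by_second, second_material)
    return sa_at_first, sa_at_second

if __name__ == "__main__":
    a, b = rekey_exchange(b"\x11" * 16, 0x00001234, 0x00005678)
    print("peers agree on new SA:", a == b, "new SPI: %#010x" % a["spi"])
```

A packet without the flag bit is treated as ordinary traffic and contributes no material, which is the check a receiver needs so that payload bytes are never mistaken for rekey material.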