>>> In an IKE_AUTH
>>> exchange, or in the subsequent INFORMATIONAL exchange, only the
>>> following notifications cause the IKE SA to be deleted or not
>>> created, without a DELETE payload:
>>> o UNSUPPORTED_CRITICAL_PAYLOAD
>>> o INVALID_SYNTAX
>>> o AUTHENTICATION_FAILED
>>>
>>> Extension documents may define new error notifications with these
>>> semantics, but MUST NOT use them unless the peer is known to
>>> understand them.
>>
>> In subsequent INFORMATIONAL exchanges the UNSUPPORTED_CRITICAL_PAYLOAD
>> should not be fatal. It only means that the responder ignored the
>> whole message and replied with UNSUPPORTED_CRITICAL_PAYLOAD. That does
>> not delete the IKE SA.
>>
>> For the IKE_AUTH the UNSUPPORTED_CRITICAL_PAYLOAD can delete the IKE
>> SA as the IKE SA is not yet ready.
>
>That's what I meant. I will clarify this.
I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
either.
Keith Welter
IBM z/OS Communications Server Developer
1-415-545-2694 (T/L: 473-2694)