Re: [IPsec] Issue #26: Missing treatment of error cases

From: Keith Welter <welterk_at_nospam>
Date: Fri Sep 04 2009 - 16:04:46 GMT
To: ipsec@ietf.org


>>> In an IKE_AUTH
>>> exchange, or in the subsequent INFORMATIONAL exchange, only the
>>> following notifications cause the IKE SA to be deleted or not
>>> created, without a DELETE payload:
>>> o UNSUPPORTED_CRITICAL_PAYLOAD
>>> o INVALID_SYNTAX
>>> o AUTHENTICATION_FAILED
>>>
>>> Extension documents may define new error notifications with these
>>> semantics, but MUST NOT use them unless the peer is known to
>>> understand them.
>>
>> In subsequent INFORMATIONAL exchanges the UNSUPPORTED_CRITICAL_PAYLOAD
>> should not be fatal. It only means that the responder ignored the
>> whole message and replied with UNSUPPORTED_CRITICAL_PAYLOAD. That does
>> not delete IKE SA.
>>
>> For the IKE_AUTH the UNSUPPORTED_CRITICAL_PAYLOAD can delete the IKE
>> SA as IKE SA is not yet ready.
>
> That's what I meant. I will clarify this.

I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted either.

Keith Welter
IBM z/OS Communications Server Developer 1-415-545-2694 (T/L: 473-2694)



IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec