> >>> In an IKE_AUTH
> >>> exchange, or in the subsequent INFORMATIONAL exchange, only the
> >>> following notifications cause the IKE SA to be deleted or not
> >>> created, without a DELETE payload:
> >>> o UNSUPPORTED_CRITICAL_PAYLOAD
> >>> o INVALID_SYNTAX
> >>> o AUTHENTICATION_FAILED
> >>>
> >>> Extension documents may define new error notifications with these
> >>> semantics, but MUST NOT use them unless the peer is known to
> >>> understand them.
> >>
> >> In subsequent INFORMATIONAL exchanges the UNSUPPORTED_CRITICAL_PAYLOAD
> >> should not be fatal. It only means that the responder ignored the
> >> whole message and replied with UNSUPPORTED_CRITICAL_PAYLOAD. That does
> >> not delete IKE SA.
> >>
> >> For the IKE_AUTH the UNSUPPORTED_CRITICAL_PAYLOAD can delete the IKE
> >> SA as IKE SA is not yet ready.
> >
> >That's what I meant. I will clarify this.
> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted either.
Actually, my last statement was overly simplistic. I should have said that
there is at least one case when I would not expect INVALID_SYNTAX to cause
the IKE SA to be deleted; specifically, when it is included in a
CREATE_CHILD_SA exchange. However, I wonder if it is sufficient for an
INVALID_SYNTAX in an INFORMATIONAL exchange to cause an IKE SA to be deleted
without including a delete payload for the IKE SA. It seems potentially
ambiguous what an implementation should do if an INFORMATIONAL message
contains only INVALID_SYNTAX whereas the addition of a delete payload for
the IKE SA makes the situation clear.
Keith Welter
IBM z/OS Communications Server Developer
1-415-545-2694 (T/L: 473-2694)
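The two readings discussed in this thread, as an added example that is not part of the original message and is not code from any IKEv2 implementation: a small decision model that takes a received response (exchange type, error notifications, whether a DELETE payload names the IKE SA itself) and reports what happens to the IKE SA. The "draft" policy applies the quoted text literally; the "thread" policy applies the reading argued for above (UNSUPPORTED_CRITICAL_PAYLOAD fatal only during IKE_AUTH, INVALID_SYNTAX in CREATE_CHILD_SA fails only the child, and INVALID_SYNTAX alone in INFORMATIONAL flagged as ambiguous unless an explicit DELETE makes the intent clear). The policy names, the `Outcome` values, the `Received`/`IkeSa` fields and the responder helper are assumptions made for this illustration; only the exchange and notification names are the protocol's own.

```python
"""Added example: model of how an IKEv2 peer decides whether an error
notification tears down the IKE SA. Not from the ipsec list thread or any
real implementation; policies, Outcome values and message fields are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class Exchange(Enum):
    IKE_AUTH = "IKE_AUTH"
    CREATE_CHILD_SA = "CREATE_CHILD_SA"
    INFORMATIONAL = "INFORMATIONAL"


class Outcome(Enum):
    IKE_SA_DELETED = "ike_sa_deleted"        # IKE SA (and its Child SAs) are gone
    CHILD_SA_REJECTED = "child_sa_rejected"  # only the CREATE_CHILD_SA attempt failed
    MESSAGE_IGNORED = "message_ignored"      # peer did not process our request at all
    AMBIGUOUS = "ambiguous"                  # the text gives no clear instruction
    NO_EFFECT = "no_effect"


# The three notifications the quoted draft text lists as fatal without a DELETE payload.
FATAL_NOTIFIES = frozenset({
    "UNSUPPORTED_CRITICAL_PAYLOAD",
    "INVALID_SYNTAX",
    "AUTHENTICATION_FAILED",
})


@dataclass
class Received:
    """A received response reduced to the fields the decision needs (constructed)."""
    exchange: Exchange
    notifications: frozenset = frozenset()
    deletes_ike_sa: bool = False  # carries a DELETE payload naming the IKE SA itself


@dataclass
class IkeSa:
    alive: bool = True
    log: list = field(default_factory=list)


def _kill(sa: IkeSa, reason: str) -> Outcome:
    sa.alive = False
    sa.log.append(f"IKE SA deleted: {reason}")
    return Outcome.IKE_SA_DELETED


def on_response(sa: IkeSa, msg: Received, policy: str = "draft") -> Outcome:
    """Decide what a received error notification does to the IKE SA.

    policy="draft": the quoted text read literally; the three notifications
      tear down the IKE SA in IKE_AUTH and INFORMATIONAL, no DELETE needed.
    policy="thread": the reading argued for in the thread (assumed here to be
      the intended semantics).
    """
    errors = msg.notifications & FATAL_NOTIFIES

    # An explicit DELETE of the IKE SA is unambiguous under either reading.
    if msg.deletes_ike_sa:
        return _kill(sa, "explicit DELETE payload for the IKE SA")
    if not errors:
        return Outcome.NO_EFFECT

    if msg.exchange is Exchange.IKE_AUTH:
        # The IKE SA is not yet ready: any of these errors aborts its creation.
        return _kill(sa, f"{sorted(errors)} during IKE_AUTH")

    if msg.exchange is Exchange.CREATE_CHILD_SA:
        # Not an exchange the draft text names; only the child negotiation fails.
        sa.log.append(f"CREATE_CHILD_SA rejected: {sorted(errors)}")
        return Outcome.CHILD_SA_REJECTED

    # INFORMATIONAL on an established IKE SA.
    if policy == "draft":
        return _kill(sa, f"{sorted(errors)} in INFORMATIONAL (draft text)")
    if "AUTHENTICATION_FAILED" in errors:
        return _kill(sa, "AUTHENTICATION_FAILED in INFORMATIONAL")
    if "UNSUPPORTED_CRITICAL_PAYLOAD" in errors:
        # Responder ignored our request; the established IKE SA is untouched.
        sa.log.append("request ignored by peer (unsupported critical payload)")
        return Outcome.MESSAGE_IGNORED
    # Only INVALID_SYNTAX and no DELETE payload: the open question in the thread.
    sa.log.append("INVALID_SYNTAX in INFORMATIONAL without DELETE: ambiguous")
    return Outcome.AMBIGUOUS


def on_request(sa: IkeSa, exchange: Exchange, unknown_critical_payload: bool) -> frozenset:
    """Responder side, as described in the thread: a request carrying an
    unrecognised payload with the critical bit set is ignored as a whole and
    the response carries UNSUPPORTED_CRITICAL_PAYLOAD. Returns the notifications
    to put in the response; the IKE SA itself is left alone here."""
    if unknown_critical_payload:
        sa.log.append(f"ignored {exchange.value} request with unknown critical payload")
        return frozenset({"UNSUPPORTED_CRITICAL_PAYLOAD"})
    return frozenset()


if __name__ == "__main__":
    sa = IkeSa()
    msg = Received(Exchange.INFORMATIONAL, frozenset({"UNSUPPORTED_CRITICAL_PAYLOAD"}))
    print("draft :", on_response(IkeSa(), msg, policy="draft").value)
    print("thread:", on_response(sa, msg, policy="thread").value, "| alive:", sa.alive)
```

Running the block shows the divergence the thread is about: the same INFORMATIONAL response with UNSUPPORTED_CRITICAL_PAYLOAD deletes the IKE SA under the literal draft text but only marks the request as ignored under the thread's reading. The `AMBIGUOUS` outcome is deliberately a distinct value rather than a guess, so an implementer can log it and decide explicitly instead of silently picking one behaviour.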