ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: [IPsec] Fw: Issue #26: Missing treatment of error cases

[IPsec] Fw: Issue #26: Missing treatment of error cases

From: Keith Welter <welterk_at_nospam>
Date: Fri Sep 04 2009 - 16:26:10 GMT
To: ipsec@ietf.org


> >>> In an IKE_AUTH
> >>> exchange, or in the subsequent INFORMATIONAL exchnage, only the
> >>> following notifications cause the IKE SA to be deleted or not
> >>> created, without a DELETE payload:
> >>> o UNSUPPORTED_CRITICAL_PAYLOAD
> >>> o INVALID_SYNTAX
> >>> o AUTHENTICATION_FAILED
> >>>
> >>> Extension documents may define new error notifications with these
> >>> semantics, but MUST NOT use them unless the peer is known to
> >>> understand them.
> >>
> >> In subsequent INFORMATIONAL exchanges the
UNSUPPORTED_CRITICAL_PAYLOAD
> >> should not be fatal. It only means that the responder ignored the
> >> whole message and replied with UNSUPPORTED_CRITICAL_PAYLOAD. That
does
> >> not delete IKE SA.
> >>
> >> For the IKE_AUTH the UNSUPPORTED_CRITICAL_PAYLOAD can delete the IKE
> >> SA as IKE SA is not yet ready.
> >
> >That's what I meant. I will clarify this.
> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
either.
Actually, my last statement was overly simplistic. I should have said that
there is at least one case when I would not expect INVALID_SYNTAX to cause

the IKE SA to be deleted; specifically, when it is included in a CREATE_CHILD_SA exchange. However, I wonder if it is sufficient for an INVALID_SYNTAX in an INFORMATIONAL exchange to cause an IKE SA to be deleted
without including a delete payload for the IKE SA. It seems potentially ambiguous what an implementation should do if an INFORMATIONAL message contains only INVALID_SYNTAX whereas the addition of a delete payload for the IKE SA makes the situation clear.

Keith Welter
IBM z/OS Communications Server Developer 1-415-545-2694 (T/L: 473-2694)



IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec