> >>> In an IKE_AUTH
> >>> exchange, or in the subsequent INFORMATIONAL exchange, only the
> >>> following notifications cause the IKE SA to be deleted or not
> >>> created, without a DELETE payload:
> >>> o UNSUPPORTED_CRITICAL_PAYLOAD
> >>> o INVALID_SYNTAX
> >>> o AUTHENTICATION_FAILED
> >>> Extension documents may define new error notifications with these
> >>> semantics, but MUST NOT use them unless the peer is known to
> >>> understand them.
> >> In subsequent INFORMATIONAL exchanges the
> >> should not be fatal. It only means that the responder ignored the
> >> whole message and replied with UNSUPPORTED_CRITICAL_PAYLOAD. That
> >> does not delete the IKE SA.
> >> For the IKE_AUTH the UNSUPPORTED_CRITICAL_PAYLOAD can delete the IKE
> >> SA as IKE SA is not yet ready.
> >That's what I meant. I will clarify this.
> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
Actually, my last statement was overly simplistic. I should have said that
there is at least one case when I would not expect INVALID_SYNTAX to cause
the IKE SA to be deleted; specifically, when it is included in a
CREATE_CHILD_SA exchange. However, I wonder if it is sufficient for an
INVALID_SYNTAX in an INFORMATIONAL exchange to cause an IKE SA to be deleted
without including a delete payload for the IKE SA. It seems potentially
ambiguous what an implementation should do if an INFORMATIONAL message
contains only INVALID_SYNTAX, whereas the addition of a delete payload for
the IKE SA makes the situation clear.
IBM z/OS Communications Server Developer 1-415-545-2694 (T/L: 473-2694)
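Added example, not part of the list thread above or of any IKE implementation: a small Python walker over an IKEv2 payload chain that pulls out Notify and Delete payloads and then applies the "does this error take down the IKE SA?" rule as the quoted draft text states it, with the thread's two clarifications (UNSUPPORTED_CRITICAL_PAYLOAD in a later INFORMATIONAL only means the request was ignored; INVALID_SYNTAX in an INFORMATIONAL without a Delete payload is flagged as ambiguous rather than acted on). The exchange, payload and notify numbers are the IANA values from RFC 7296; the messages are constructed for the example, and treating AUTHENTICATION_FAILED in an INFORMATIONAL as fatal is an assumption taken from the quoted text.

```python
# Added example (not from the ipsec thread): IKEv2 Notify/Delete walker plus the
# IKE SA disposition rule discussed above. Codes are IANA values (RFC 7296);
# messages below are constructed; the handling table encodes the quoted text
# and the thread's clarifications, marked as assumptions where noted.
import struct
from dataclasses import dataclass

# Exchange types (RFC 7296 section 3.1)
IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 35, 36, 37
# Payload types (RFC 7296 section 3.2); 0 means "no next payload"
PAYLOAD_NONE, PAYLOAD_NOTIFY, PAYLOAD_DELETE = 0, 41, 42
# Notify message types (RFC 7296 section 3.10.1)
UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, AUTHENTICATION_FAILED = 1, 7, 24
FATAL_NOTIFIES = {UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, AUTHENTICATION_FAILED}
PROTO_IKE = 1  # Protocol ID meaning "the IKE SA itself" in Delete payloads


@dataclass
class Notify:
    protocol_id: int
    spi: bytes
    msg_type: int
    data: bytes


@dataclass
class Delete:
    protocol_id: int
    spis: list


def parse_payloads(first_payload, body):
    """Walk the generic payload chain (next payload, flags, length) and return
    the Notify and Delete payloads found; other payload types are skipped."""
    found, ptype, off = [], first_payload, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length")
        content = body[off + 4:off + length]
        if ptype in (PAYLOAD_NOTIFY, PAYLOAD_DELETE):
            if len(content) < 4:
                raise ValueError("short notify/delete payload")
            proto, spi_size, third = struct.unpack_from("!BBH", content, 0)
            if ptype == PAYLOAD_NOTIFY:
                # third = Notify Message Type; then SPI, then notification data
                if len(content) < 4 + spi_size:
                    raise ValueError("short notify SPI")
                found.append(Notify(proto, content[4:4 + spi_size], third,
                                    content[4 + spi_size:]))
            else:
                # third = number of SPIs; a Delete of the IKE SA has SPI size 0, count 0
                if len(content) < 4 + spi_size * third:
                    raise ValueError("short delete SPI list")
                spis = [content[4 + i * spi_size:4 + (i + 1) * spi_size] for i in range(third)]
                found.append(Delete(proto, spis))
        ptype, off = next_type, off + length
    return found


def ike_sa_disposition(exchange, payloads):
    """Return 'delete', 'not_created', 'keep' or 'ambiguous' for the IKE SA."""
    if any(isinstance(p, Delete) and p.protocol_id == PROTO_IKE for p in payloads):
        return "delete"  # explicit Delete for the IKE SA: nothing to guess
    for p in payloads:
        if not isinstance(p, Notify) or p.msg_type not in FATAL_NOTIFIES:
            continue
        if exchange == IKE_AUTH:
            return "not_created"  # SA not yet established, so it is simply never created
        if exchange == INFORMATIONAL:
            if p.msg_type == UNSUPPORTED_CRITICAL_PAYLOAD:
                return "keep"  # thread: responder ignored the request; SA survives
            if p.msg_type == INVALID_SYNTAX:
                return "ambiguous"  # thread: only clear when paired with a Delete (above)
            return "delete"  # AUTHENTICATION_FAILED, as the quoted text reads (assumption)
        # CREATE_CHILD_SA: the error concerns the child SA only (the poster's expectation)
    return "keep"


def _payload(next_type, content):
    return struct.pack("!BBH", next_type, 0, 4 + len(content)) + content


def _notify(msg_type, data=b""):
    return struct.pack("!BBH", 0, 0, msg_type) + data  # no protocol ID, no SPI


_DELETE_IKE_SA = struct.pack("!BBH", PROTO_IKE, 0, 0)

# Constructed messages: name -> (exchange type, first payload type, payload chain)
SAMPLES = {
    "auth_failed_in_ike_auth": (IKE_AUTH, PAYLOAD_NOTIFY,
        _payload(PAYLOAD_NONE, _notify(AUTHENTICATION_FAILED))),
    "unsupported_critical_in_informational": (INFORMATIONAL, PAYLOAD_NOTIFY,
        _payload(PAYLOAD_NONE, _notify(UNSUPPORTED_CRITICAL_PAYLOAD, bytes([PAYLOAD_NOTIFY])))),
    "invalid_syntax_in_create_child_sa": (CREATE_CHILD_SA, PAYLOAD_NOTIFY,
        _payload(PAYLOAD_NONE, _notify(INVALID_SYNTAX))),
    "invalid_syntax_only_in_informational": (INFORMATIONAL, PAYLOAD_NOTIFY,
        _payload(PAYLOAD_NONE, _notify(INVALID_SYNTAX))),
    "invalid_syntax_with_delete_in_informational": (INFORMATIONAL, PAYLOAD_NOTIFY,
        _payload(PAYLOAD_DELETE, _notify(INVALID_SYNTAX)) + _payload(PAYLOAD_NONE, _DELETE_IKE_SA)),
}


def classify_samples():
    return {name: ike_sa_disposition(ex, parse_payloads(first, body))
            for name, (ex, first, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The last two samples are the poster's point in code: an INFORMATIONAL carrying only INVALID_SYNTAX comes back "ambiguous" and has to be escalated to a local policy decision, while the same notification paired with a Delete payload for the IKE SA (protocol ID 1, SPI size 0, zero SPIs) is unambiguously "delete".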