|Main Archive Page > Month Archives > ipsec archives|
You are sending an informational notification, so how could you say the SA does not exist and no delete should be sent?
If an authentication error is discovered when processing the IKE_AUTH response then responder thinks an IKE SA exists and the initiator intends to delete that SA. In this case it seems clean for the initiator to send an INFORMATIONAL exchange containing AUTHENTICATION_FAILED and treating the SA as being deleted. I do not see the harm in including a DELETE in this case and it seems to be a more appropriate action than sending the AUTHENTICATION_FAILED. I'm fine with not requiring the DELETE, but I don't think including the DELETE is bad and should be discouraged. I think it reinforces the initiator's intentions and is unambiguous.
Dave Wierbowski From: Yoav Nir <firstname.lastname@example.org> To: David Wierbowski/Endicott/IBM@IBMUS Cc: "email@example.com" <firstname.lastname@example.org>, Keith Welter/Raleigh/IBM@IBMUS Date: 09/04/2009 03:25 PM Subject: Re: [IPsec] Issue #26: Missing treatment of error cases Sent by: email@example.com
On Sep 4, 2009, at 5:53 PM, David Wierbowski wrote:
>Yes, I will soften the language a bit, but I won't mention a DELETE
payload. If some implementations do it.
>others may come to expect it. We don't want to encourage that by
suggesting that it's a good idea. Yoav, Why is it a a bad idea to include a DELETE payload in this case?
Because the IKE SA was not really created, so there is no IKE SA to delete.
It's a bad idea because it is superfluous, and we don't want to risk anyone
relying on this._______________________________________________
IPsec mailing list