ipsec September 2009 archive
ipsec: Re: [IPsec] Issue #26: Missing treatment of error cases

From: Tero Kivinen <kivinen_at_nospam>
Date: Tue Sep 08 2009 - 20:30:46 GMT
To: David Wierbowski <wierbows@us.ibm.com>


David Wierbowski writes:
> You are sending an informational notification, so how could you say the SA
> does not exist and no delete should be sent?

The IKE SA is NOT up and valid in the initiator. It is halfway up as the other end has not been authenticated, and that IKE SA cannot be used in general.

> If an authentication error is discovered when processing the IKE_AUTH
> response then responder thinks an IKE SA exists and the initiator intends
> to delete that SA. In this case it seems clean for the initiator to send
> an INFORMATIONAL exchange containing AUTHENTICATION_FAILED and treating the
> SA as being deleted. I do not see the harm in including a DELETE in this
> case and it seems to be a more appropriate action than sending the
> AUTHENTICATION_FAILED.
>
> I'm fine with not requiring the DELETE, but I don't think including the
> DELETE is bad and should be discouraged. I think it reinforces the
> initiator's intentions and is unambiguous.

If you use that kind of halfway up IKE SA for sending an INFORMATIONAL message to the other end (who thinks the IKE SA is up and valid), then I agree that sending both N(AUTHENTICATION_FAILED) and DELETE would be the correct way to do it. DELETE only would also be ok. Sending only N(AUTHENTICATION_FAILED) would be a bit ambiguous, and I would not recommend that, but as the initiator still does not have the IKE SA up but has only a halfway up SA, for the initiator it does not matter what the other end does for the INFORMATIONAL exchange anyways...

-- 
kivinen@iki.fi