Re: [IPsec] Issue #26: Missing treatment of error cases

From: Yoav Nir <ynir_at_nospam>
Date: Thu Sep 17 2009 - 21:48:08 GMT
To: Paul Hoffman <paul.hoffman@vpnc.org>

On Sep 17, 2009, at 7:03 PM, Paul Hoffman wrote:

> At 3:51 PM +0300 9/16/09, Tero Kivinen wrote:
>> For example the text could look something like this:
>> ----------------------------------------------------------------------
> Yoav, does Tero's proposed new text work for you?
> --Paul Hoffman, Director
> --VPN Consortium

It works for me. However, Keith Welter has a couple of issues with it:

The part about errors in IKE_AUTH exchanges (now 2.21.2) has several times the phrase "usually with no other payloads" or "and is usually the only payload in that response". To me this just means that we're not forbidding putting other payloads in the message, but we don't see why one would need it. Keith finds it unduly mysterious, and would like to mention the possibility of adding a DELETE payload when the error is sent in a separate INFORMATIONAL. I don't like the idea of having an optional payload with no added semantics, but I do think that any implementation should be able to handle this extra payload.

Also, the phrase "or the INFORMATIONAL exchange immediately following it" (same section) should be clarified to state that it's an INFORMATIONAL exchange initiated by the original initiator to send an error message about the IKE_AUTH exchange.

Other than that, yes, I think you can copy & paste it into the bis.
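As an added illustration of the tolerance Yoav argues for above (this is example code added here, not code from the thread or from any IKEv2 implementation), a Python handler that walks the decrypted payload chain of an IKE_AUTH response or of the follow-up INFORMATIONAL, picks out the error NOTIFY whether or not a DELETE payload accompanies it, and rejects only payloads it does not understand that carry the critical bit. Payload-type and notify numbers are those of the IKEv2 RFC; the sample chain is constructed and assumes the SK payload has already been decrypted.

```python
import struct

# IKEv2 payload types and one error notify type (RFC 4306 / RFC 5996 values).
PAYLOAD_NOTIFY = 41
PAYLOAD_DELETE = 42
NOTIFY_AUTHENTICATION_FAILED = 24  # error notifies are in the range 1..16383
PROTO_IKE = 1

def parse_payload_chain(first_type, data):
    """Walk the generic payload headers (Next Payload, C-bit, Length) of a
    decrypted message body.  Returns [(type, critical, body), ...] and
    raises ValueError on a truncated or inconsistent length field."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:  # Next Payload == 0 terminates the chain
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, bool(flags & 0x80), data[off + 4:off + length]))
        ptype, off = next_type, off + length
    return payloads

def handle_error_response(first_type, data):
    """Process an error response: the NOTIFY is what matters; a DELETE for
    the IKE SA (or any other non-critical payload) is tolerated rather than
    treated as a parse failure.  Returns (error_notify_type, ike_sa_deleted)."""
    error, delete_ike = None, False
    for ptype, critical, body in parse_payload_chain(first_type, data):
        if ptype == PAYLOAD_NOTIFY:
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            if ntype < 16384:           # error range, not a status notify
                error = ntype
        elif ptype == PAYLOAD_DELETE:
            proto, _spi_size, _nspi = struct.unpack("!BBH", body[:4])
            delete_ike = delete_ike or proto == PROTO_IKE
        elif critical:                  # unknown payload with the C-bit set
            raise ValueError("unsupported critical payload %d" % ptype)
        # other non-critical payloads are simply skipped
    return error, delete_ike

def build_payload(next_type, body, critical=False):
    """Constructed helper: generic payload header followed by the body."""
    return struct.pack("!BBH", next_type, 0x80 if critical else 0, 4 + len(body)) + body

# Constructed sample: INFORMATIONAL sent by the original initiator after a
# failed IKE_AUTH, carrying N(AUTHENTICATION_FAILED) followed by D(IKE SA).
NOTIFY_BODY = struct.pack("!BBH", 0, 0, NOTIFY_AUTHENTICATION_FAILED)  # no SPI
DELETE_BODY = struct.pack("!BBH", PROTO_IKE, 0, 0)  # IKE SA: SPI size 0, 0 SPIs
SAMPLE_FIRST = PAYLOAD_NOTIFY
SAMPLE_CHAIN = build_payload(PAYLOAD_DELETE, NOTIFY_BODY) + build_payload(0, DELETE_BODY)
```

The same handler accepts the "usual" form with the NOTIFY as the only payload, so the optional DELETE changes nothing about how the error is interpreted.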

