ipsec September 2009 archive

Re: [IPsec] Issue #26: Missing treatment of error cases

From: Paul Hoffman <paul.hoffman_at_nospam>
Date: Mon Sep 21 2009 - 14:19:04 GMT
To: Tero Kivinen <kivinen@iki.fi>

Thanks for the two editorial notes; fixed.

We want more input on the following:

At 3:28 PM +0300 9/21/09, Tero Kivinen wrote:
>> <t>NOTE FOR WG DISCUSSION: Having other payloads in the message is
>> allowed but there are none suggested. One WG member mentioned the
>> possibility of adding a DELETE payload when the error is sent in a
>> separate INFORMATIONAL exchange. Do we want to allow such additional
>> payloads that have operational semantics?</t>
>As I do not see any other reason to start a new informational exchange
>when processing the IKE_AUTH reply than fatal errors when creating it
>(i.e. AUTHENTICATION_FAILED) which already deletes the IKE SA, I do
>not see any benefit from adding a DELETE notification to the message. It
>would be saying the same thing twice: "There was a fatal error, delete
>the SA, and by the way delete the SA."

--Paul Hoffman, Director
--VPN Consortium
