Hi Matt. You can't initiate INFORMATIONAL exchanges before the IKE_AUTH exchange(s) concluded successfully.
Section 2.3 prohibits sending INVALID_MESSAGE_ID in responses, so you don't use that for the IKE_AUTH exchange. If the IKE_AUTH exchange contains invalid message IDs, these requests MUST be ignored. I don't think you ever begin to use the message window until after the IKE_AUTH exchange, and INVALID_MESSAGE_ID is not some kind of MALFORMED_PACKET. It's specifically to tell the other side about window problems.

Hope this helps

Yoav

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org]
> On Behalf Of Matthew Cini Sarreo
> Sent: Monday, April 20, 2009 10:10 AM
> To: ipsec@ietf.org
> Subject: [IPsec] IKEv2 INVALID_MESSAGE_ID
>
> If an implementation decides to send the INVALID_MESSAGE_ID
> notification, should it ONLY send this after an IKE_AUTH
> exchange has been completed? It seems to be so as section 2.3
> states that an INFORMATIONAL exchange is started, but it is
> not clear what should be done if a message of the two initial
> exchanges has an invalid message id (an implementation should
> always use 0 for IKE_SA_INIT and 1 for IKE_AUTH, but what if
> this does not happen?)

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
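The responder-side rule the thread settles on (Message ID 0 for IKE_SA_INIT and 1 for IKE_AUTH, silently ignore initial-exchange requests with any other ID, and only start applying the window and INVALID_MESSAGE_ID once IKE_AUTH has completed) can be written down as a small state machine. The following is an added illustration, not code from the thread or from any IKEv2 implementation; the class and enum names, the window-size value, and the treatment of an already-answered ID as a retransmission to be re-answered from a cached response are assumptions made for the example, and a single IKE_AUTH exchange is assumed (EAP can add further IKE_AUTH round trips).

```python
"""Illustrative IKEv2 responder Message ID checks (added example, not an implementation).

Models the behaviour discussed on the list:
  * IKE_SA_INIT request must carry Message ID 0, IKE_AUTH request Message ID 1.
  * Initial-exchange requests with any other ID are ignored; INVALID_MESSAGE_ID
    is never sent in a response and is not a MALFORMED_PACKET substitute.
  * The window is only applied after IKE_AUTH has completed; an out-of-window
    request then triggers a separate INFORMATIONAL request carrying
    INVALID_MESSAGE_ID.
"""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    SA_INIT = "awaiting IKE_SA_INIT"
    AUTH = "awaiting IKE_AUTH"
    ESTABLISHED = "IKE SA established"


class Action(Enum):
    PROCESS = "process request and send response"
    IGNORE = "drop silently (no notification)"
    RESEND_RESPONSE = "retransmitted request: resend cached response"  # assumption
    NOTIFY_INVALID_MESSAGE_ID = "send separate INFORMATIONAL request with INVALID_MESSAGE_ID"


@dataclass
class ResponderState:
    phase: Phase = Phase.SA_INIT
    next_expected: int = 0          # lowest request Message ID not yet answered
    window: int = 1                 # assumed window size advertised to the peer
    answered: set = field(default_factory=set)  # IDs answered but not yet below next_expected

    def on_request(self, exchange: str, msg_id: int) -> Action:
        if self.phase is Phase.SA_INIT:
            # Only IKE_SA_INIT with Message ID 0 is acceptable here.
            if exchange != "IKE_SA_INIT" or msg_id != 0:
                return Action.IGNORE
            self.phase, self.next_expected = Phase.AUTH, 1
            return Action.PROCESS

        if self.phase is Phase.AUTH:
            # Invalid IDs in IKE_AUTH are ignored; INVALID_MESSAGE_ID is not used yet.
            if exchange != "IKE_AUTH" or msg_id != 1:
                return Action.IGNORE
            self.phase, self.next_expected = Phase.ESTABLISHED, 2
            return Action.PROCESS

        # ESTABLISHED: the window applies from here on.
        if msg_id < self.next_expected or msg_id in self.answered:
            return Action.RESEND_RESPONSE
        if msg_id >= self.next_expected + self.window:
            # Reported via its own INFORMATIONAL exchange, never inside a response.
            return Action.NOTIFY_INVALID_MESSAGE_ID
        self.answered.add(msg_id)
        while self.next_expected in self.answered:
            self.answered.discard(self.next_expected)
            self.next_expected += 1
        return Action.PROCESS


def run_trace(requests):
    """Feed a list of (exchange, msg_id) pairs through a fresh responder."""
    state = ResponderState()
    return [state.on_request(ex, mid) for ex, mid in requests]


if __name__ == "__main__":
    # Constructed trace: a misnumbered IKE_SA_INIT, then a valid handshake,
    # a retransmit and an out-of-window INFORMATIONAL.
    trace = [("IKE_SA_INIT", 5), ("IKE_SA_INIT", 0), ("IKE_AUTH", 7),
             ("IKE_AUTH", 1), ("INFORMATIONAL", 2), ("INFORMATIONAL", 2),
             ("INFORMATIONAL", 9), ("INFORMATIONAL", 3)]
    for (ex, mid), act in zip(trace, run_trace(trace)):
        print(f"{ex:14} id={mid}: {act.value}")
```

The point the model makes explicit is that the two code paths for a bad Message ID are different: during the initial exchanges the only correct reaction is to drop the request, and the notification path (a new INFORMATIONAL request, never a response) only exists once the SA is up.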