Hi Matt,

There is a possibility of just the IKEv2 SA getting established during IKE_AUTH and the IPsec SA getting established via CREATE_CHILD_SA.
The question is what behavior does the RFC mandate? What do you think?

Thanks for your reply.

Regards,
Raj

On Wed, Apr 22, 2009 at 11:40 AM, Matthew Cini Sarreo <mci...@gmail.com> wrote:

> In IKE_AUTH TSi and TSr are mandatory, so it is not possible to omit them
> from an authentication exchange message, as there would be no way for the SA
> to know what traffic should be forwarded through the SA.
>
> It seems that the correct error message would be INVALID_SYNTAX. This would
> require the message ID and the checksum to be valid. Note that this has to (may
> only) be sent in an encrypted response.
>
> Please correct me if I am wrong.
>
> Regards,
> Matt
>
>> 2009/4/22 raj singh <rsjen...@gmail.com>
>>
>>> Hi Group,
>>>
>>> What is the expected behavior if as a responder we do not receive TSi and
>>> TSr in IKE_AUTH exchange?
>>> Shall we go ahead and establish IKEv2 SA? If yes, shall we send out TSi
>>> and TSr?
>>> Or should we reject the packet?
>>> If we reject the packet during packet validation with doing ID and AUTH
>>> payload processing, what ERROR should be sent?
>>>
>>> Thanks,
>>> Raj
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
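The responder-side check discussed in this thread, as an added example that is not code from any poster or from an IKEv2 implementation: it walks the generic payload headers of a decrypted IKE_AUTH request and reports whether TSi and TSr are present. Mapping a missing payload to INVALID_SYNTAX follows the suggestion quoted above, and the `require_ts` switch (a hypothetical parameter) models the alternative raised in the reply; neither is a ruling on what the RFC mandates.

```python
import struct

# IKEv2 payload type numbers and Notify error type (IANA IKEv2 registries)
SA, IDI, AUTH, TSI, TSR = 33, 35, 39, 44, 45
INVALID_SYNTAX = 7

class MalformedChain(ValueError):
    pass

def payload_types(first_type, data):
    """Walk the payload chain (padding already stripped); return its types."""
    types, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise MalformedChain("truncated payload header")
        # Generic header: next payload, critical/reserved, length incl. header
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise MalformedChain("bad payload length")
        types.append(ptype)
        ptype, off = next_type, off + length
    if off != len(data):
        raise MalformedChain("trailing bytes after last payload")
    return types

def check_ike_auth_request(first_type, data, require_ts=True):
    """Return (ok, notify_type, missing). require_ts is a hypothetical policy
    switch: True rejects a request lacking TSi/TSr, False accepts it."""
    try:
        seen = set(payload_types(first_type, data))
    except MalformedChain:
        return (False, INVALID_SYNTAX, [])
    required = [TSI, TSR] if require_ts else []
    missing = [t for t in required if t not in seen]
    return (not missing, INVALID_SYNTAX if missing else None, missing)

def build(chain):
    """Constructed sample input: encode [(type, body), ...] as a chain."""
    out = b""
    for i, (_, body) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return chain[0][0], out

# Constructed requests with dummy bodies: one complete, one without TSi/TSr
FULL = build([(IDI, b"\x00" * 8), (AUTH, b"\x00" * 8), (SA, b"\x00" * 4),
              (TSI, b"\x00" * 4), (TSR, b"\x00" * 4)])
NO_TS = build([(IDI, b"\x00" * 8), (AUTH, b"\x00" * 8)])
```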