Hello Raj,

According to Appendix C, for IKE_AUTH:

   error in Child SA  <--  IDr, [CERT+],
   creation                AUTH,
                           N(error),
                           [V+]

So sending an authenticated and encrypted INVALID_SYNTAX notification over the IKE_SA that has just been authenticated seems to be correct.

Regards,
Matt

>
> 2009/4/22 raj singh <rsjen...@gmail.com>
>
>> Hi Matt,
>>
>> There is possibility of just IKEv2 SA gets established during IKE_AUTH and
>> IPsec SA getting established via CREATE_CHILD_SA.
>> The question is what behavior RFC mandate ? What you think ?
>>
>> Thanks for your reply.
>>
>> Regards,
>> Raj
>>
>>
>> On Wed, Apr 22, 2009 at 11:40 AM, Matthew Cini Sarreo
>> <mci...@gmail.com> wrote:
>>
>>> In IKE_AUTH TSi and TSr are mandatory, so it is not possible to omit them
>>> from an authentication exchange message, as there would be no way for the SA
>>> to know what traffic should be forwarded through the SA.
>>>
>>> It seems that the correct error message would be INVALID_SYNTAX. This
>>> would require the message ID and the checksum to be valid. Note that this
>>> has (may only) be sent in an encrypted response.
>>>
>>> Please correct me if I am wrong.
>>>
>>> Regards,
>>> Matt
>>>
>>>
>>>> 2009/4/22 raj singh <rsjen...@gmail.com>
>>>>
>>>>> Hi Group,
>>>>>
>>>>> What is the expected behavior if as a responder we do not receive TSi
>>>>> and TSr in IKE_AUTH exchange ?
>>>>> Shall we go ahead and establish IKEv2 SA ? If yes, shall we send out
>>>>> TSi and TSr ?
>>>>> Or we should reject the packet ?
>>>>> If we reject the packet during packet validation with doing ID and AUTH
>>>>> payload processing, what ERROR should be send ?
>>>>>
>>>>> Thanks,
>>>>> Raj
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> IPsec mailing list
>>>>> IPsec@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/ipsec
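An added example, not part of the thread or of any implementation mentioned in it: a Python sketch of the responder-side check discussed above, following the reading given in the thread that an IKE_AUTH request without TSi and TSr is answered with INVALID_SYNTAX in the encrypted response. The payload type numbers and the notify value are the IANA-registered IKEv2 values; the function names and the sample payload bodies are constructed for illustration.

```python
import struct

# IANA-registered IKEv2 numbers.
TSI, TSR = 44, 45            # Traffic Selector payloads
INVALID_SYNTAX = 7           # Notify message type
NO_NEXT_PAYLOAD = 0


def walk_payloads(first_type, data):
    """Return the payload types in a decrypted payload chain.

    Each generic payload header is: next payload (1 byte),
    critical/reserved (1 byte), length (2 bytes, big-endian, header included).
    """
    types, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        types.append(ptype)
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return types


def check_ike_auth_request(first_type, data):
    """Hypothetical responder check: notify type to send, or None if acceptable."""
    try:
        seen = set(walk_payloads(first_type, data))
    except ValueError:
        return INVALID_SYNTAX
    if not {TSI, TSR} <= seen:
        # Per the thread: reported inside the encrypted IKE_AUTH response.
        return INVALID_SYNTAX
    return None


def build_chain(payloads):
    """Constructed test input: encode [(type, body), ...] as a payload chain."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return out
```

The check runs on the payloads recovered from the Encrypted payload, so it applies only after the integrity checksum has verified and decryption has succeeded.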