Hi Tero,

It makes sense. The same point I want to make: if we as the responder are not going to process the packet, there is NO need to add IDr and AUTH with INVALID_SYNTAX during IKE_AUTH.
Regards,
Raj

On Wed, Apr 22, 2009 at 4:43 PM, Tero Kivinen <kivi...@iki.fi> wrote:
> Matthew Cini Sarreo writes:
> > You still need the IDr and AUTH payloads in the reply. This is needed as
> > INVALID_SYNTAX is authenticated and encrypted.
>
> INVALID_SYNTAX is a fatal error meaning that the other end didn't follow the
> protocol specification, and the IKE SA is going to be removed anyways,
> and there is not really any point in putting an AUTH payload there (it can be
> there, but there is no need).
>
> If the other end is not following the protocol specification (i.e. is
> non-compliant), there is not really any point in trying to be nice. This
> is something that cannot be seen by normal customers ever; it should
> only be seen by the implementors when they are testing against broken
> implementations.
>
> So better just send the error message back in whatever way is easiest for your
> implementation (i.e. if it is easy to include AUTH etc. in the error
> message, then do so; if not, then leave them out).
> --
> kivi...@iki.fi
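As an added illustration (not code from this thread or from any IKEv2 implementation), the Python below builds the responder's IKE_AUTH error reply in both shapes Tero describes: one carrying only a Notify(INVALID_SYNTAX) payload, and one that also carries IDr and AUTH. It then parses the message back so the payload chain can be checked. Payload type numbers, the notify code, the exchange type and the header layout are the RFC 7296 values; the FQDN identity, the zero-filled AUTH data, the SPIs, and the omission of the Encrypted (SK) payload wrapping that a real IKE_AUTH reply would carry are assumptions of this example.

```python
import struct

# IKEv2 values from RFC 7296 (IKE header, payload types, notify types)
IKE_AUTH = 35                 # exchange type
PAYLOAD_NONE = 0
PAYLOAD_IDR = 36
PAYLOAD_AUTH = 39
PAYLOAD_NOTIFY = 41
NOTIFY_INVALID_SYNTAX = 7
FLAG_RESPONSE = 0x20          # R bit in the IKE header flags
IKE_VERSION = 0x20            # major version 2, minor 0
IKE_HEADER_LEN = 28

# Assumed sample values for the example (not from the thread)
ID_FQDN = 2                   # ID type: fully qualified domain name
AUTH_PSK_MIC = 2              # Auth method: shared key message integrity code


def generic_header(next_payload, body):
    """Generic payload header: next payload, critical/reserved, length incl. header."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def notify_body(notify_type, protocol_id=0, spi=b"", data=b""):
    """Notify payload body; IKE SA notifications use protocol 0 and no SPI."""
    return struct.pack("!BBH", protocol_id, len(spi), notify_type) + spi + data


def id_body(id_type, id_data):
    """Identification payload body: type, 3 reserved bytes, identity data."""
    return struct.pack("!B3x", id_type) + id_data


def auth_body(auth_method, auth_data):
    """Authentication payload body: method, 3 reserved bytes, auth data."""
    return struct.pack("!B3x", auth_method) + auth_data


def chain(payloads):
    """Link a list of (type, body) pairs via the next-payload fields.
    Returns (type of first payload, encoded bytes)."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        out += generic_header(nxt, body)
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    return first, out


def ike_header(spi_i, spi_r, first_payload, exchange, flags, msg_id, length):
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, first_payload,
                       IKE_VERSION, exchange, flags, msg_id, length)


def build_ike_auth_error(spi_i, spi_r, msg_id, include_idr_auth):
    """Responder's IKE_AUTH reply rejecting the request with INVALID_SYNTAX.
    With include_idr_auth=True the reply also carries IDr and AUTH (the
    'nice' variant); with False it is just the notification."""
    payloads = []
    if include_idr_auth:
        payloads.append((PAYLOAD_IDR, id_body(ID_FQDN, b"gw.example.net")))
        # Placeholder AUTH data: a real responder computes this over its own message
        payloads.append((PAYLOAD_AUTH, auth_body(AUTH_PSK_MIC, b"\x00" * 32)))
    payloads.append((PAYLOAD_NOTIFY, notify_body(NOTIFY_INVALID_SYNTAX)))
    first, body = chain(payloads)
    return ike_header(spi_i, spi_r, first, IKE_AUTH, FLAG_RESPONSE, msg_id,
                      IKE_HEADER_LEN + len(body)) + body


def parse(msg):
    """Walk the payload chain. Returns (exchange type, flags, [(payload type,
    notify type or None), ...]). Raises ValueError on inconsistent lengths,
    which is exactly the kind of defect that would earn an INVALID_SYNTAX."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    _, _, nxt, _, exch, flags, _, length = struct.unpack("!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length does not match message length")
    off, found = IKE_HEADER_LEN, []
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt2, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if nxt == PAYLOAD_NOTIFY:
            if len(body) < 4:
                raise ValueError("truncated notify payload")
            _, _, ntype = struct.unpack("!BBH", body[:4])
            found.append((PAYLOAD_NOTIFY, ntype))
        else:
            found.append((nxt, None))
        off, nxt = off + plen, nxt2
    return exch, flags, found
```

Running `parse(build_ike_auth_error(b"\x01" * 8, b"\x02" * 8, 1, False))` yields a chain containing only the notification, while the `True` variant yields IDr, AUTH and then the notification; both parse as an IKE_AUTH response, which is the point of the discussion: the notification is what carries the decision, and the extra payloads are optional when the SA is being discarded anyway.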
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec