Yaron Sheffer wrote:

> Hi Pasi,
>
> Tero's mail gives a clearer explanation of the situation than your
> proposed text. Gluing the two together, how about replacing your
> last paragraph with:
>
> If the failure is related to creating the IKE SA (for example,
> AUTHENTICATION_FAILED), the IKE_SA is not created. Note that
> although the IKE_AUTH messages are encrypted and integrity
> protected, if the peer receiving this notification has not
> authenticated the other end yet (or if the peer fails to
> authenticate the other end for some reason), the information needs
> to be treated with caution. More precisely, (assuming that the MAC
> verifies correctly) the sender of the error indication is known to
> be the responder of the IKE_SA_INIT exchange, but the sender's
> identity cannot be assured.

Looks good to me!

Best regards,
Pasi

> > -----Original Message-----
> > From: pasi.ero...@nokia.com
> > Sent: Monday, May 04, 2009 15:09
> > To: kivi...@iki.fi; ipsec@ietf.org
> > Subject: Re: [IPsec] Issue #9: Notification when creation of CHILD_SA
> > fails
> >
> > Tero,
> >
> > What do you think of the proposed text here?
> >
> > http://www.ietf.org/mail-archive/web/ipsec/current/msg04096.html
> >
> > Best regards,
> > Pasi