Michael Richardson wrote:
> Yoav Nir wrote:
> > Hi Raj
> >
> > Matt is correct. There is no way in IKEv2 to do a phase1-only
> > exchange, and then wait for traffic to establish the child SAs.
> >
> > While we do establish an IKE SA if the piggy-backed child SA failed
> > for whatever reason (bad selectors, no proposal chosen), we don't
> > allow for an IKE_AUTH exchange that is missing the child payloads.
> >
> > An IKE_AUTH request without the TSi and TSr payloads is considered
> > malformed, and so MUST NOT be processed. Instead, you should reply
> > with INVALID_SYNTAX
>
> That really seems like a bug in the spec to me.
> I know that in my code I don't get upset about such a
> situation, as I have unit test cases that were written when I
> didn't have child SA code at all. I wonder how many
> implementations really would get upset?

Mine wouldn't. But the spec is adamant.
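
The two behaviours discussed in this thread, as an added example that is not part of any message above and not code from either implementation. It assumes the input is the already decrypted payload chain of an IKE_AUTH request; the function names and the `strict` flag are hypothetical, and the payload type numbers and the INVALID_SYNTAX code are those of the IKEv2 specification.

```python
import struct

# IKEv2 payload type numbers and the INVALID_SYNTAX Notify error code.
SA, IDI, AUTH, TSI, TSR = 33, 35, 39, 44, 45
INVALID_SYNTAX = 7

def walk_payloads(first_type, data):
    """Yield (payload_type, body) for a decrypted IKEv2 payload chain."""
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        # Generic header: next payload, critical bit + reserved, length.
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")

def check_ike_auth_request(first_type, data, strict=True):
    """Return None to accept, or the Notify error code to send back.

    strict=True  : the reading quoted above (no TSi/TSr -> INVALID_SYNTAX).
    strict=False : the lenient behaviour described in the replies
                   (authenticate the IKE SA, create no child SA).
    """
    try:
        seen = {ptype for ptype, _ in walk_payloads(first_type, data)}
    except ValueError:
        # Assumption of this example: unparseable chains are also rejected.
        return INVALID_SYNTAX
    if strict and not {TSI, TSR} <= seen:
        return INVALID_SYNTAX
    return None

def build_chain(types):
    """Constructed sample input: payloads with 4-byte dummy bodies."""
    out = b""
    for i, _ in enumerate(types):
        nxt = types[i + 1] if i + 1 < len(types) else 0
        out += struct.pack("!BBH", nxt, 0, 8) + b"\x00" * 4
    return types[0], out

FULL = build_chain([IDI, AUTH, SA, TSI, TSR])   # normal IKE_AUTH request
CHILDLESS = build_chain([IDI, AUTH])            # no child SA payloads
```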