Hi Yoav,

If the check for mandatory payloads per exchange type is a MUST, and if it fails we MUST return INVALID_SYNTAX, why are we not saying it explicitly in the draft? Putting it clearly in the draft makes more sense and avoids a lot of confusion.
Thanks,
Raj

On Wed, May 6, 2009 at 7:24 PM, Yoav Nir <y...@checkpoint.com> wrote:
> Hi Michael
>
> > Let me suggest a situation where perhaps I would like to
> > bring up an IKE_SA and not a CHILD_SA: it might be for just
> > sending initial contact, and perhaps even a DELETE.
> >
> > I sometimes move quickly from being "outside" my IPsec
> > gateway/firewall (such as being on wireless), to being wired
> > behind the gateway, where I do not need IPsec. The DPD
> > doesn't kick off fast enough, and my traffic goes to where I
> > am no longer. It would be nice to bring up the IKE_SA (or...
> > haha, resume it), just so that I can send a delete and/or
> > initial_contact.
>
> A far more common situation is when I'm "outside", not moving anywhere, and
> I want to connect. I haven't even opened my mail client yet, or launched
> the browser (because those things hate it when the VPN client changes routing
> to addresses they are trying to reach).
>
> The reason I want to connect before everything else is that connecting
> involves some effort (typing the PKCS#12 password, entering a username and
> password, copying the OTP from the cellphone to the computer...). I want to
> get this over with, but there's still no packet to derive selectors from.
>
> With IKEv1 we had the separate Main Mode and then Quick Mode. Now we can't
> do Main Mode without attempting Quick Mode.
>
> > Seems like to do this, one needs to include a
> > known-to-be-unacceptable CHILD_SA proposal.
>
> Actually it doesn't have to be acceptable, as the IKE_AUTH will succeed
> even if the piggy-backed CHILD_SA fails.
>
> Now I would never suggest that anyone use a traffic selector type from the
> private range (241-255) which is almost guaranteed to fail...
>
> Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
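The two responder behaviours the thread contrasts, as an added example that is not part of the thread or of any IKEv2 implementation: a missing mandatory payload is a syntax failure of the whole exchange (INVALID_SYNTAX), whereas an unacceptable traffic selector in the piggy-backed CHILD_SA only fails the child while the IKE SA comes up. The mandatory-payload table is an assumption drawn from the base IKEv2 specification and simplified (the EAP case, where AUTH is absent from the first IKE_AUTH request, is ignored).

```python
# Added example, not code from the thread. The mandatory-payload table is an
# assumed, simplified reading of the base IKEv2 spec (EAP case ignored).

PRIVATE_TS_TYPES = range(241, 256)  # traffic-selector types in the private range

# Minimum payloads a responder expects in each request (assumption).
MANDATORY = {
    "IKE_SA_INIT": {"SA", "KE", "Ni"},
    "IKE_AUTH": {"IDi", "AUTH", "SA", "TSi", "TSr"},
    "CREATE_CHILD_SA": {"SA", "Ni", "TSi", "TSr"},
    "INFORMATIONAL": set(),
}


def check_mandatory(exchange, payloads):
    """Return None if every mandatory payload is present, else 'INVALID_SYNTAX'.

    A missing mandatory payload makes the message malformed, so the whole
    exchange is rejected, not just the piggy-backed CHILD_SA.
    """
    if exchange not in MANDATORY:
        return "INVALID_SYNTAX"
    missing = MANDATORY[exchange] - set(payloads)
    return "INVALID_SYNTAX" if missing else None


def process_ike_auth(payloads, ts_types):
    """Model the IKE_AUTH outcome as (ike_sa_up, child_sa_up, notify).

    payloads: payload type names present in the request (constructed input)
    ts_types: traffic-selector type numbers carried in TSi/TSr
    """
    err = check_mandatory("IKE_AUTH", payloads)
    if err:
        # Syntax failure: nothing is established.
        return (False, False, err)
    # Well-formed request: the IKE SA is established. An unacceptable
    # traffic selector only fails the piggy-backed CHILD_SA, which is
    # reported with TS_UNACCEPTABLE while the IKE SA stays up.
    if any(t in PRIVATE_TS_TYPES for t in ts_types):
        return (True, False, "TS_UNACCEPTABLE")
    return (True, True, None)


if __name__ == "__main__":
    full = ["IDi", "AUTH", "SA", "TSi", "TSr"]
    print(process_ike_auth(full, [7, 8]))        # (True, True, None)
    print(process_ike_auth(full, [7, 241]))      # (True, False, 'TS_UNACCEPTABLE')
    print(process_ike_auth(full[:4], [7]))       # (False, False, 'INVALID_SYNTAX')
```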