Hi Team,

One more question. Should the INVALID_SYNTAX notify in response to a missing payload in IKE_AUTH be sent encrypted using DH keys, or unencrypted?
Thanks,
raj

On Fri, May 15, 2009 at 10:12 AM, raj singh <rsjen...@gmail.com> wrote:
> Hi Yoav,
>
> If the check for mandatory payloads per exchange type is a MUST, and if it fails we
> MUST return INVALID_SYNTAX, why are we not saying it explicitly in the draft?
> Putting it clearly in the draft makes more sense and avoids many
> confusions.
>
> Thanks,
> Raj
>
> On Wed, May 6, 2009 at 7:24 PM, Yoav Nir <y...@checkpoint.com> wrote:
>
>> Hi Michael
>>
>> > Let me suggest a situation where perhaps I would like to
>> > bring up an IKE_SA and not a CHILD_SA: it might be for just
>> > sending initial contact, and perhaps even a DELETE.
>> >
>> > I sometimes move quickly from being "outside" my IPsec
>> > gateway/firewall (such as being on wireless), to being wired
>> > behind the gateway, where I do not need IPsec. The DPD
>> > doesn't kick off fast enough, and my traffic goes to where I
>> > am no longer. It would be nice to bring up the IKE_SA (or...
>> > haha, resume it), just so that I can send a delete and/or
>> > initial_contact.
>>
>> A far more common situation is when I'm "outside", not moving anywhere,
>> and I want to connect. I haven't even opened my mail client yet, or
>> launched the browser (because those things hate it when the VPN client
>> changes routing to addresses they are trying to reach).
>>
>> The reason I want to connect before everything else is that connecting
>> involves some effort (typing the PKCS#12 password, entering a username and
>> password, copying the OTP from the cellphone to the computer...). I want to
>> get this over with, but there's still no packet to derive selectors from.
>>
>> With IKEv1 we had the separate Main Mode and then Quick Mode. Now we can't
>> do Main Mode without attempting Quick Mode.
>>
>> > Seems like to do this, one needs to include a
>> > known-to-be-unacceptable CHILD_SA proposal.
>>
>> Actually it doesn't have to be acceptable, as the IKE_AUTH will succeed
>> even if the piggy-backed CHILD_SA fails.
>>
>> Now I would never suggest that anyone use a traffic selector type from
>> the private range (241-255), which is almost guaranteed to fail...
>>
>> Yoav
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
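The two outcomes the thread contrasts, a missing mandatory IKE_AUTH payload (INVALID_SYNTAX, no IKE SA) versus an unacceptable piggy-backed CHILD_SA such as a private-range traffic selector type (TS_UNACCEPTABLE, IKE SA still established), as an added example that is not from the thread, from the ikev2bis draft, or from any IKE implementation. The byte layouts follow the IKEv2 generic payload header and Traffic Selector payload (RFC 4306 sections 3.2 and 3.13); the mandatory-payload set for a non-EAP initial IKE_AUTH request (IDi, AUTH, SA, TSi, TSr) is an assumption taken from the exchange outline in RFC 4306 section 1.2, and the function names, the opaque SA body, and the sample messages are all constructed here. The input is the decrypted contents of the SK payload; the code does not touch the encryption question Raj raises.

```python
"""Walk a decrypted IKEv2 IKE_AUTH payload chain and pick the response.

Added example, not from the thread, any draft or any implementation.
Assumptions: mandatory set for a non-EAP IKE_AUTH request is
{IDi, AUTH, SA, TSi, TSr}; SA payload bodies are opaque filler here.
"""
import struct

# IKEv2 payload type numbers (RFC 4306 section 3.2)
SA, IDI, AUTH, TSI, TSR, NO_NEXT = 33, 35, 39, 44, 45, 0
# Notify message types (RFC 4306 section 3.10.1)
INVALID_SYNTAX, TS_UNACCEPTABLE = 7, 38
# Traffic selector types (RFC 4306 section 3.13.1); 241-255 are private use
TS_IPV4_ADDR_RANGE = 7
PRIVATE_TS_TYPES = range(241, 256)

# Assumption: payloads that must appear in a non-EAP IKE_AUTH request
MANDATORY_IKE_AUTH_REQ = {IDI, AUTH, SA, TSI, TSR}


def payload(next_type, body):
    """Generic payload header: Next Payload, C/reserved byte, total length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def ts_payload(ts_type, proto=0):
    """Traffic Selector payload with one selector laid out like an IPv4
    address range (selector length 16).  Only the TS Type byte varies, so
    the same bytes can carry a private-use type (241-255)."""
    sel = struct.pack("!BBHHH", ts_type, proto, 16, 0, 65535)
    sel += bytes([10, 0, 0, 0]) + bytes([10, 255, 255, 255])
    return struct.pack("!B3x", 1) + sel  # Number of TSs = 1, 3 reserved bytes


def walk(first_type, data):
    """Yield (payload_type, body) along the Next Payload chain.
    Raises ValueError when a length does not fit the buffer."""
    ptype, off = first_type, 0
    while ptype != NO_NEXT:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4 : off + length]
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")


def ts_types(body):
    """TS Type of every selector in a Traffic Selector payload body."""
    count, off, types = body[0], 4, []
    for _ in range(count):
        t, _proto, length = struct.unpack_from("!BBH", body, off)
        types.append(t)
        off += length
    return types


def classify_ike_auth(first_type, data):
    """Return (ike_sa_established, notify_type) for decrypted IKE_AUTH contents.

    malformed chain or missing mandatory payload -> (False, INVALID_SYNTAX)
    private-use TS type in TSi/TSr           -> (True, TS_UNACCEPTABLE):
        the IKE SA is still set up, only the piggy-backed CHILD_SA fails
    otherwise                                -> (True, None)
    """
    try:
        payloads = list(walk(first_type, data))
    except ValueError:
        return False, INVALID_SYNTAX
    present = {t for t, _ in payloads}
    if not MANDATORY_IKE_AUTH_REQ <= present:
        return False, INVALID_SYNTAX
    for t, body in payloads:
        if t in (TSI, TSR) and any(x in PRIVATE_TS_TYPES for x in ts_types(body)):
            return True, TS_UNACCEPTABLE
    return True, None


def build_ike_auth(ts_type, include_auth=True):
    """Constructed IKE_AUTH request contents: IDi, [AUTH,] SA, TSi, TSr.
    Returns (first_payload_type, chained bytes), as found inside SK."""
    chain = [(IDI, b"\x01\x00\x00\x00" + b"alice")]         # ID_IPV4_ADDR-shaped filler
    if include_auth:
        chain.append((AUTH, b"\x02\x00\x00\x00" + b"\x00" * 16))  # dummy auth data
    chain.append((SA, b"\x00" * 8))                          # opaque SA body (not parsed)
    chain.append((TSI, ts_payload(ts_type)))
    chain.append((TSR, ts_payload(ts_type)))
    data = b""
    for i, (ptype, body) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else NO_NEXT
        data += payload(nxt, body)
    return chain[0][0], data


if __name__ == "__main__":
    print("normal        ", classify_ike_auth(*build_ike_auth(TS_IPV4_ADDR_RANGE)))
    print("private TS 241", classify_ike_auth(*build_ike_auth(241)))
    print("no AUTH       ", classify_ike_auth(*build_ike_auth(TS_IPV4_ADDR_RANGE, False)))
```

The chain walker rejects any payload length that runs past the buffer before the mandatory-payload set is examined, so a truncated message is classified as INVALID_SYNTAX rather than as a missing CHILD_SA; the TS check only runs once the message is structurally sound and complete.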