Paul Hoffman writes:
> Section 1.4.1 says:
>
>    Normally, the reply in the INFORMATIONAL exchange will contain
>    delete payloads for the paired SAs going in the other direction.
>    There is one exception. If by chance both ends of a set of SAs
>    independently decide to close them, each may send a delete payload
>    and the two requests may cross in the network.
>
> But, Section 4 (conformance requirements), says:
>
>    Every implementation MUST be capable of responding to an
>    INFORMATIONAL exchange, but a minimal implementation MAY respond to
>    any INFORMATIONAL message with an empty INFORMATIONAL reply.
Support for deleting Child SAs is not required from minimal implementations. If you have an implementation which only supports exactly one Child SA, there is no point in deleting Child SAs separately, as there can be only one, and as it does not support CREATE_CHILD_SA exchanges, there is no way of creating a new one. The conformance requirement will say that a minimal implementation needs to send a reply back to the INFORMATIONAL exchange, but it can be empty, and that will leave the Child SA in a half-closed state (which is allowed). Later, when the SA has been staying there for longer, the other end will most likely notice the situation and clear it by restarting the IKE SAs (as explained in 1.4.1).

> What should we do? Changing the conformance requirement is pretty
> serious, but not telling the other side that you understand the
> Delete is also serious.

So I do not think we need to do anything, as a minimal implementation is not required to understand delete notifications.

--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
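As an added illustration (not code from this thread or from any IKE implementation), the following Python model plays through the three INFORMATIONAL delete cases discussed above: a full responder answering with a Delete for the paired SA, a minimal responder answering with an empty reply and leaving the pair half-closed, and two Delete requests that cross in the network. The `Peer` class, its methods and the SPI values are constructed for the example.

```python
# Added example: a toy model of IKEv2 Child SA deletion over INFORMATIONAL
# exchanges (RFC 7296 sec 1.4.1 and sec 4). Peer, its methods and the SPI
# values are constructed for illustration; this is not an IKE implementation.
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    minimal: bool  # minimal implementation: may answer INFORMATIONAL with an empty reply
    # Child SA pairs keyed by our inbound SPI; the value is the paired outbound SPI
    # (None once only the outbound half has been closed, i.e. the pair is half-closed).
    pairs: dict = field(default_factory=dict)

    def initiate_delete(self, inbound_spi):
        """Send INFORMATIONAL(Delete[inbound_spi]); the sender closes both halves."""
        del self.pairs[inbound_spi]
        return [inbound_spi]  # a Delete payload lists SPIs as seen on the sender's inbound side

    def respond_delete(self, spis):
        """Handle a received Delete payload; return the SPIs to put in our reply."""
        reply = []
        for spi in spis:  # from our point of view each listed SPI is an outbound SA
            match = [i for i, o in self.pairs.items() if o == spi]
            if not match:
                continue  # already closed locally: the two Deletes crossed, no Delete in reply
            inbound = match[0]
            if self.minimal:
                self.pairs[inbound] = None  # close outbound only, leaving the pair half-closed
            else:
                del self.pairs[inbound]     # close both halves ...
                reply.append(inbound)       # ... and delete the paired SA in the other direction
        return reply

    def half_closed(self):
        return {i for i, o in self.pairs.items() if o is None}


def run(a_minimal, b_minimal, crossing):
    """One Child SA pair: A's inbound SPI 0x1111 is B's outbound SPI, and vice versa."""
    a = Peer("A", a_minimal, {0x1111: 0x2222})
    b = Peer("B", b_minimal, {0x2222: 0x1111})
    req_from_a = a.initiate_delete(0x1111)
    req_from_b = b.initiate_delete(0x2222) if crossing else None  # both decide independently
    reply_from_b = b.respond_delete(req_from_a)
    reply_from_a = a.respond_delete(req_from_b) if crossing else None
    return {"reply_from_a": reply_from_a, "reply_from_b": reply_from_b,
            "half_closed_a": a.half_closed(), "half_closed_b": b.half_closed()}
```

`run(False, False, False)` has B reply with `Delete[0x2222]`, `run(False, True, False)` has the minimal B reply empty and keep 0x2222 half-closed, and `run(False, False, True)` has both sides reply empty with nothing left half-closed.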