IKEv2bis doesn't say what actually happens when you get an INITIAL_CONTACT 
notification. Specifically, it doesn't say what to do when you have to throw 
away SAs. I propose to add the following to section 2.4:

If an initiator receives an INITIAL_CONTACT notification in
response to its IKE_AUTH request, it MUST internally delete any IKE
SAs and associated Child SAs for that responder without sending any
notifications to the responder. If a responder receives an
INITIAL_CONTACT notification in an IKE_AUTH request, it MUST
internally delete any IKE SAs and associated Child SAs for that
initiator without sending any notifications to the initiator.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
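As an added illustration of the proposed text (this is not part of the post and not code from any IKEv2 implementation), the following Python simulation models two peers as in-memory SA tables plus an outbox that records every message they emit. Names such as IkeNode, handle_initial_contact and the peer identities "alice", "bob", "carol" and "dave" are constructed for the example. It assumes that the IKE SA carrying the IKE_AUTH exchange already exists on both sides (created by IKE_SA_INIT), that peers are matched by authenticated identity rather than address, and that INITIAL_CONTACT is only acted on inside IKE_AUTH, which is the only case the proposed text covers. It shows three things a practitioner would want to check: only the other IKE SAs (and their Child SAs) for the same peer identity are dropped, the IKE SA being negotiated and SAs with unrelated peers survive, and no DELETE or other notification is sent as a result.

```python
"""Simulation of the proposed INITIAL_CONTACT handling (constructed example,
not code from the post or from any IKEv2 implementation)."""
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: int                   # stand-in for the SPI pair that names the IKE SA
    peer_id: str               # authenticated identity of the peer, not its IP address
    child_spis: set = field(default_factory=set)


class IkeNode:
    def __init__(self, name):
        self.name = name
        self.ike_sas = {}      # spi -> IkeSa
        self.outbox = []       # every message this node sends, kept for inspection

    def add_ike_sa(self, spi, peer_id, child_spis=()):
        self.ike_sas[spi] = IkeSa(spi, peer_id, set(child_spis))

    def handle_initial_contact(self, current_spi):
        """Apply the proposed text: drop every *other* IKE SA (with its Child SAs)
        for the peer identity bound to current_spi, and send no notification."""
        peer = self.ike_sas[current_spi].peer_id
        stale = [spi for spi, sa in self.ike_sas.items()
                 if sa.peer_id == peer and spi != current_spi]
        dropped_children = set()
        for spi in stale:
            dropped_children |= self.ike_sas.pop(spi).child_spis
        # Deliberately no INFORMATIONAL/DELETE to the peer: the deletion is internal.
        return stale, dropped_children


def ike_auth_exchange(initiator, responder, spi, init_id, resp_id, child_spi,
                      init_sends_ic=True, resp_sends_ic=True):
    """One IKE_AUTH request/response on an IKE SA that IKE_SA_INIT already set up
    (assumption). Returns (initiator_deleted, responder_deleted)."""
    initiator.add_ike_sa(spi, resp_id)
    responder.add_ike_sa(spi, init_id)

    request = {"exchange": "IKE_AUTH", "spi": spi, "from": init_id,
               "notify": ["INITIAL_CONTACT"] if init_sends_ic else []}
    initiator.outbox.append(request)
    # Responder side: the initiator's identity is authenticated by this request,
    # so INITIAL_CONTACT refers to init_id and clears that identity's stale SAs.
    resp_deleted = ([], set())
    if "INITIAL_CONTACT" in request["notify"]:
        resp_deleted = responder.handle_initial_contact(spi)
    responder.ike_sas[spi].child_spis.add(child_spi)   # Child SA from this IKE_AUTH

    response = {"exchange": "IKE_AUTH", "spi": spi, "from": resp_id,
                "notify": ["INITIAL_CONTACT"] if resp_sends_ic else []}
    responder.outbox.append(response)
    # Initiator side: INITIAL_CONTACT in the response clears stale SAs for resp_id.
    init_deleted = ([], set())
    if "INITIAL_CONTACT" in response["notify"]:
        init_deleted = initiator.handle_initial_contact(spi)
    initiator.ike_sas[spi].child_spis.add(child_spi)
    return init_deleted, resp_deleted


def demo():
    alice, bob = IkeNode("alice"), IkeNode("bob")
    # Stale state left over from before a crash or reboot (constructed):
    alice.add_ike_sa(0x1, "bob", child_spis={0x10})          # must be dropped
    alice.add_ike_sa(0x2, "carol", child_spis={0x20})        # unrelated peer, must stay
    bob.add_ike_sa(0x1, "alice", child_spis={0x10})          # must be dropped
    bob.add_ike_sa(0x3, "alice", child_spis={0x30, 0x31})    # must be dropped
    bob.add_ike_sa(0x4, "dave", child_spis={0x40})           # unrelated peer, must stay
    init_del, resp_del = ike_auth_exchange(alice, bob, spi=0x5, init_id="alice",
                                           resp_id="bob", child_spi=0x50)
    return alice, bob, init_del, resp_del


if __name__ == "__main__":
    a, b, i, r = demo()
    print("alice dropped", i, "/ bob dropped", r)
    print("alice SAs", sorted(a.ike_sas), "/ bob SAs", sorted(b.ike_sas))
    print("messages on the wire:", len(a.outbox) + len(b.outbox))
```

The outbox is the point of the simulation: after the exchange it holds exactly the IKE_AUTH request and response, so any implementation that emits a DELETE for the stale SAs would show up as an extra message there.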