Hi Paul,

You are adding two MUSTs, which we SHOULD NOT do unless we have very good reasons, such as interop problems, security issues, or major functionality problems (like memory leaks). I'm not sure any of these apply, so I suggest that you change the wording to be non-normative.

Thanks,
    Yaron

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Paul Hoffman
Sent: Monday, December 28, 2009 5:06
To: IPsecme WG
Subject: [IPsec] Clarifying what happens with INITIAL_CONTACT

IKEv2bis doesn't say what actually happens when you get an INITIAL_CONTACT notification. In specific, it doesn't say what to do when you have to throw away SAs. I propose to add the following to section 2.4:

   If an initiator receives an INITIAL_CONTACT notification in response to its IKE_AUTH request, it MUST internally delete any IKE SAs and associated Child SAs for that responder without sending any notifications to the responder. If a responder receives an INITIAL_CONTACT notification in an IKE_AUTH request, it MUST internally delete any IKE SAs and associated Child SAs for that initiator without sending any notifications to the initiator.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
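The SA cleanup that Paul's proposed text describes, modelled as an added example (not text from the thread, the IKEv2bis draft, or any IKE implementation): an SA database keyed by the authenticated peer identity, where ordinary teardown emits a Delete notification but INITIAL_CONTACT teardown silently purges every other IKE SA (and its Child SAs) for that peer. The class and function names, the SPI labels and the peer identities are hypothetical, constructed for the demo.

```python
"""Model of INITIAL_CONTACT handling (added example, hypothetical data model)."""
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: str                  # constructed label standing in for the IKE SPI pair
    peer_id: str              # identity the peer authenticated with in IKE_AUTH
    child_sas: list = field(default_factory=list)   # Child SAs owned by this IKE SA


class SaDatabase:
    def __init__(self):
        self.ike_sas = {}        # spi -> IkeSa
        self.sent_notifies = []  # Delete notifications actually put on the wire

    def add(self, sa):
        self.ike_sas[sa.spi] = sa

    def delete_with_notify(self, spi):
        """Normal teardown: remove the IKE SA and tell the peer about it."""
        sa = self.ike_sas.pop(spi)
        self.sent_notifies.append(("DELETE", spi, tuple(sa.child_sas)))
        return sa

    def handle_initial_contact(self, peer_id, current_spi):
        """The peer signalled INITIAL_CONTACT on the authenticated SA `current_spi`.

        Every other IKE SA with that peer, and the Child SAs it owns, is dropped
        internally. No Delete notification is sent: the peer has already lost its
        state, so nothing on the other side could act on one. The purged SPIs are
        returned so the caller can log the cleanup.
        """
        stale = [spi for spi, sa in self.ike_sas.items()
                 if sa.peer_id == peer_id and spi != current_spi]
        for spi in stale:
            del self.ike_sas[spi]
        return stale


def demo():
    """Constructed scenario: two stale SAs with one peer, one SA with another."""
    db = SaDatabase()
    db.add(IkeSa("ike-old-1", "vpn.example", ["child-a", "child-b"]))
    db.add(IkeSa("ike-old-2", "vpn.example", ["child-c"]))
    db.add(IkeSa("ike-other", "branch.example", ["child-x"]))   # unrelated peer, kept
    db.add(IkeSa("ike-new", "vpn.example", ["child-new"]))      # SA carrying INITIAL_CONTACT
    purged = db.handle_initial_contact("vpn.example", "ike-new")
    return purged, sorted(db.ike_sas), db.sent_notifies
```

Running `demo()` leaves only the new SA and the unrelated peer's SA in the database, with the notification log still empty; compare with `delete_with_notify`, which is the only path that ever writes to it.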