pasi.ero...@nokia.com writes:
> - Section 1.5: I noticed the 1st paragraph nowadays (well, since -00
> of the WG draft) allows sending INVALID_IKE_SPI notification inside an
> existing IKE_SA. This contradicts a MUST NOT in RFC 4306, and I'm not
> sure if it really brings any benefits?
There is no way to send INVALID_IKE_SPI inside an IKE SA, as section 3.10 says that the IKE SPI is never sent inside the notification payload ("For a notification concerning the IKE SA, the SPI Size MUST be zero and the field must be empty.") and the IKE SPI is taken from the packet. Sending INVALID_IKE_SPI inside an IKE SA would mean that the IKE SA you are sending the packet inside is invalid...

Section 2.21.4 is very clear that INVALID_IKE_SPI MUST NOT be cryptographically protected, i.e. it is sent outside the IKE SA.

I think the 1st paragraph is quite wrong and the

    If the receiving node has an active IKE SA to the IP address from
    whence the packet came, it MAY send a notification of the wayward
    packet over that IKE SA in an INFORMATIONAL exchange.

part should be removed.
--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
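The two rules the reply leans on (the SPI Size of a Notify payload concerning the IKE SA MUST be zero, and INVALID_IKE_SPI MUST NOT be cryptographically protected) translate directly into receive-side checks. The following is an added example, not code from the thread or from any IKEv2 implementation: a minimal encoder/decoder for the Notify payload laid out in RFC 4306 section 3.10, plus a receiver check that drops an INVALID_IKE_SPI that either arrives inside a protected exchange or carries an SPI in the payload. The function names, the `protected` flag and the sample payloads are assumptions constructed for the example; the Notify Message Type value 4 for INVALID_IKE_SPI is the one registered in RFC 4306.

```python
"""
Minimal IKEv2 Notify payload encode/decode with the receive-side checks
discussed in the thread. Field layout per RFC 4306 section 3.10:

  Next Payload (1) | Critical/Reserved (1) | Payload Length (2)
  Protocol ID (1)  | SPI Size (1)          | Notify Message Type (2)
  SPI (SPI Size octets) | Notification Data (variable)

Function names, the `protected` flag and the sample payloads are
constructed for this example; they are not from any real implementation.
"""
import struct

INVALID_IKE_SPI = 4                      # Notify Message Type, RFC 4306 3.10.1
NOTIFY_HEADER = struct.Struct("!BBHBBH")  # 8 octets: generic header + proto/spi size/type


class NotifyError(ValueError):
    """Raised when a Notify payload is malformed or violates the spec."""


def encode_notify(msg_type, protocol_id=0, spi=b"", data=b"", next_payload=0):
    """Build one Notify payload, generic payload header included."""
    length = NOTIFY_HEADER.size + len(spi) + len(data)
    header = NOTIFY_HEADER.pack(next_payload, 0, length, protocol_id, len(spi), msg_type)
    return header + spi + data


def decode_notify(buf):
    """Parse a Notify payload, bounds-checking Payload Length and SPI Size."""
    if len(buf) < NOTIFY_HEADER.size:
        raise NotifyError("truncated Notify header")
    next_payload, _crit, length, proto, spi_size, msg_type = NOTIFY_HEADER.unpack_from(buf)
    if length < NOTIFY_HEADER.size + spi_size or length > len(buf):
        raise NotifyError("Payload Length inconsistent with SPI Size / buffer")
    body = buf[NOTIFY_HEADER.size:length]
    return {
        "next_payload": next_payload,
        "protocol_id": proto,
        "msg_type": msg_type,
        "spi": body[:spi_size],
        "data": body[spi_size:],
    }


def check_received_notify(buf, protected):
    """
    Receiver-side validation. `protected` is True when the message carrying
    this payload arrived inside an IKE SA (integrity-protected/encrypted),
    False when it arrived bare. Returns the decoded payload or raises.
    """
    notify = decode_notify(buf)
    if notify["msg_type"] == INVALID_IKE_SPI:
        # Section 2.21.4: INVALID_IKE_SPI MUST NOT be cryptographically
        # protected. One arriving inside an IKE SA is a protocol violation;
        # the safe response is to drop it rather than act on it.
        if protected:
            raise NotifyError("INVALID_IKE_SPI received inside an IKE SA")
        # Section 3.10: for a notification concerning the IKE SA the SPI Size
        # MUST be zero; the IKE SPI is taken from the IKE header, never the payload.
        if notify["spi"]:
            raise NotifyError("INVALID_IKE_SPI must not carry an SPI in the payload")
    return notify


def accepts(buf, protected):
    """Boolean wrapper around check_received_notify for callers and tests."""
    try:
        check_received_notify(buf, protected)
        return True
    except NotifyError:
        return False


if __name__ == "__main__":
    # Constructed sample: a bare INVALID_IKE_SPI, as sent outside any IKE SA.
    bare = encode_notify(INVALID_IKE_SPI)
    print("unprotected INVALID_IKE_SPI accepted:", accepts(bare, protected=False))
    print("same payload inside an IKE SA accepted:", accepts(bare, protected=True))
```

Note that the check keys off the `protected` flag supplied by the caller, which in a real stack would come from whether the payload was unpacked from an Encrypted payload; the Notify payload itself carries nothing that says whether it was protected, which is exactly why the rule has to be enforced at the receiver.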