Tero, I agree with your analysis (I hadn't noticed that this doesn't even work).
Best regards,
Pasi

> -----Original Message-----
> From: ext Tero Kivinen [mailto:kivi...@iki.fi]
> Sent: 19 January, 2010 11:25
> To: Eronen Pasi (Nokia-NRC/Helsinki)
> Cc: ipsec@ietf.org
> Subject: INVALID_IKE_SPI inside IKE SA (was: [IPsec] IKEv2bis, comments about sections 1-2)
>
> pasi.ero...@nokia.com writes:
> > - Section 1.5: I noticed the 1st paragraph nowadays (well, since -00
> > of the WG draft) allows sending INVALID_IKE_SPI notification inside an
> > existing IKE_SA. This contradicts a MUST NOT in RFC 4306, and I'm not
> > sure if it really brings any benefits?
>
> There is no way to send INVALID_IKE_SPI inside IKE SA, as the section
> 3.10 says that the IKE SPI is never sent inside the notification
> payload (For a notification concerning the IKE SA, the SPI Size MUST
> be zero and the field must be empty.) and the IKE SPI is taken from
> the packet. Sending INVALID_IKE_SPI inside IKE SA would mean that the
> IKE SA you are sending the packet inside is invalid...
>
> The section 2.21.4 is very clear that INVALID_IKE_SPI MUST NOT be
> cryptographically protected, i.e. it is sent outside the IKE SA.
>
> I think the 1st paragraph is quite wrong and the
>
>     If the receiving node has an active IKE SA to the IP address from
>     whence the packet came, it MAY send a notification of the wayward
>     packet over that IKE SA in an INFORMATIONAL exchange.
>
> part should be removed.
> --
> kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
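As an added illustration of the two rules Tero cites (this is example code written for this page, not code from the thread or from any IKEv2 implementation): a minimal IKEv2 message parser, a builder for the unprotected INVALID_IKE_SPI response of section 2.21 that copies the IKE SPIs and Message ID from the wayward request, and a receiver-side check that the Notify payload's SPI Size is zero (section 3.10) and that the message carries no Encrypted payload (section 2.21.4), with the reported IKE SPIs read from the packet header. Payload-type and notify-type numbers are the RFC 4306 registry values; field layouts follow sections 3.1 and 3.10.

```python
import struct

NOTIFY, ENCRYPTED = 41, 46   # IKEv2 payload types "N" and "SK" (RFC 4306 section 3.2)
INVALID_IKE_SPI = 4          # Notify Message Type (RFC 4306 section 3.10.1)
IKEV2_VERSION, RESPONSE_FLAG = 0x20, 0x20   # MjVer 2 / MnVer 0; R bit of the Flags field

def parse_ike_message(pkt: bytes) -> dict:
    """Split an IKEv2 message (RFC 4306 section 3.1) into header fields and a (type, body) chain."""
    spi_i, spi_r, nxt, _ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("IKE header Length does not match the packet")
    payloads, off = [], 28
    while nxt != 0:                      # walk the Next Payload chain of generic payload headers
        nxt_next, _pflags, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append((nxt, pkt[off + 4:off + plen]))
        nxt, off = nxt_next, off + plen
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "flags": flags,
            "msg_id": msg_id, "payloads": payloads}

def build_invalid_ike_spi_response(request: bytes) -> bytes:
    """Section 2.21: answer a request for an unknown IKE SA with an unprotected response that
    copies the IKE SPIs and Message ID; the Notify itself has SPI Size 0 (section 3.10)."""
    req = parse_ike_message(request)
    # Notify payload: Next Payload 0, flags 0, Length 8, Protocol ID 0 (no existing SA), SPI Size 0
    notify = struct.pack("!BBHBBH", 0, 0, 8, 0, 0, INVALID_IKE_SPI)
    hdr = struct.pack("!8s8sBBBBII", req["spi_i"], req["spi_r"], NOTIFY, IKEV2_VERSION,
                      req["exchange"], RESPONSE_FLAG, req["msg_id"], 28 + len(notify))
    return hdr + notify

def check_invalid_ike_spi(pkt: bytes) -> dict:
    """Receiver-side check of the rules quoted in the thread. The SPIs being reported are
    read from the packet header, never from the Notify payload."""
    msg, problems, found = parse_ike_message(pkt), [], False
    for ptype, body in msg["payloads"]:
        if ptype == ENCRYPTED:           # anything inside SK is protected by an existing IKE SA
            problems.append("2.21.4: INVALID_IKE_SPI MUST NOT be cryptographically protected")
        elif ptype == NOTIFY:
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            if ntype == INVALID_IKE_SPI:
                found = True
                if spi_size != 0:
                    problems.append("3.10: SPI Size MUST be zero for a notification about the IKE SA")
    return {"found": found, "reported_spis": (msg["spi_i"], msg["spi_r"]), "problems": problems}
```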