At 11:24 AM +0200 1/19/10, Tero Kivinen wrote:
>pasi.ero...@nokia.com writes:
>> - Section 1.5: I noticed the 1st paragraph nowadays (well, since -00
>> of the WG draft) allows sending INVALID_IKE_SPI notification inside an
>> existing IKE_SA. This contradicts a MUST NOT in RFC 4306, and I'm not
>> sure if it really brings any benefits?
>
>There is no way to send INVALID_IKE_SPI inside IKE SA, as the section
>3.10 says that the IKE SPI is never sent inside the notification
>payload (For a notification concerning the IKE SA, the SPI Size MUST
>be zero and the field must be empty.) and the IKE SPI is taken from
>the packet. Sending INVALID_IKE_SPI inside IKE SA would mean that the
>IKE SA you are sending the packet inside is invalid...
>
>The section 2.21.4 is very clear that INVALID_IKE_SPI MUST NOT be
>cryptographically protected, i.e. it is sent outside the IKE SA.
>
>I think the 1st paragraph is quite wrong and the
>
>    If the receiving node has an active IKE SA to the IP address from
>    whence the packet came, it MAY send a notification of the wayward
>    packet over that IKE SA in an INFORMATIONAL exchange.
>
>part should be removed.
Done.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
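The two rules Tero cites (SPI Size MUST be zero for a notification about the IKE SA, RFC 4306 section 3.10; INVALID_IKE_SPI MUST NOT be cryptographically protected, section 2.21.4) are shown below as receiver-side checks. This is an added example, not code from the thread or from any IKEv2 implementation; the payload layout follows RFC 4306 section 3.10, the sample payloads are constructed here, and the `protected` flag is an assumed input telling the checker whether the Notify arrived inside an Encrypted payload.

```python
import struct
from dataclasses import dataclass
from typing import Optional

INVALID_IKE_SPI = 4  # Notify Message Type value, RFC 4306 section 3.10.1


@dataclass
class Notify:
    protocol_id: int
    spi_size: int
    msg_type: int
    spi: bytes
    data: bytes


def build_notify(msg_type: int, spi: bytes = b"", data: bytes = b"") -> bytes:
    """Constructed sample only: generic payload header (4 octets) + Notify body."""
    length = 8 + len(spi) + len(data)
    proto = 1 if spi else 0  # Protocol ID MUST be sent as zero when the SPI field is empty
    return struct.pack("!BBHBBH", 0, 0, length, proto, len(spi), msg_type) + spi + data


def parse_notify(payload: bytes) -> Notify:
    """Parse one Notify payload, validating lengths before trusting SPI Size."""
    if len(payload) < 8:
        raise ValueError("truncated Notify payload")
    _next, _flags, length, proto, spi_size, msg_type = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload) or length < 8 + spi_size:
        raise ValueError("Payload Length inconsistent with SPI Size")
    return Notify(proto, spi_size, msg_type, payload[8:8 + spi_size], payload[8 + spi_size:])


def check_invalid_ike_spi(n: Notify, protected: bool) -> Optional[str]:
    """Return None if acceptable, else the reason a receiver should ignore the notification.

    `protected` (assumed input) is True when the Notify came inside an Encrypted payload,
    i.e. over an existing IKE SA.
    """
    if n.msg_type != INVALID_IKE_SPI:
        return None
    if protected:
        return "INVALID_IKE_SPI MUST NOT be cryptographically protected (RFC 4306, 2.21.4)"
    if n.spi_size != 0:
        return "notification about the IKE SA: SPI Size MUST be zero (RFC 4306, 3.10)"
    return None  # unprotected, no SPI in the payload: the IKE SPI comes from the IKE header


if __name__ == "__main__":
    ok = parse_notify(build_notify(INVALID_IKE_SPI))
    print(check_invalid_ike_spi(ok, protected=False))   # None
    print(check_invalid_ike_spi(ok, protected=True))    # rejected: sent inside an IKE SA
    bad = parse_notify(build_notify(INVALID_IKE_SPI, spi=bytes(8)))
    print(check_invalid_ike_spi(bad, protected=False))  # rejected: SPI Size is 8, not 0
```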