Issue #161 should have referred to 2.21.2, not to 2.21. But reading the text 
again, I am happy with the way it's worded in -07.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of Yoav Nir
> Sent: Monday, February 08, 2010 8:00
> To: IPsecme WG
> Subject: [IPsec] More Issues for IKEv2bis
> 
> 
> Issue #161 - Contradiction re: authentication failure
> =====================================================
> 2.21: the first paragraph says that if an auth failure occurs at the
> responder, AUTHENTICATION_FAILED is included in the protected response
> (to IKE_AUTH), while the last paragraph says it's a separate
> Informational exchange.
> 
> I think this has already been fixed, no?  Here's the text:
> 2.21.  Error Handling
> 
> 
>    There are many kinds of errors that can occur during IKE processing.
>    The general rule is that if a request is received that is badly
>    formatted, or unacceptable for reasons of policy (such as no matching
>    cryptographic algorithms), the response contains a Notify payload
>    indicating the error.  The decision whether or not to send such a
>    response depends whether or not there is an authenticated IKE SA.
> 
>    If there is an error parsing or processing a response packet, the
>    general rule is to not send back any error message because responses
>    should not generate new requests (and a new request would be the only
>    way to send back an error message).  Such errors in parsing or
>    processing response packets should still cause the recipient to clean
>    up the IKE state (for example, by sending a DELETE for a bad SA).
> 
>    Only authentication failures (AUTHENTICATION_FAILED) and malformed
>    messages (INVALID_SYNTAX) lead to a deletion of the IKE SA without
>    requiring an explicit INFORMATIONAL exchange carrying a DELETE
>    payload.  Other error conditions MAY require such an exchange if
>    policy dictates that this is needed.
> 
> 
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
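The three rules quoted from section 2.21 above (Notify in the response to a bad request, no error message for a bad response, and implicit IKE SA teardown for AUTHENTICATION_FAILED and INVALID_SYNTAX) compose into a small decision procedure. The following is an added illustration written for this thread, not code from the IKEv2bis draft or from any IKE implementation; the `IkeSa` class, the `reply_to_unauthenticated` and `policy_requires_delete` knobs, and the action labels returned by `handle()` are assumptions made for the example, while the message and notify names are the draft's own.

```python
"""Model of the IKEv2 error-handling rules in section 2.21 (added example).

Not code from the IKEv2bis draft or any IKE stack. Notify names are the
draft's; the classes, policy knobs and action labels are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Kind(Enum):
    REQUEST = auto()
    RESPONSE = auto()


class Error(Enum):
    NONE = auto()
    INVALID_SYNTAX = auto()          # malformed message
    AUTHENTICATION_FAILED = auto()   # peer failed to authenticate (IKE_AUTH)
    NO_PROPOSAL_CHOSEN = auto()      # policy error: no matching algorithms


# The two errors that delete the IKE SA without an INFORMATIONAL/DELETE.
FATAL = (Error.AUTHENTICATION_FAILED, Error.INVALID_SYNTAX)


@dataclass
class IkeSa:
    authenticated: bool = False
    # Assumption: whether to answer errors before the SA is authenticated is
    # left to local policy, modelled here as a flag.
    reply_to_unauthenticated: bool = True
    # Assumption: "other error conditions MAY require such an exchange if
    # policy dictates" is modelled as a second flag.
    policy_requires_delete: bool = False
    deleted: bool = False
    outbound: list = field(default_factory=list)  # messages this peer sends


def handle(sa: IkeSa, kind: Kind, error: Error) -> list:
    """Apply the section 2.21 rules to one received message.

    Returns the list of actions taken; outbound messages are also queued
    on sa.outbound so a caller can inspect what would go on the wire.
    """
    actions = []
    if error is Error.NONE:
        return actions

    if kind is Kind.REQUEST:
        # A bad request is answered with a Notify naming the error, unless
        # the SA is unauthenticated and local policy prefers silence.
        if sa.authenticated or sa.reply_to_unauthenticated:
            reply = ("NOTIFY", error.name)
            sa.outbound.append(reply)
            actions.append(reply)
        else:
            actions.append("drop-silently")
    else:
        # Responses never trigger an error message back (that would be a
        # new request); the recipient only cleans up its own state.
        actions.append("cleanup-state")

    if error in FATAL:
        # Implicit teardown: no separate INFORMATIONAL exchange with DELETE.
        sa.deleted = True
        actions.append("delete-ike-sa")
    elif sa.policy_requires_delete:
        # Other errors may warrant an explicit INFORMATIONAL/DELETE request.
        msg = ("INFORMATIONAL", "DELETE")
        sa.outbound.append(msg)
        actions.append(msg)
        sa.deleted = True
    return actions


def demo() -> dict:
    """Run the scenarios from the thread and return what each one produced."""
    # Issue #161 case: responder fails to authenticate the IKE_AUTH request.
    auth_fail = IkeSa()
    auth_fail_actions = handle(auth_fail, Kind.REQUEST, Error.AUTHENTICATION_FAILED)
    # Malformed response: clean up, delete SA, but send nothing.
    bad_resp = IkeSa(authenticated=True)
    bad_resp_actions = handle(bad_resp, Kind.RESPONSE, Error.INVALID_SYNTAX)
    return {
        "auth_fail": (auth_fail_actions, auth_fail.outbound, auth_fail.deleted),
        "bad_response": (bad_resp_actions, bad_resp.outbound, bad_resp.deleted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the distinction Issue #161 was about: the AUTHENTICATION_FAILED Notify travels in the IKE_AUTH response itself and the IKE SA is gone afterwards with no INFORMATIONAL/DELETE queued, whereas a malformed response produces no outbound message at all, only local cleanup.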