Hi Tero,

> [talking as individual and one of RFC7296 authors, not as WG chair].
> 
> Toerless Eckert writes:
> > On Wed, Jun 17, 2020 at 08:55:12PM -0400, Paul Wouters wrote:
> > > The RFC states:
> > >
> > >    The USE_TRANSPORT_MODE notification MAY be included in a request
> > >    message that also includes an SA payload requesting a Child SA.  It
> > >    requests that the Child SA use transport mode rather than tunnel mode
> > >    for the SA created.  If the request is accepted, the response MUST
> > >    also include a notification of type USE_TRANSPORT_MODE.  If the
> > >    responder declines the request, the Child SA will be established in
> > >    tunnel mode.
> 
> At this point the responder already created an Child SA in tunnel
> mode, and when the initiator receives that message from the responder
> it will also create the Child SA in tunnel mode. Responder might
> already be sending traffic at this point.

The initiator is not obliged to actually create the Child SA if it violates
its policy (i.e. to actually load it into kernel). It's true that it should
immediately send a Delete Payload in this case as if the SA has been created
and then deleted, but it doesn't mean that it should actually create the
Child SA to send the Delete payload.

Regards,
Valery.
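
The initiator behaviour Valery describes, as an added toy model that is not code from the thread or from any IKE implementation: the initiator asks for transport mode, the responder declines by omitting the notify (and has already installed a tunnel-mode SA on its side), and an initiator whose policy requires transport mode installs nothing but still sends a Delete carrying its inbound SPI so the responder tears its half down. The payload structures, the `require`/`prefer`/`forbid` policy strings and the peer helpers are simplified assumptions; only the notify type number comes from the RFC 7296 registry.

```python
"""Toy model of the IKEv2 USE_TRANSPORT_MODE negotiation described in RFC 7296.

Added illustration for this thread, not code from any IKE implementation.
Payload structures, the policy model and the helper names are simplified
assumptions; only the notify type number is taken from the RFC registry.
"""
from dataclasses import dataclass, field

USE_TRANSPORT_MODE = 16391  # IKEv2 notify message type (RFC 7296, section 3.10.1)


@dataclass
class ChildSARequest:
    spi_i: int      # initiator's inbound SPI for the new Child SA
    notifies: set   # notify types carried in the request


@dataclass
class ChildSAResponse:
    spi_r: int      # responder's inbound SPI
    notifies: set   # notify types echoed in the response


@dataclass
class Peer:
    name: str
    policy: str  # "require", "prefer" or "forbid" transport mode (assumed policy model)
    # peer SPI -> mode of the SA actually loaded into the (simulated) kernel
    installed: dict = field(default_factory=dict)
    deletes_sent: list = field(default_factory=list)

    def build_request(self, spi_i):
        """Initiator: ask for transport mode only when policy wants it."""
        notifies = {USE_TRANSPORT_MODE} if self.policy in ("require", "prefer") else set()
        return ChildSARequest(spi_i, notifies)

    def handle_request(self, req, spi_r):
        """Responder: accept transport mode only if local policy allows it."""
        accept = USE_TRANSPORT_MODE in req.notifies and self.policy != "forbid"
        mode = "transport" if accept else "tunnel"
        # The responder has created the Child SA by the time it replies and may
        # already be sending traffic on it (the point raised earlier in the thread).
        self.installed[req.spi_i] = mode
        return ChildSAResponse(spi_r, {USE_TRANSPORT_MODE} if accept else set())

    def handle_response(self, req, resp):
        """Initiator: a response without the notify means the responder declined
        and established the SA in tunnel mode."""
        mode = "transport" if USE_TRANSPORT_MODE in resp.notifies else "tunnel"
        if mode == "tunnel" and self.policy == "require":
            # Policy violation: never load the SA into the kernel, but behave on
            # the wire as if it had been created and then deleted by sending a
            # Delete payload that carries our inbound SPI (RFC 7296, section 1.4.1).
            self.deletes_sent.append(req.spi_i)
            return None
        self.installed[resp.spi_r] = mode
        return mode

    def handle_delete(self, spi):
        """Remove the outbound SA identified by the peer's inbound SPI."""
        return self.installed.pop(spi, None)


def negotiate(initiator, responder, spi_i=0x1111, spi_r=0x2222):
    """Run one CREATE_CHILD_SA round trip and, if the initiator rejects the
    result, the follow-up INFORMATIONAL exchange carrying the Delete."""
    req = initiator.build_request(spi_i)
    resp = responder.handle_request(req, spi_r)
    mode = initiator.handle_response(req, resp)
    if mode is None:
        # The responder tears down the half it had already installed.
        responder.handle_delete(spi_i)
    return mode


if __name__ == "__main__":
    init, resp = Peer("initiator", "require"), Peer("responder", "forbid")
    print("mode:", negotiate(init, resp))
    print("initiator SAs:", init.installed, "deletes sent:", [hex(s) for s in init.deletes_sent])
    print("responder SAs:", resp.installed)
```

With a `require` initiator against a `forbid` responder the initiator ends with no installed SA and one Delete sent for its own inbound SPI, and the responder's tunnel-mode SA is gone after the Delete; with a `prefer` initiator the same response simply yields a tunnel-mode SA on both sides.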


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec