> > > Also note that as described in the RFC 4555 section 3.5 the mobike
> > > requires retransmit of all outstanding IKE exchanges after the address
> > > update, and we should most likely make a note of that here too.
> > >
> > > I.e. note that RFC4555 has the following sentence:
> > > ----------------------------------------------------------------------
> > >    o  If there are outstanding IKEv2 requests (requests for which the
> > >       initiator has not yet received a reply), continues retransmitting
> > >       them using the addresses in the IKE_SA (the new addresses).
> > > ----------------------------------------------------------------------
> > >
> > > This should be done even when moving from TCP to TCP.
> >
> > I think this is also already covered by 7.2, second clause
> > (I slightly changed the text to make it more generic):
> >
> >    o  If a new TCP connection for the IKE SA is established while the
> >       exchange Initiator is waiting for a response, the Initiator MUST
> >       retransmit its request over this connection and continue to wait
> >       for a response.
>
> I think that partially covers it (of course there might be multiple
> requests, not just one, as the window size might be larger than one).

That's true, but I believe the current text covers it. Note that this text is for the exchange initiator, so if multiple exchanges are initiated for an SA, then this requirement applies to each of them and each outstanding request will be retransmitted.

> I was just thinking repeating it here as this situation is much more
> common with mobike, than just normal case.

Actually, I'm not sure. TCP connections can be torn down (e.g. as a result of an attack) and reestablished quite frequently, and each time it happens this requirement must be followed.

> Also you might need to
> retransmit the old requests over the new connection before you have
> space in the window to actually send address update for mobike.

OK.

> So having few words here for mobike case would be useful too.
> Especially pointing out that this is not specific to the TCP
> encapsulation, this is generic thing that is done when using mobike
> regardless whether you use TCP or not..

Probably we can just reference RFC 4555. How about adding the following paragraph (I also quoted here a part of a previous paragraph, since I noticed that RFC 4555 in fact doesn't contain normative language on these actions and thus we cannot use the word "requires"; a more neutral tone is needed):

[...]
   Section 3.5 of [RFC4555] states that a new INFORMATIONAL exchange
   with the UPDATE_SA_ADDRESSES notify is initiated in case the address
   (or transport) is changed while waiting for a response.  Section 3.5
   of [RFC4555] also states that once an IKE SA is switched to a new IP
   address, all outstanding requests in this SA are immediately
   retransmitted using this address.  See also Section 7.2.

Is it OK?

Regards,
Valery.

> --
> kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
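The following is an added toy model of the initiator-side behaviour the thread is discussing; it is constructed for illustration and is not code from the draft, from RFC 4555, or from any IKE implementation. It tracks an exchange initiator's send window, retransmits every outstanding request when a new TCP connection replaces the old one (the Section 7.2 clause), and on a MOBIKE address change retransmits outstanding requests over the new addresses before the UPDATE_SA_ADDRESSES INFORMATIONAL can get window space (the RFC 4555 Section 3.5 point Tero raised). The class and function names (`Transport`, `Initiator`, `scenario`) and the addresses are hypothetical.

```python
"""Toy model of an IKEv2 exchange initiator's retransmission behaviour.

Constructed example, not code from the draft or any IKE implementation.
It models two rules from the thread:
  * draft Section 7.2: a new TCP connection while waiting for responses
    -> retransmit every outstanding request over the new connection;
  * RFC 4555 Section 3.5: after the IKE SA moves to new addresses,
    outstanding requests are retransmitted using the new addresses and an
    INFORMATIONAL with UPDATE_SA_ADDRESSES is initiated, which may have to
    wait for room in the window.
All names and addresses below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    msg_id: int
    exchange: str          # e.g. "CREATE_CHILD_SA", "INFORMATIONAL"
    notifies: tuple = ()   # notify payload names carried, if any


@dataclass
class Transport:
    """One TCP connection (local/remote address pair) used for the IKE SA."""
    local: str
    remote: str
    sent: list = field(default_factory=list)   # log of (msg_id, exchange)


class Initiator:
    def __init__(self, window_size, transport):
        self.window_size = window_size
        self.transport = transport
        self.next_id = 0
        self.outstanding = {}   # msg_id -> Request: sent, no reply yet
        self.pending = []       # queued until the window has room

    def send(self, exchange, notifies=()):
        req = Request(self.next_id, exchange, tuple(notifies))
        self.next_id += 1
        self.pending.append(req)
        self._drain()
        return req.msg_id

    def _drain(self):
        # Move queued requests into the window while there is room.
        while self.pending and len(self.outstanding) < self.window_size:
            req = self.pending.pop(0)
            self.outstanding[req.msg_id] = req
            self._transmit(req)

    def _transmit(self, req):
        self.transport.sent.append((req.msg_id, req.exchange))

    def on_response(self, msg_id):
        # A reply frees one slot in the window.
        del self.outstanding[msg_id]
        self._drain()

    def on_new_connection(self, transport):
        # Section 7.2 rule: every request still awaiting a reply is
        # retransmitted over the new connection, in Message ID order.
        self.transport = transport
        for req in sorted(self.outstanding.values(), key=lambda r: r.msg_id):
            self._transmit(req)

    def on_address_change(self, transport):
        # RFC 4555 3.5 rule: retransmit outstanding requests using the new
        # addresses, then initiate UPDATE_SA_ADDRESSES; the update is queued
        # behind them if the window is already full.
        self.on_new_connection(transport)
        return self.send("INFORMATIONAL", notifies=("UPDATE_SA_ADDRESSES",))


def scenario():
    """Window of 2, three requests in flight, a TCP reconnect, then a MOBIKE
    address change. Returns the per-connection send logs for inspection."""
    tcp1 = Transport("10.0.0.1:40000", "192.0.2.1:4500")      # constructed
    init = Initiator(window_size=2, transport=tcp1)
    init.send("CREATE_CHILD_SA")        # id 0, sent
    init.send("INFORMATIONAL")          # id 1, sent
    init.send("INFORMATIONAL")          # id 2, queued: window is full

    tcp2 = Transport("10.0.0.1:40001", "192.0.2.1:4500")      # same addresses
    init.on_new_connection(tcp2)        # ids 0 and 1 retransmitted
    init.on_response(0)                 # frees a slot, id 2 goes out

    tcp3 = Transport("198.51.100.7:40002", "192.0.2.1:4500")  # new local address
    update_id = init.on_address_change(tcp3)  # ids 1,2 retransmitted; update waits
    init.on_response(1)                 # now UPDATE_SA_ADDRESSES is transmitted

    return {
        "tcp1": list(tcp1.sent),
        "tcp2": list(tcp2.sent),
        "tcp3": list(tcp3.sent),
        "update_id": update_id,
        "update_notifies": init.outstanding[update_id].notifies,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The point the model makes visible is the one in Tero's remark: with a window of 2 and two requests still unanswered, the UPDATE_SA_ADDRESSES request cannot leave the queue until one of the retransmitted old requests is answered, so the retransmission over the new addresses necessarily happens first.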