As it is, RFC 4306 mandates that if the problem is only with the CHILD SA
payloads, then all the IKE SA payloads (including the AUTH and CFG) should be
returned, followed by a child SA error (like NO_PROPOSAL_CHOSEN) which fails
only the child SA.
I agree that scenario (c) is not really solvabl
Hello Yoav,
Are you suggesting that in this scenario the initiator will not tear down the
IKE SA on getting a CHILD SA-specific error (NO_PROPOSAL_CHOSEN) for the AUTH
exchange response?
Shouldn't the IKE SA also be torn down because while the error notify doesn't
explicitly fail the AUTH there
Hi Yoav,
So, we have 2 solutions:
1. New "Childless" payload with "critical" bit sent by initiator
Pros:
i. Helps initiator and responder to have finer policy to allow/deny
childless IKE_AUTH.
ii. Responder will not process IKE_SA_INIT if Initiator wants only
childless IKE_AUTH
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions Working
Group of the IETF.
Title : Internet Key Exchange Protocol: IKEv2
Author(s) : C. Kaufman, et al.