Keith Welter writes:
> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
> either.
I do consider INVALID_SYNTAX a fatal error, meaning the IKE SA will be
deleted immediately after sending that response containing
INVALID_SYNTAX and if I receive INVALID_SYNTAX notification I will
i
Keith Welter writes:
> In this case, the INVALID_SYNTAX could relate to the SA, TSi or TSr
> payload in the IKE_AUTH response which would mean that creation of the
> CHILD SA failed, not the IKE SA. I think INVALID_SYNTAX is ambiguous
> here without an explicit delete payload for
On Sep 7, 2009, at 3:48 PM, Tero Kivinen wrote:
> Keith Welter writes:
>> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
>> either.
>
> I do consider INVALID_SYNTAX a fatal error, meaning the IKE SA will be
> deleted immediately after sending that response containing
> INVALID_
Yoav Nir writes:
> OK. Let's try this again. Is this acceptable?
>
> 2.21. Error Handling
>
> There are many kinds of errors that can occur during IKE processing.
> If a request is received that is badly formatted, or unacceptable for
> reasons of policy (e.g., no matching crypto
On Sep 7, 2009, at 4:41 PM, Tero Kivinen wrote:
> Yoav Nir writes:
>> OK. Let's try this again. Is this acceptable?
>>
>> 2.21. Error Handling
>>
>> There are many kinds of errors that can occur during IKE processing.
>> If a request is received that is badly formatted, or unacceptabl
Yoav Nir writes:
> I wish that were true, but here's what the draft says about
> INVALID_SYNTAX
>
> INVALID_SYNTAX                    7
> Indicates the IKE message that was received was invalid because
> some type, length, or value was out of range or because the
>
Yoav Nir writes:
> > I think MAY is better than SHOULD there, or even forbidding this
> > completely.
> >
> > As said before I do not know any implementation which does this now,
> > and there is also a problem that there is no way to correlate the
> > INFORMATIONAL exchange to the exchange which cau