[Ipsec] Questions about internal address
Hi.
I've read sections 2.19 and 4, and I still have two questions about
internal addressing:
1. The initiator may send a CFG_REQUEST during the AUTH exchange.
There are several cases for the responder:
(A) - the responder does not support CFG
(B) - the responder supports CFG, but policy says that this user
does not get it.
(C) - the responder supports CFG, but only for IPv4 addresses,
and the client asked for IPv6 (or vice versa)
(D) - the responder supports CFG, but its pool is exhausted (or the
external server is down)
If my understanding is correct, in case (A) the responder will not send
a CFG_REPLY. It makes sense that in case (B) the responder will do the
same. The question is about cases (C) and (D). I'm assuming that
internal addresses are not mandatory. Is there a way to indicate the
failure to the initiator so that the initiator can decide whether to
tear down the connection? Would it be appropriate to send a CFG_REPLY
with the internal address equal to zero as an indication of failure, or
MUST the gateway simply not send a CFG_REPLY?
2. Section 4 refers to renewal before the ADDRESS_EXPIRY elapses. How
is this renewal performed? MUST it be done with a CCSA exchange even
if the SA is not expired? Can it be done in an informational exchange
like the APPLICATION_VERSION query?
Thanks, and maybe the answers should go in the clarifications draft.
Yoav
_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
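Added example, not from the poster or from the IETF: a small Python encoder/decoder for the IKEv2 Configuration Payload of RFC 4306 section 3.15, plus an initiator-side decision function that walks through the four cases (A) to (D) listed in the mail and the ADDRESS_EXPIRY renewal deadline from question 2. The CFG types, the attribute type numbers and the INTERNAL_ADDRESS_FAILURE notify type (36, RFC 4306 section 3.10.1) are taken from the RFC; the function names, the outcome labels, the /64 prefix and the sample addresses are constructed for this illustration. It does not build a complete IKE_AUTH message (no IKE header, no encryption).

```python
import struct
import ipaddress

# Configuration types (RFC 4306 section 3.15)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
# Attribute types used here (RFC 4306 section 3.15.1)
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
INTERNAL_ADDRESS_EXPIRY = 5
INTERNAL_IP6_ADDRESS = 8
# Error notify a responder can return instead of a CFG_REPLY (RFC 4306 section 3.10.1)
INTERNAL_ADDRESS_FAILURE = 36

CP_HEADER = struct.Struct("!BBHB3x")   # next payload, C+reserved, length, CFG type, 3 reserved
ATTR_HEADER = struct.Struct("!HH")     # R bit + 15-bit attribute type, value length


def encode_cp(cfg_type, attrs, next_payload=0):
    """Build a CP payload from (attribute_type, value_bytes) pairs.
    Every attribute is emitted in TLV form (R bit = 0), which is the form
    RFC 4306 uses for all configuration attributes it defines."""
    body = b"".join(ATTR_HEADER.pack(atype & 0x7FFF, len(value)) + value
                    for atype, value in attrs)
    return CP_HEADER.pack(next_payload, 0, CP_HEADER.size + len(body), cfg_type) + body


def decode_cp(data):
    """Parse one CP payload; returns (cfg_type, [(attribute_type, value), ...]).
    Lengths are checked so a truncated or overlong payload raises instead of
    being silently accepted."""
    if len(data) < CP_HEADER.size:
        raise ValueError("CP payload shorter than its fixed header")
    _next, _flags, length, cfg_type = CP_HEADER.unpack_from(data)
    if length > len(data):
        raise ValueError("CP payload length exceeds available data")
    attrs, off = [], CP_HEADER.size
    while off < length:
        if off + ATTR_HEADER.size > length:
            raise ValueError("truncated attribute header")
        atype, alen = ATTR_HEADER.unpack_from(data, off)
        off += ATTR_HEADER.size
        if off + alen > length:
            raise ValueError("attribute value runs past payload end")
        attrs.append((atype & 0x7FFF, data[off:off + alen]))
        off += alen
    return cfg_type, attrs


def build_request(family=4):
    """Initiator side of the exchange in the mail: zero-length values ask the
    responder to assign an address (and a DNS server) of the requested family."""
    addr_type = INTERNAL_IP4_ADDRESS if family == 4 else INTERNAL_IP6_ADDRESS
    return encode_cp(CFG_REQUEST, [(addr_type, b""), (INTERNAL_IP4_DNS, b"")])


def build_reply(address, expiry_seconds=None):
    """Responder side: assign a concrete address. The family picks the attribute
    type; an IPv6 value carries a trailing prefix-length octet (/64 is constructed)."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        attrs = [(INTERNAL_IP4_ADDRESS, addr.packed)]
    else:
        attrs = [(INTERNAL_IP6_ADDRESS, addr.packed + bytes([64]))]
    if expiry_seconds is not None:
        attrs.append((INTERNAL_ADDRESS_EXPIRY, struct.pack("!I", expiry_seconds)))
    return encode_cp(CFG_REPLY, attrs)


def evaluate_response(requested_family, reply_cp=None, notify_type=None, now=0):
    """Initiator-side decision for cases (A)-(D) of the mail.
    Returns (outcome, detail); outcome is 'assigned', 'no_reply',
    'no_usable_address' or 'failed'."""
    if notify_type == INTERNAL_ADDRESS_FAILURE:
        return "failed", "responder returned INTERNAL_ADDRESS_FAILURE (pool exhausted, case D)"
    if reply_cp is None:
        return "no_reply", "no CFG_REPLY at all (no CFG support or policy denies it, cases A/B)"
    cfg_type, attrs = decode_cp(reply_cp)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY, got CFG type %d" % cfg_type)
    want = INTERNAL_IP4_ADDRESS if requested_family == 4 else INTERNAL_IP6_ADDRESS
    addr_len = 4 if requested_family == 4 else 17
    values = [v for t, v in attrs if t == want and len(v) == addr_len]
    if not values:
        return "no_usable_address", "CFG_REPLY carries no address of the requested family (case C)"
    addr = ipaddress.ip_address(values[0][:16] if requested_family == 6 else values[0])
    if addr.is_unspecified:
        # Defensive choice for this example: an all-zero address is never usable,
        # so treat it as a refusal rather than an assignment.
        return "failed", "CFG_REPLY carried the all-zero address; treated as a refusal"
    expiry = [struct.unpack("!I", v)[0] for t, v in attrs
              if t == INTERNAL_ADDRESS_EXPIRY and len(v) == 4]
    renew_at = now + expiry[0] if expiry else None   # renew before this instant (question 2)
    return "assigned", {"address": str(addr), "renew_at": renew_at}
```

The decision function deliberately separates "the responder said nothing" from "the responder answered but not usefully" and from an explicit INTERNAL_ADDRESS_FAILURE notify, because those are the three signals an initiator actually has to work with; whether a missing or zero address tears down the connection is then a local policy question, which the function leaves to the caller by returning an outcome rather than acting on it.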