Hi Keith

On Sep 3, 2008, at 12:34 AM, Keith Welter wrote:

> Suppose the initiator sends an SA payload that contains both an AH and ESP proposal. Before receiving the response, the initiator decides to close the half-open child SA. I assume that the informational request should include two delete payloads, one for AH and one for ESP. Is that correct?

For this reason, it is not appropriate at this point to begin constructing the Informational message with the DELETE payloads, as this message will be nonsensical if the CCSA request is rejected. Instead, the initiator must wait until a response is received. Then it can either (1) do nothing, if the request was rejected, or (2) delete the one SA that actually got created.

Doing it as you propose would definitely result in a DELETE message for a non-existing SA, which is bad, although I don't see any text in RFC 4306 or 4306bis about what action the responder should take when it receives such a request. It's probably not delete-the-IKE-SA bad, but still something you shouldn't do.

> Related to that question, I don't see a requirement that all proposals in an SA payload have the same SPI. So, in this example, it would be permissible for the AH and ESP proposals to have different SPIs. Is that correct?

Yes, that's correct. The SA payload is ready to offer protocols of variable SPI size, so while both AH and ESP use a 4-byte SPI, maybe someday we'll have superESP with an 8-byte SPI. In that case, an SA payload with two proposals, one for AH and the other for superESP, would have to have different SPIs. As it is, it's still possible to use different values, but it's not a requirement.
_______________________________________________ IPsec mailing list IPsec at ietf.org https://www.ietf.org/mailman/listinfo/ipsec
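As an added example, not part of the thread above, a small Python model of the initiator-side handling it describes: each proposal carries its own SPI, and a Delete payload is built only after the response shows which of the offered SAs actually exists (or none, on rejection). The `Proposal` type, the function names and the sample SPIs are constructed for illustration; the protocol IDs and the Delete payload layout follow RFC 4306 sections 3.3.1 and 3.11.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# IKEv2 Protocol IDs (RFC 4306, section 3.3.1)
PROTO_AH, PROTO_ESP = 2, 3


@dataclass(frozen=True)
class Proposal:
    """One proposal substructure of the initiator's SA payload (transforms omitted)."""
    number: int       # proposal number within the SA payload
    protocol_id: int  # PROTO_AH or PROTO_ESP
    spi: bytes        # the initiator's inbound SPI for this proposal (4 bytes for AH/ESP)


def accepted_proposal(offered: Sequence[Proposal],
                      response: Optional[Tuple[int, int]]) -> Optional[Proposal]:
    """Map the responder's answer back onto what was offered.

    response is None when the responder answered NO_PROPOSAL_CHOSEN, otherwise
    (proposal number, protocol id) copied from the single proposal it returned.
    """
    if response is None:
        return None                      # request rejected: no Child SA exists
    number, protocol_id = response
    for p in offered:
        if p.number == number and p.protocol_id == protocol_id:
            return p
    raise ValueError("responder selected a proposal that was never offered")


def delete_payload(protocol_id: int, spis: Sequence[bytes], next_payload: int = 0) -> bytes:
    """Encode a Delete payload with its generic header (RFC 4306, sections 3.2 and 3.11)."""
    spi_size = len(spis[0])
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs in one Delete payload must share one SPI size")
    body = struct.pack("!BBH", protocol_id, spi_size, len(spis)) + b"".join(spis)
    # generic header: Next Payload, Critical bit + reserved, Payload Length
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def close_half_open(offered: Sequence[Proposal],
                    response: Optional[Tuple[int, int]]) -> Optional[bytes]:
    """Delete payload for the one SA that got created, or None if there is nothing to delete."""
    chosen = accepted_proposal(offered, response)
    if chosen is None:
        return None
    return delete_payload(chosen.protocol_id, [chosen.spi])


# Constructed sample: AH and ESP offered in one SA payload, each with its own SPI.
OFFER = (Proposal(1, PROTO_AH, bytes.fromhex("0a0b0c0d")),
         Proposal(2, PROTO_ESP, bytes.fromhex("11223344")))
```

With `OFFER`, a rejected request yields no Delete payload at all, while a response choosing proposal 2 yields a single Delete payload naming only the ESP SPI.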