http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/6
Yaron: Section 3.3.6, second paragraph: Assume a CREATE_CHILD_SA packet is received with SA payload proposal 1 D-H=2 ... proposal 2 D-H=0 ... KE payload D-H=2 ... Assume the responder wants to pick proposal number 2. Because the KE payload refers to D-H=2, the responder must return INVALID_KE_PAYLOAD, even though the responder could just select proposal 2 and omit the KE payload in the response.

Paul: Sending INVALID_KE_PAYLOAD in this case certainly wasn't the intent, but you're right that the text doesn't explicitly say this.

Yaron: Should we say something like: An exception is the case where one of the proposals offered is for D-H group NONE. In this case, the responder MUST ignore the initiator's KE payload and omit the KE payload from the response.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
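The responder-side decision discussed in the thread, written out as an added Python model; this is not code from the thread, from the ipsecme draft, or from any IKEv2 implementation. It assumes that D-H group NONE is transform ID 0 (the "D-H=0" of the example above), uses a simple responder preference list as a stand-in for the responder's policy, and exposes Yaron's proposed exception as a flag (`none_exception`) so the strict reading and the proposed reading can be compared on the same input.

```python
# Added example: a minimal model of how an IKEv2 responder chooses a
# CREATE_CHILD_SA proposal and decides whether to answer with a KE payload,
# omit it, or return INVALID_KE_PAYLOAD. Not from the thread or any RFC text.
from dataclasses import dataclass
from typing import Optional, Sequence

DH_NONE = 0  # D-H group NONE transform ID; the thread writes it as "D-H=0"


@dataclass(frozen=True)
class Proposal:
    number: int    # proposal number in the initiator's SA payload
    dh_group: int  # D-H transform ID; DH_NONE means no new exchange


@dataclass(frozen=True)
class Decision:
    action: str               # "ACCEPT", "INVALID_KE_PAYLOAD" or "NO_PROPOSAL_CHOSEN"
    proposal: Optional[int]   # accepted proposal number, None otherwise
    ke_group: Optional[int]   # group of the KE payload in the response (ACCEPT, None
                              # when omitted) or the group the initiator should retry
                              # with (INVALID_KE_PAYLOAD)


def select_proposal(offered: Sequence[Proposal],
                    preferred_groups: Sequence[int]) -> Optional[Proposal]:
    """Pick the first offered proposal whose D-H group the responder prefers most.

    `preferred_groups` is ordered, most preferred first; it stands in for the
    responder's configured policy (an assumption of this model).
    """
    for group in preferred_groups:
        for p in offered:
            if p.dh_group == group:
                return p
    return None


def respond(offered: Sequence[Proposal], ke_group: Optional[int],
            preferred_groups: Sequence[int], none_exception: bool = True) -> Decision:
    """Decide the CREATE_CHILD_SA response.

    ke_group is the group carried in the initiator's KE payload, or None when
    no KE payload was sent. With none_exception=True the responder applies the
    exception proposed in the thread: a chosen D-H group NONE proposal is
    accepted and the initiator's KE payload is ignored, so no KE is returned.
    """
    chosen = select_proposal(offered, preferred_groups)
    if chosen is None:
        return Decision("NO_PROPOSAL_CHOSEN", None, None)

    if chosen.dh_group == DH_NONE:
        if ke_group is None or none_exception:
            # Nothing to exchange: accept and omit the KE payload entirely.
            return Decision("ACCEPT", chosen.number, None)
        # Strict reading of the current text: the KE payload names a group
        # other than the chosen one, so the responder must reject it.
        return Decision("INVALID_KE_PAYLOAD", None, chosen.dh_group)

    if ke_group == chosen.dh_group:
        # The initiator guessed our group: answer with our own KE payload.
        return Decision("ACCEPT", chosen.number, chosen.dh_group)

    # Chosen group differs from (or is missing in) the KE payload: ask the
    # initiator to retry with the group we actually selected.
    return Decision("INVALID_KE_PAYLOAD", None, chosen.dh_group)


def thread_scenario(none_exception: bool = True) -> Decision:
    """The exact case from the thread: proposal 1 D-H=2, proposal 2 D-H=0,
    KE payload for group 2, responder wants proposal 2 (constructed input)."""
    offered = [Proposal(1, 2), Proposal(2, DH_NONE)]
    return respond(offered, ke_group=2, preferred_groups=[DH_NONE, 2],
                   none_exception=none_exception)


if __name__ == "__main__":
    print("proposed exception:", thread_scenario(True))
    print("strict reading:    ", thread_scenario(False))
```

Running the block shows the two readings side by side: with the exception the responder accepts proposal 2 and omits KE; without it the same input produces INVALID_KE_PAYLOAD carrying group 0, which is the round trip Yaron points out is unnecessary.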
