Joy Latten wrote:
> > I think Tero's proposal about just noting this fact (i.e. not
> > changing how this works) would be OK and sufficient.
>
> I could be missing something, but RFC4301, section 4.1 allows
> implementations to use the SPI in conjunction with the IPsec protocol
> for SA identification. So, if someone is in that latter case, wouldn't
> they have a problem?
Well... depends on whether the recipient of the notification actually uses the SPI value for something (other than possibly debugging/logging).

The "INVALID_SPI" notification basically means "I've rebooted, or our understanding of IPsec/IKEv2 state is otherwise screwed up".

If this was an unprotected one-way notification, the recipient would take it as a hint that things might be wrong, and initiate a liveness test for the IKE_SA.

If it was a protected notification, it probably means an implementation bug somewhere, and a possible action would be to create a new IKE_SA (and new CHILD_SAs) from scratch.

In neither case does the recipient really need the SPI value for anything.

Best regards,
Pasi

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
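The two-way handling Pasi describes, as an added illustration that is not part of the thread and not any IPsec stack's real code: an unprotected INVALID_SPI only triggers a liveness test and must not change SA state (an unauthenticated packet should never be able to tear down an SA), while a protected one leads to tearing down and rebuilding the IKE_SA. The SAD is keyed by (SPI, protocol) as Joy's RFC 4301 section 4.1 point allows, but the SPI from the notification is only logged; the decision never depends on it. The class and method names, the `MAX_PROBES` retry budget, and the peer/SPI values in the usage are all constructed for this example.

```python
"""Toy responder-side handling of an IKEv2 INVALID_SPI notification (example code)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Set, Tuple

SaKey = Tuple[int, str]  # (SPI, IPsec protocol "ESP"/"AH"), per RFC 4301 section 4.1


class Action(Enum):
    IGNORE = auto()          # no matching IKE_SA; nothing to do
    LIVENESS_CHECK = auto()  # unprotected notification: only probe the peer
    REBUILD_IKE_SA = auto()  # protected notification: tear down and start over
    DELETE_IKE_SA = auto()   # liveness probes exhausted: peer is gone


@dataclass
class IkeSa:
    peer: str
    child_sas: Set[SaKey] = field(default_factory=set)
    unanswered_probes: int = 0


class IkeResponder:
    MAX_PROBES = 3  # hypothetical retry budget for the liveness test

    def __init__(self) -> None:
        self.ike_sas: Dict[str, IkeSa] = {}
        self.sad: Dict[SaKey, str] = {}  # SAD: (SPI, proto) -> owning peer
        self.log: List[str] = []

    def create_ike_sa(self, peer: str) -> IkeSa:
        sa = IkeSa(peer)
        self.ike_sas[peer] = sa
        return sa

    def add_child_sa(self, peer: str, spi: int, proto: str) -> None:
        key = (spi, proto)
        self.ike_sas[peer].child_sas.add(key)
        self.sad[key] = peer

    def _teardown(self, peer: str) -> None:
        # Remove the IKE_SA and every CHILD_SA it negotiated.
        sa = self.ike_sas.pop(peer)
        for key in sa.child_sas:
            self.sad.pop(key, None)

    def on_invalid_spi(self, peer: str, spi: int, proto: str, protected: bool) -> Action:
        sa = self.ike_sas.get(peer)
        if sa is None:
            return Action.IGNORE
        # The SPI is only logged; it may be bogus in an unprotected message,
        # and the decision below does not depend on it.
        known = self.sad.get((spi, proto)) == peer
        self.log.append(f"INVALID_SPI from {peer} for {proto} SPI {spi:#x} "
                        f"({'known' if known else 'unknown'}), protected={protected}")
        if not protected:
            # Unauthenticated: a hint only. Keep all SAs, send a liveness probe.
            sa.unanswered_probes += 1
            return Action.LIVENESS_CHECK
        # Authenticated peer reports a state mismatch: rebuild from scratch.
        self._teardown(peer)
        return Action.REBUILD_IKE_SA

    def on_liveness_reply(self, peer: str) -> None:
        sa = self.ike_sas.get(peer)
        if sa is not None:
            sa.unanswered_probes = 0  # peer is alive; the hint was a false alarm

    def on_liveness_timeout(self, peer: str) -> Action:
        sa = self.ike_sas.get(peer)
        if sa is None:
            return Action.IGNORE
        if sa.unanswered_probes >= self.MAX_PROBES:
            self._teardown(peer)  # repeated silence: the peer really is gone
            return Action.DELETE_IKE_SA
        sa.unanswered_probes += 1
        return Action.LIVENESS_CHECK


if __name__ == "__main__":
    r = IkeResponder()
    r.create_ike_sa("peerA")
    r.add_child_sa("peerA", 0x1234, "ESP")
    print(r.on_invalid_spi("peerA", 0x9999, "ESP", protected=False))  # LIVENESS_CHECK
    print(r.on_invalid_spi("peerA", 0x1234, "ESP", protected=True))   # REBUILD_IKE_SA
    print("\n".join(r.log))
```

The asymmetry is the whole point: the unprotected path can only ever cost the receiver one INFORMATIONAL exchange, so a spoofed notification cannot be used to knock down an SA, while the protected path acts on the word of an authenticated peer.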
