Tero Kivinen wrote:
> > If it's not an interop issue, and not a security issue, then I'm
> > not sure if mandating such check is needed. But are there some
> > security implications?
>
> I agree that there is no real need to mandate such check, but if
> IKEv2 tester implementations are requiring such check that will be
> de-facto requirement to add such check, as otherwise you will not
> pass their tests.
>
> So for that it is interoperability issue, as you cannot pass their
> interoperability tests if you do not check it. So that's why I think
> it would be good to say that either it is valid to check only your
> own SPI or that you MUST check both SPIs.

Hmm, I see your point -- if even tester implementors have been
confused, it certainly would be good to say *something* about this in
the specification. (But since this is about interaction with
non-compliant implementations, I don't really care which way we
choose..)

Best regards,
Pasi
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
