Ticket #9 says "If the authentication fails in such ways that the entries cannot create IKE SA (authentication failure or similar), then the response will be unencrypted, unauthenticated notify." Back in January there was additional discussion about this issue. Several people supported sending the response as an encrypted, authenticated notify. The reason being that the only entity who can send an encrypted, authenticated notify is the person with knowledge of SK_e* and SK_a*.
Have we reached a decision yet? I thought we decided it was ok to send an encrypted, authenticated notify in this case and the initiator could take action on it because he knows it came from the person that he performed the DH exchange with, but the ticket does not reflect that.

Dave Wierbowski
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
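As an added illustration of the argument in the message above (not code from the thread, the ticket, or any IKEv2 implementation), a simplified Python model of why an encrypted, authenticated notify can be acted on: the key derivation, the toy cipher and the payload layout are constructed stand-ins for the real PRF+/ENCR/INTEG algorithms, and only the notify type value AUTHENTICATION_FAILED is taken from IKEv2.

```python
import hmac, hashlib, os, struct

AUTHENTICATION_FAILED = 24   # IKEv2 notify message type (RFC 4306, 3.10.1)
ICV_LEN = 16                 # truncated integrity checksum, as IKEv2 INTEG algorithms do

def derive_keys(dh_shared_secret: bytes, nonce_i: bytes, nonce_r: bytes):
    """Constructed stand-in for the IKEv2 PRF+ derivation; returns (SK_e, SK_a).
    Only the two peers that completed the DH exchange know dh_shared_secret."""
    skeyseed = hmac.new(nonce_i + nonce_r, dh_shared_secret, hashlib.sha256).digest()
    sk_e = hmac.new(skeyseed, b"SK_e", hashlib.sha256).digest()
    sk_a = hmac.new(skeyseed, b"SK_a", hashlib.sha256).digest()
    return sk_e, sk_a

def _keystream(sk_e: bytes, iv: bytes, length: int) -> bytes:
    # Toy HMAC counter-mode keystream; real IKE uses the negotiated ENCR transform.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(sk_e, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def build_protected_notify(sk_e: bytes, sk_a: bytes, notify_type: int) -> bytes:
    """Encrypted payload model: IV || ciphertext(notify type) || ICV over (IV || ciphertext)."""
    iv = os.urandom(16)
    pt = struct.pack(">H", notify_type)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(sk_e, iv, len(pt))))
    icv = hmac.new(sk_a, iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    return iv + ct + icv

def verify_protected_notify(sk_e: bytes, sk_a: bytes, msg: bytes):
    """Initiator side: return the notify type only if the ICV verifies under SK_a, else None."""
    if len(msg) < 16 + 2 + ICV_LEN:
        return None
    iv, ct, icv = msg[:16], msg[16:-ICV_LEN], msg[-ICV_LEN:]
    expected = hmac.new(sk_a, iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None   # not produced by the DH peer: discard, do not act on it
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(sk_e, iv, len(ct))))
    return struct.unpack(">H", pt)[0]

def demo():
    """Responder answers a failed AUTH with a protected AUTHENTICATION_FAILED; a third party
    without the DH secret cannot produce a notify the initiator will accept."""
    nonce_i, nonce_r = os.urandom(32), os.urandom(32)
    shared = os.urandom(32)  # constructed: the initiator/responder DH shared secret
    sk_e, sk_a = derive_keys(shared, nonce_i, nonce_r)
    from_responder = build_protected_notify(sk_e, sk_a, AUTHENTICATION_FAILED)
    fake_e, fake_a = derive_keys(os.urandom(32), nonce_i, nonce_r)  # no DH secret
    from_third_party = build_protected_notify(fake_e, fake_a, AUTHENTICATION_FAILED)
    return (verify_protected_notify(sk_e, sk_a, from_responder),
            verify_protected_notify(sk_e, sk_a, from_third_party))
```

An unprotected notify, by contrast, carries nothing the initiator can check, which is why the ticket text as written leaves the initiator unable to tell the responder's answer from anyone else's.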
