Hi Kalyani.

One way or the other, it has to be mandatory. The "dread" scenario is that one 
peer thinks the IKE SA is set up, while the other thinks that it is not.

From the discussion of Ticket #9, the consensus seems to be that with all 
those child-SA specific reasons, the IKE SA is set up - it is not silently 
discarded.

Of course, IKE SAs are usually not set up for their own sake, but as a means 
to an end - the child SA. So if setting up the child SA fails, either peer may 
decide that keeping the IKE SA is a waste of memory. In that case either side 
can delete the IKE SA, but only by doing it explicitly with a DELETE payload in 
an INFORMATIONAL exchange.

Hope this helps

Yoav 

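An added illustration of the state rule discussed above; this is constructed example code, not code from this thread, from the RFC, or from any IKEv2 implementation. Two toy peers run an IKE_AUTH exchange: the child-SA-specific notifications named in the thread leave the IKE SA established on both sides (with no Child SA), a peer that silently discards the IKE SA instead produces the mismatched view the reply warns about, and an INFORMATIONAL exchange carrying a DELETE payload is what brings both sides to "no IKE SA" together. The `Peer`, `Message`, `silently_discard_on_child_error` and `scenario` names are invented for the example; the notification names are those quoted in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

# Child-SA / Configuration-Payload failures listed in the thread. They say
# nothing about peer authentication, only about the first Child SA.
CHILD_SA_ERRORS = {
    "NO_PROPOSAL_CHOSEN", "TS_UNACCEPTABLE", "SINGLE_PAIR_REQUIRED",
    "INTERNAL_ADDRESS_FAILURE", "FAILED_CP_REQUIRED",
}
# Failure of authentication itself: afterwards neither side has an IKE SA.
AUTH_ERRORS = {"AUTHENTICATION_FAILED"}


@dataclass
class Peer:
    name: str
    ike_sa_up: bool = False
    child_sas: list = field(default_factory=list)
    # Hypothetical non-conforming behaviour: drop the IKE SA without saying so.
    silently_discard_on_child_error: bool = False


@dataclass
class Message:
    exchange: str                  # "IKE_AUTH" or "INFORMATIONAL"
    notify: Optional[str] = None   # error notification carried, if any
    delete_ike_sa: bool = False    # DELETE payload naming the IKE SA itself


def responder_ike_auth(resp: Peer, child_error: Optional[str],
                       auth_error: Optional[str]) -> Message:
    """Build the responder's IKE_AUTH response and update its own view."""
    if auth_error:
        resp.ike_sa_up = False
        return Message("IKE_AUTH", notify=auth_error)
    # Authentication succeeded, so the IKE SA exists on the responder ...
    resp.ike_sa_up = True
    if child_error:
        if resp.silently_discard_on_child_error:
            resp.ike_sa_up = False   # ... unless it misbehaves and drops it quietly
        return Message("IKE_AUTH", notify=child_error)
    resp.child_sas.append("child-1")
    return Message("IKE_AUTH")


def initiator_ike_auth(init: Peer, response: Message) -> None:
    """Apply the responder's IKE_AUTH response to the initiator's state."""
    if response.notify in AUTH_ERRORS:
        init.ike_sa_up = False
    elif response.notify in CHILD_SA_ERRORS:
        # Only the Child SA was refused; the IKE SA is up on a conforming peer.
        init.ike_sa_up = not init.silently_discard_on_child_error
    elif response.notify is None:
        init.ike_sa_up = True
        init.child_sas.append("child-1")
    else:
        raise ValueError(f"unmodelled notify {response.notify}")


def run_ike_auth(init: Peer, resp: Peer, child_error=None, auth_error=None) -> None:
    initiator_ike_auth(init, responder_ike_auth(resp, child_error, auth_error))


def informational_delete(sender: Peer, receiver: Peer) -> Message:
    """Explicit teardown: a DELETE payload for the IKE SA in an INFORMATIONAL."""
    msg = Message("INFORMATIONAL", delete_ike_sa=True)
    sender.ike_sa_up = False
    sender.child_sas.clear()
    # The receiver acts on the DELETE payload, so both views change together.
    receiver.ike_sa_up = False
    receiver.child_sas.clear()
    return msg


def views_agree(a: Peer, b: Peer) -> bool:
    """The invariant the thread cares about: both peers agree whether the IKE SA exists."""
    return a.ike_sa_up == b.ike_sa_up


def scenario(child_error=None, auth_error=None, initiator_silent=False,
             responder_silent=False, delete_after=False):
    """Run one IKE_AUTH exchange (optionally followed by an explicit delete)."""
    init = Peer("initiator", silently_discard_on_child_error=initiator_silent)
    resp = Peer("responder", silently_discard_on_child_error=responder_silent)
    run_ike_auth(init, resp, child_error, auth_error)
    if delete_after:
        informational_delete(init, resp)
    return init, resp


if __name__ == "__main__":
    i, r = scenario(child_error="TS_UNACCEPTABLE", initiator_silent=True)
    print("silent discard -> views agree:", views_agree(i, r))   # False: the mismatch
```

Running the module prints the mismatch case; the `scenario` helper makes it easy to compare a conforming pair (IKE SA up on both sides, no Child SA) with one where a peer drops the IKE SA without an INFORMATIONAL DELETE.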
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kalyani Garigipati (kagarigi)
> Sent: Wednesday, April 01, 2009 8:56 AM
> To: Paul Hoffman
> Cc: [email protected]
> Subject: Re: [IPsec] Ticket #9
> 
> Hi Paul,
> 
> My question was, during the AUTH exchange, if failure happens 
> due to reasons like NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, 
> SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and 
> FAILED_CP_REQUIRED, should we still bring up the IKEv2 SA as usual? 
> The RFC says we can still bring up the
> IKEv2 SA as usual, but my doubt is whether this is mandatory or optional.
> 
> My question was not during Child SA Creation.
> 
> Regards,
> kalyani
> 
> 
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Paul Hoffman
> Sent: Tuesday, March 31, 2009 11:38 PM
> To: Kalyani Garigipati (kagarigi)
> Cc: [email protected]
> Subject: Re: [IPsec] Ticket #9
> 
> At 5:32 PM +0530 3/31/09, Kalyani Garigipati (kagarigi) wrote:
> >Hi,
> >
> >Please clarify the following.
> >
> >1. Is it mandatory or optional (implementation dependent) to create an
> >IKEv2 SA when the IKE_AUTH exchange fails for reasons like 
> >NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, 
> >SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and 
> >FAILED_CP_REQUIRED?
> 
> I am unclear on what you are asking. The IKE SA is already 
> set up when the child SA creation fails. Thus, it does not 
> need to be created.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec