> {{ Clarif-7.7 }} There are two cases when such a one-way notification> is sent: INVALID_IKE_SPI and INVALID_SPI. These notifications are > sent outside of an IKE_SA. Note that such notifications are > explicitly not Informational exchanges; these are one-way messages > that must not be responded to. In case of INVALID_IKE_SPI, the > message sent is a response message, and thus it is sent to the IP > address and port from whence it came with the same IKE SPIs and the > Message ID copied. In case of INVALID_SPI, however, there are no IKE > SPI values that would be meaningful to the recipient of such a > notification. Using zero values or random values are both > acceptable. Tero: In a sense INVALID_MAJOR_VERSION is also this kind of notification which is sent outside of an IKE_SA, although it is sent as a response to the incoming IKE SA creation. Perhaps we should note this fact here? Paul: Not done. This is interesting, but should be discussed on the list.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
