> IKE is a reliable protocol, in the sense that the initiator MUST
> retransmit a request until either it receives a corresponding reply
> OR it deems the IKE security association to have failed and it
> discards all state associated with the IKE_SA and any CHILD_SAs
> negotiated using that IKE_SA.
>
> {{ Clarif-2.3 }} Retransmissions of the IKE_SA_INIT request require
> some special handling. When a responder receives an IKE_SA_INIT
> request, it has to determine whether the packet is retransmission
> belonging to an existing 'half-open' IKE_SA (in which case the
> responder retransmits the same response), or a new request (in which
> case the responder creates a new IKE_SA and sends a fresh response),
> or it belongs to an existing IKE_SA where the IKE_AUTH request has
> been already received (in which case the responder ignores it).
Tero:
There is also the case of the invalid KE and cookie notifies, i.e. we
need to add a comment about those too:
... or it belongs to an existing IKE_SA where the IKE_AUTH request has
been already received (in which case the responder ignores it), or
it is INVALID_KE_PAYLOAD or COOKIE notify responses to the
IKE_SA_INIT request.
Paul: Not done. This is interesting, but should be discussed on the list.
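The three cases in the quoted clarification, plus the notify case Tero raises, as an added example that is not part of the draft or of this list discussion. It assumes a toy responder that keys half-open state on (initiator SPI, peer address) and detects a retransmission by a SHA-256 digest of the whole request; a request with the same SPI but different bytes (the initiator's retry after a COOKIE or INVALID_KE_PAYLOAD notify) is treated as a fresh request. Message bytes are constructed stand-ins, not real IKEv2 encoding.

```python
import hashlib
from dataclasses import dataclass, field

# Responder-side states for one initiator SPI (names are this example's own).
HALF_OPEN = "half-open"          # IKE_SA_INIT answered, IKE_AUTH not yet seen
NOTIFY_SENT = "notify-sent"      # answered with COOKIE / INVALID_KE_PAYLOAD, no SA yet
IKE_AUTH_SEEN = "ike-auth-received"


@dataclass
class SaRecord:
    state: str
    request_digest: bytes    # SHA-256 over the whole IKE_SA_INIT request bytes
    response: bytes          # cached response, resent on a retransmission


@dataclass
class Responder:
    demand_cookie: bool = False                # under load, answer bare requests with N(COOKIE)
    sas: dict = field(default_factory=dict)    # (initiator SPI, peer) -> SaRecord

    def handle_ike_sa_init(self, spi_i: int, peer: str, request: bytes):
        """Classify an incoming IKE_SA_INIT request; returns (action, response_or_None)."""
        key = (spi_i, peer)
        digest = hashlib.sha256(request).digest()
        rec = self.sas.get(key)
        if rec is not None and rec.request_digest == digest:
            if rec.state == IKE_AUTH_SEEN:
                return ("ignore", None)              # IKE_AUTH already received
            return ("retransmit", rec.response)      # byte-identical: resend same reply
        # Anything else is a fresh request: unknown SPI, or the same SPI with
        # different bytes, e.g. the initiator's retry carrying our cookie or a
        # new KE group after a COOKIE / INVALID_KE_PAYLOAD notify response.
        if self.demand_cookie and b"N(COOKIE)" not in request:
            response = b"IKE_SA_INIT-response N(COOKIE)"    # constructed stand-in
            self.sas[key] = SaRecord(NOTIFY_SENT, digest, response)
            return ("notify", response)
        response = b"IKE_SA_INIT-response SA KE Nr"         # constructed stand-in
        self.sas[key] = SaRecord(HALF_OPEN, digest, response)
        return ("new", response)

    def ike_auth_received(self, spi_i: int, peer: str) -> None:
        """Mark the SA so later IKE_SA_INIT retransmissions for it are ignored."""
        self.sas[(spi_i, peer)].state = IKE_AUTH_SEEN
```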
IPsec mailing list: https://www.ietf.org/mailman/listinfo/ipsec
