Yaron Sheffer wrote:
>> {{ Clarif-2.3 }} Retransmissions of the IKE_SA_INIT request require
>> some special handling. When a responder receives an IKE_SA_INIT
>> request, it has to determine whether the packet is a retransmission
>> belonging to an existing 'half-open' IKE_SA (in which case the
>> responder retransmits the same response), or a new request (in which
>> case the responder creates a new IKE_SA and sends a fresh response),
>> or it belongs to an existing IKE_SA where the IKE_AUTH request has
>> been already received (in which case the responder ignores it).
>
> Tero:
> There is also the case of the invalid KE and cookie notifies, i.e. we
> need to add a comment about those too:
>
> ... or it belongs to an existing IKE_SA where the IKE_AUTH request
> has been already received (in which case the responder ignores it),
> or it is INVALID_KE_PAYLOAD or COOKIE notify responses to the
> IKE_SA_INIT request.
>
> Paul: Not done. This is interesting, but should be discussed on the list.

The current text is about processing of IKE_SA_INIT *requests* by
the responder, so talking about IKE_SA_INIT responses (such as
INVALID_KE_PAYLOAD) in the same sentence would be IMHO very confusing.
I'd suggest we keep this paragraph as is.

Best regards,
Pasi
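
The three responder-side cases from the quoted Clarif-2.3 text, as an added example that is not part of the original thread or of any IKEv2 implementation. Keying the lookup on a SHA-256 hash of the whole request, the class and method names, and all byte strings are assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CREATE_NEW_SA = "new request: create IKE_SA, send fresh response"
    RETRANSMIT_RESPONSE = "half-open IKE_SA: resend the same response"
    IGNORE = "IKE_AUTH already received: ignore"


@dataclass
class IkeSa:
    cached_response: bytes       # exact bytes sent in reply to the first request
    auth_received: bool = False  # set once the IKE_AUTH request has arrived


class Responder:
    def __init__(self):
        # Assumption: the table is keyed by SHA-256 of the whole request packet.
        self.sa_by_request = {}

    def on_ike_sa_init(self, request: bytes):
        key = hashlib.sha256(request).digest()
        sa = self.sa_by_request.get(key)
        if sa is None:
            # Constructed stand-in for a real response (fresh random part).
            response = b"SA_INIT_RESPONSE|" + os.urandom(16)
            self.sa_by_request[key] = IkeSa(cached_response=response)
            return Action.CREATE_NEW_SA, response
        if sa.auth_received:
            return Action.IGNORE, None
        # Half-open: resend the cached bytes, do not build a new response.
        return Action.RETRANSMIT_RESPONSE, sa.cached_response

    def on_ike_auth(self, init_request: bytes):
        # Simplification: locate the IKE_SA through its original request.
        self.sa_by_request[hashlib.sha256(init_request).digest()].auth_received = True


def demo():
    r = Responder()
    req_a, req_b = b"constructed IKE_SA_INIT request A", b"constructed IKE_SA_INIT request B"
    steps = [r.on_ike_sa_init(req_a)[0], r.on_ike_sa_init(req_a)[0]]
    r.on_ike_auth(req_a)
    steps += [r.on_ike_sa_init(req_a)[0], r.on_ike_sa_init(req_b)[0]]
    return [s.name for s in steps]
```

Only requests reach `on_ike_sa_init` here; INVALID_KE_PAYLOAD and COOKIE are responses and are outside what this classifier models.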