[email protected] writes:
> Yaron Sheffer wrote:
>
> >> {{ Clarif-2.3 }} Retransmissions of the IKE_SA_INIT request require
> >> some special handling. When a responder receives an IKE_SA_INIT
> >> request, it has to determine whether the packet is retransmission
> >> belonging to an existing 'half-open' IKE_SA (in which case the
> >> responder retransmits the same response), or a new request (in which
> >> case the responder creates a new IKE_SA and sends a fresh response),
> >> or it belongs to an existing IKE_SA where the IKE_AUTH request has
> >> been already received (in which case the responder ignores it).
> >
> > Tero:
> > There is also the case of the invalid KE and cookie notifies, i.e. we
> > need to add comment about those too:
> >
> > ... or it belongs to an existing IKE_SA where the IKE_AUTH request
> > has been already received (in which case the responder ignores it),
> > or it is INVALID_KE_PAYLOAD or COOKIE notify responses to the
> > IKE_SA_INIT request.
> >
> > Paul: Not done. This is interesting, but should be discussed on the list.
>
> The current text is about processing of IKE_SA_INIT *requests* by
> the responder, so talking about IKE_SA_INIT responses (such as
> INVALID_KE_PAYLOAD) in the same sentence would be IMHO very confusing.

Hmm... true, missed that it was only talking from the responders side,
not from the initiator side.

> I'd suggest we keep this paragraph as is.

I agree on that now when I reread the section.
--
[email protected]
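
The three responder-side cases in the quoted Clarif-2.3 text, as an added example that is not part of the original thread or of any IKEv2 implementation. The thread does not say how the responder tells the cases apart; keying the lookup on a hash of the whole request is an assumption here, and the class names, the on_ike_auth hook, and the sample packets are constructed for illustration.

```python
import hashlib
import os
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NEW_SA = "create IKE_SA, send fresh response"
    RETRANSMIT = "resend stored response"
    IGNORE = "drop silently"


@dataclass
class SaState:
    response: bytes              # stored so a retransmission gets identical bytes
    auth_received: bool = False  # True once IKE_AUTH has been seen on this SA


class Responder:
    def __init__(self):
        # Assumption: lookup key is SHA-256 of the whole request, so two
        # initiators that picked the same SPI still map to different entries.
        self.sas = {}

    @staticmethod
    def key(request: bytes) -> bytes:
        return hashlib.sha256(request).digest()

    def on_ike_sa_init(self, request: bytes):
        sa = self.sas.get(self.key(request))
        if sa is None:                      # new request
            # Placeholder response bytes, not real IKEv2 encoding.
            sa = SaState(response=b"RESP" + os.urandom(16))
            self.sas[self.key(request)] = sa
            return Action.NEW_SA, sa.response
        if sa.auth_received:                # IKE_AUTH already received
            return Action.IGNORE, None
        return Action.RETRANSMIT, sa.response  # half-open: same response again

    def on_ike_auth(self, init_request: bytes):
        # Hypothetical hook: the SA created by init_request is no longer half-open.
        self.sas[self.key(init_request)].auth_received = True


# Constructed sample requests: 8-byte initiator SPI followed by a nonce.
REQ_A = bytes.fromhex("1122334455667788") + b"nonce-A"
REQ_B = bytes.fromhex("1122334455667788") + b"nonce-B"  # same SPI, other peer
```
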
