Vijay Devarapalli wrote:
> In the redirect-during-IKE_AUTH cases, the only time the IKEv2 SA is
> not valid is when EAP is used and the redirect is done based on the
> unauthenticated ID. In all other cases, the IKEv2 SA is valid and
> should be torn down with an INFORMATIONAL exchange.
>
> IMHO, this is clear enough and is captured in the current draft.

Well.. I'm a bit skeptical about it being clear to folks who didn't participate in writing this draft. And having these two cases is more complex than having just one (IKE_SA is not used for any more exchanges).

What benefits does this additional complexity (both in spec and in implementation) get us? If nothing, let's just remove it....

Best regards,
Pasi
