Issue #161 should have referred to 2.21.2, not to 2.21. But reading the text
again, I am happy with the way it's worded in -07.
Thanks,
Yaron
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Yoav Nir
> Sent: Monday, February 08, 2010 8:00
> To: IPsecme WG
> Subject: [IPsec] More Issues for IKEv2bis
>
>
> Issue #161 - Contradiction re: authentication failure
> =====================================================
> 2.21: the first paragraph says that if an auth failure occurs at the
> responder, AUTHENTICATION_FAILED is included in the protected response
> (to IKE_AUTH), while the last paragraph says it's a separate
> Informational exchange.
>
> I think this has already been fixed, no? Here's the text:
> 2.21. Error Handling
>
> There are many kinds of errors that can occur during IKE processing.
> The general rule is that if a request is received that is badly
> formatted, or unacceptable for reasons of policy (such as no matching
> cryptographic algorithms), the response contains a Notify payload
> indicating the error. The decision whether or not to send such a
> response depends whether or not there is an authenticated IKE SA.
>
> If there is an error parsing or processing a response packet, the
> general rule is to not send back any error message because responses
> should not generate new requests (and a new request would be the only
> way to send back an error message). Such errors in parsing or
> processing response packets should still cause the recipient to clean
> up the IKE state (for example, by sending a DELETE for a bad SA).
>
> Only authentication failures (AUTHENTICATION_FAILED) and malformed
> messages (INVALID_SYNTAX) lead to a deletion of the IKE SA without
> requiring an explicit INFORMATIONAL exchange carrying a DELETE
> payload. Other error conditions MAY require such an exchange if
> policy dictates that this is needed.
>
>
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
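The error-handling rules quoted in section 2.21 above, modelled as a small decision routine (an added example, not code from the thread or from any IKEv2 implementation). The `policy_delete` and `reply_unauthenticated` knobs, the `exchange` names and the message strings are assumptions made for illustration; the rules themselves (no error message in reply to a response, AUTHENTICATION_FAILED and INVALID_SYNTAX tearing down the SA without an INFORMATIONAL/DELETE exchange, AUTHENTICATION_FAILED carried in the protected IKE_AUTH response) follow the quoted text.

```python
from dataclasses import dataclass, field

# Notify types named in the quoted 2.21 text.
AUTHENTICATION_FAILED = "AUTHENTICATION_FAILED"
INVALID_SYNTAX = "INVALID_SYNTAX"
# Errors that delete the IKE SA without an explicit INFORMATIONAL/DELETE exchange.
FATAL = {AUTHENTICATION_FAILED, INVALID_SYNTAX}


@dataclass
class IkeSa:
    authenticated: bool                       # IKE_AUTH completed with this peer?
    alive: bool = True
    sent: list = field(default_factory=list)  # every message this side emitted


def handle_error(sa, error, in_response, exchange="INFORMATIONAL",
                 policy_delete=False, reply_unauthenticated=False):
    """Apply the 2.21 rules to one error and return the messages sent for it.

    in_response          -- error found while processing a response we received
    exchange             -- exchange the faulty message belongs to (assumed names)
    policy_delete        -- assumed local policy: non-fatal errors still tear down the SA
    reply_unauthenticated-- assumed local policy: answer errors before authentication
    """
    sent = []
    if not in_response:
        # An error in a request is reported by a Notify in the response, but
        # whether to answer at all depends on having an authenticated IKE SA.
        # The case issue #161 settles: a failed IKE_AUTH is answered with
        # AUTHENTICATION_FAILED inside the protected IKE_AUTH response itself.
        auth_fail_in_ike_auth = exchange == "IKE_AUTH" and error == AUTHENTICATION_FAILED
        if sa.authenticated or auth_fail_in_ike_auth or reply_unauthenticated:
            sent.append(f"{exchange} response: Notify({error})")
    # An error in a response never produces an error message of its own
    # (responses must not generate new requests); only cleanup follows.
    if error in FATAL:
        sa.alive = False          # deleted locally, no INFORMATIONAL(DELETE) needed
    elif policy_delete:
        sent.append("INFORMATIONAL request: DELETE(IKE SA)")  # cleanup, not an error reply
        sa.alive = False
    sa.sent.extend(sent)
    return sent
```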