Hi Tero,
Going back to the original issue: there is no interoperable way to send
"generic dummy packets". So it's OK if we mention dummy ESP packets, but
anything else would be implementation specific. Even pings.
Thanks,
Yaron
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Tero Kivinen
> Sent: Monday, February 08, 2010 19:28
> To: Yoav Nir
> Cc: ipsec
> Subject: [IPsec] Yet another closing session - issues #153-#157
>
>
> > Issue #154 - Sending dummy messages during rekey
> > ================================================
> > Sec. 2.8: "An initiator MAY send a dummy message on a newly created
> > SA if it has no messages queued in order to assure the responder
> > that the initiator is ready to receive messages."
> > A dummy (higher level protocol) message on an IPsec SA is way out of
> > scope. Whether such messages even exist is a matter of local
> > implementation.
> > Or does the document refer to "dummy ESP messages" (RFC 4303, sec.
> > 2.6)? If so, please add the reference.
> >
> > I suspect that some implementations do not implement TFC, and so had
> > no reason to implement dummy messages. If this was a MUST here or
> > even a SHOULD, I would definitely object, but this is a MAY-level
> > requirement.
> >
> > I think we can close this by replacing "MAY send a dummy message on
> > a newly created SA..." with "MAY send a dummy ESP message on a newly
> > created ESP SA..." (added ESP twice, because there are no dummy
> > messages in AH), and add a normative reference to RFC 4303 - no need
> > IMO to link from the text.
>
> How about changing it to just say that "initiator can send a dummy
> message ...".
>
> And the dummy message is not necessarely only those ones described in
> the RFC4303 section 2.6, it can be anything that is suitable for the
> scenario.
>
> For example in the vpn setup where SA is set up during the autostart
> it can be simple ping packet or it can be just udp packet discard port
> whether is suitable for the environment.
>
> This text is not describing what the dummy packet is, it is just
> saying you might want to (and can) send such packet to make sure other
> end knows you have the Child SA installed properly, so they can start
> sending packets back.
>
> I do not think we really need to change anything in this text.
>
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
