Paul Hoffman writes:
> s2.4, para 2, says "The INITIAL_CONTACT notification, if sent, MUST
> be in the first IKE_AUTH request or response, not as a separate
> exchange afterwards; receiving parties MAY ignore it in other
> messages."
>
> What should receiving parties do if they *do* receive it and *don't*
> ignore it? Since it 'MUST be sent in the first IKE_AUTH' receiving
> at any other time is a protocol error and should cause some response
> (like dropping the IKE_SA perhaps).
They either need to process it or ignore it. The reason why we say it MUST be sent on the first IKE_AUTH request or response, but MAY be ignored in other messages, is because the original RFC4306 didn't have any restrictions on where the INITIAL_CONTACT notification can be sent, thus to maintain backward compatibility we still do allow it to be sent on other messages too, but implementations MAY ignore it there (the other option is to act based on it).

Failing the IKE SA because the INITIAL_CONTACT notification was sent with another message would be incorrect, as we do not say INITIAL_CONTACT MUST NOT be sent anywhere else. I.e., even when we say it MUST be somewhere, that does not directly mean it would be a protocol error to include it somewhere else, especially when we indicate that it can be ignored on other messages.

--
[email protected]
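The handling described in the reply, modelled as an added example (constructed for this thread, not code from RFC 5996 or any IKE implementation): INITIAL_CONTACT in the first IKE_AUTH is acted on, INITIAL_CONTACT in any other message is either ignored or acted on according to a local policy knob, and there is no path that fails the IKE SA. It assumes a hypothetical SA table keyed by the peer's authenticated identity, with SAs identified by integer SPIs.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Where the notification arrived (constructed labels, not wire values).
FIRST_IKE_AUTH = "first IKE_AUTH"   # where INITIAL_CONTACT MUST be, if sent
OTHER_MESSAGE = "other message"     # a later IKE_AUTH or an INFORMATIONAL message


@dataclass
class IkeSaTable:
    """Hypothetical table of IKE SAs per authenticated peer identity."""
    sas: dict = field(default_factory=lambda: defaultdict(set))
    # Policy knob for the "MAY ignore it in other messages" latitude:
    # False = ignore a late INITIAL_CONTACT, True = act on it anyway.
    act_on_late_initial_contact: bool = False

    def add_sa(self, peer_id: str, spi: int) -> None:
        self.sas[peer_id].add(spi)

    def active_sas(self, peer_id: str) -> set:
        return set(self.sas[peer_id])

    def on_initial_contact(self, peer_id: str, spi: int, exchange: str) -> str:
        """Handle INITIAL_CONTACT received on SA `spi` from `peer_id` in `exchange`.

        Returns 'processed' or 'ignored'. There is deliberately no 'failed'
        outcome: receiving the notification outside the first IKE_AUTH is not a
        protocol error, so the IKE SA carrying it always stays up.
        """
        if exchange == FIRST_IKE_AUTH or self.act_on_late_initial_contact:
            # The peer asserts this is its only IKE SA with us: delete our stale
            # SAs to that identity, keeping the one that carried the notification.
            stale = self.sas[peer_id] - {spi}
            self.sas[peer_id] -= stale
            return "processed"
        # Backward compatibility with RFC4306 senders: tolerate and ignore.
        return "ignored"
```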
