Hi. It's true that the standard is more geared to full implementations than those minimal implementations, but in this case there really is no solution.
The minimal implementation can delete the IKE SA that was created and start fresh with a single pair. But since the responder is also not fully-functional - it cannot handle complex selectors - there is no way that you can get to a state where you cover all the selectors in the initiator's policy. The responder requires multiple SAs, while the initiator requires just one for the same policy. On Apr 22, 2010, at 3:42 PM, V Jyothi-B22245 wrote: > Hi, > > I find an issue in case of minimal implementations. > Minimal implementations may not support CREATE_CHILD_SA exchanges, CHILD > SA gets created as part of AUTH exchange. > > In this case, if the responder sends SINGLE_PAIR_REQUIRED, minimal > implementations cannot start CREATE_CHILD_SA exchange and minimal > implementation should not establish IKE SA because CHILD SA is not yet > established and it may not be right solution to maintain the > SINGLE_PAIR_REQUIRED notify reception information to use it in new IKEv2 > exchange. > Instead initiator can try sending AUTH request with single traffic > selectors. > > Thanks > Jyothi > > > -----Original Message----- > From: Tero Kivinen [mailto:[email protected]] > Sent: Thursday, April 22, 2010 4:39 PM > To: V Jyothi-B22245 > Cc: [email protected] > Subject: Re: [IPsec] I-D ACTION:draft-ietf-ipsecme-ikev2bis-10.txt > > V Jyothi-B22245 writes: >> Hi, >> >> In section 2.9. Traffic Selector Negotiation, >> >> The SINGLE_PAIR_REQUIRED error indicates that a CREATE_CHILD_SA >> request is unacceptable because its sender is only willing to > accept >> traffic selectors specifying a single pair of addresses. The >> requestor is expected to respond by requesting an SA for only the >> specific traffic it is trying to forward. >> >> Above paragraph gives the clarity of what action to take when >> SINGLE_PAIR_REQUIRED notify type received in case of CREATE_CHILD_SA >> exchanges. >> >> Suppose if the SINGLE_PAIR_REQUIRED notify type is received in AUTH >> response, how initiator should act upon it? >> Can initiator resend AUTH request with different TSi and TSr payloads >> or it should establish IKE SA and then start CREATE_CHILD_SA exchange? > > It will establish IKE SA even when the Child SA creation failed. > > What it does next depends on the implementation. Normal implementation > will simply do CREATE_CHILD_SA with better traffic selectors, and create > Child SA that way. Some implementation might simply mark the specific > rule so that it requires exact traffic selectors, and wait for next > packet hitting that rule before starting CREATE_CHILD_SA (this is needed > if the first Child SA creation in the IKE_AUTH was done because of > auto-start rule, i.e. there is no traffic yet, thus the initiator does > not know the exact traffic selectors). > -- > [email protected] > > _______________________________________________ > IPsec mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/ipsec > > Scanned by Check Point Total Security Gateway. _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
