On Sep 1, 2014, at 12:01 PM, Avishek Ganguly <[email protected]> wrote:

> Thanks Yoav for your explanation.
>  
> > English is not my first language, so I’m not sure what “exclusive” means 
> > below, but I hope I can clarify anyways.
>  
> By exclusive I mean NO_PROPOSAL_CHOSEN is an error that is not generated 
> because of any DH Group mismatches in KE Payload.
>  
>  
> So it seems that INVALID_KE_PAYLOAD is an error that should be generated 
> during CREATE_CHILD_SA exchange. And NO_PROPOSAL_CHOSEN is appropriate for 
> IKE_SA_INIT. Because before IKE_SA_INIT, the responder does not know which groups 
> the initiator supports. When the responder gets an IKE_SA_INIT with an invalid DH GROUP,
> it should assume that there are some configuration issues on the initiator side.
>  

No. Both are appropriate in both exchanges.

Both CCSA and IKE_SA_INIT have SA payloads and KE payloads. Since there is no 
requirement that the new (rekeyed) IKE SA have the same algorithms and groups 
of the old IKE SA, the proposals may be different. 

Regardless of whether we are creating a new authenticated IKE SA, a Child SA 
with PFS or a rekeyed IKE SA, you could have an empty intersection of group 
sets (leading to a NO_PROPOSAL_CHOSEN) or a wrong choice of group in the KE payload 
(leading to INVALID_KE_PAYLOAD).

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
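As an added example (not part of the thread or of any IKE implementation), a responder-side decision that applies Yoav's point to both exchanges: a disjoint group set yields NO_PROPOSAL_CHOSEN, an acceptable proposal with the wrong KE group yields INVALID_KE_PAYLOAD naming the group the responder wants. Group IDs are IANA Transform Type 4 values; the responder's policy list is a constructed assumption.

```python
"""Responder-side notify selection for an SA payload plus a KE payload.

Added example, not code from the thread or from any IKE implementation.
The same function serves IKE_SA_INIT and CREATE_CHILD_SA (IKE SA rekey or
Child SA with PFS), since both exchanges carry SA and KE payloads.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

NO_PROPOSAL_CHOSEN = 14   # RFC 7296 notify message types
INVALID_KE_PAYLOAD = 17


@dataclass(frozen=True)
class Proposal:
    number: int                # proposal number from the SA payload
    dh_groups: Sequence[int]   # Transform Type 4 IDs offered in it


@dataclass(frozen=True)
class Outcome:
    notify: Optional[int]      # error notify type, None on success
    group: Optional[int]       # group chosen, or the one INVALID_KE_PAYLOAD names
    proposal: Optional[int]    # accepted proposal number, None if none chosen


def respond(proposals, ke_group, responder_groups):
    """proposals: initiator's proposals in the order sent; ke_group: group
    in the KE payload; responder_groups: accepted groups, preferred first."""
    acceptable = set(responder_groups)
    first_match = None
    for p in proposals:
        common = acceptable.intersection(p.dh_groups)
        if not common:
            continue
        if ke_group in common:
            # The initiator guessed a group both sides accept: one round trip.
            return Outcome(None, ke_group, p.number)
        if first_match is None:
            first_match = (p, common)
    if first_match is None:
        # Group sets are disjoint in every proposal: nothing can be chosen.
        return Outcome(NO_PROPOSAL_CHOSEN, None, None)
    p, common = first_match
    # A proposal is acceptable but the KE guess is not; name the group to retry.
    wanted = next(g for g in responder_groups if g in common)
    return Outcome(INVALID_KE_PAYLOAD, wanted, p.number)
```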