On Wed, 14 Oct 2015, Hema Tripathi (hetripat) wrote:
I am trying to interpret the following excerpt from the RFC-5996.
“ The USE_TRANSPORT_MODE notification MAY be included in a request
message that also includes an SA payload requesting a Child SA. It
requests that the Child SA use transport mode rather than tunnel mode
for the SA created. If the request is accepted, the response MUST
also include a notification of type USE_TRANSPORT_MODE. If the
responder declines the request, the Child SA will be established in
tunnel mode. If this is unacceptable to the initiator, the initiator
MUST delete the SA.”
It's the last two lines in this paragraph that are not clear to me. My doubt is
regarding the following line,
"If the responder declines the request, the Child SA will be established in tunnel mode".
It uses "will be", so I'm not sure if that's a MUST or an implementation's choice. If the
responder declines the request, is the CHILD SA still established in tunnel mode?
I think the reason it uses "will be" is that the responder will first
install the IPsec SA in tunnel mode, then send its IKE_AUTH reply that
states to the initiator "no transport mode" so then the initiator "will"
have to install the SA in transport mode.
To be honest, I don't even know what our implementation currently does,
I think it might just send back NO_PROPOSAL_CHOSEN. (We don't like
parental SAs without children.)
Paul
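The negotiation the quoted RFC text describes, modelled as an added example (this is not code from the thread or from any IKEv2 implementation): the initiator attaches USE_TRANSPORT_MODE to its Child SA request, the responder either echoes it (transport mode), omits it (the SA comes up in tunnel mode) or, as Paul suggests his implementation may do, answers NO_PROPOSAL_CHOSEN so no Child SA is created. The initiator side then applies the "MUST delete the SA" rule when tunnel mode is unacceptable to it. The payloads are reduced to notification names; the `ResponderPolicy` flags and the `require_transport` parameter are assumptions of this model, not RFC fields.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Notification types named in the thread (RFC 5996 section 3.10.1).
USE_TRANSPORT_MODE = "USE_TRANSPORT_MODE"
NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"


class Mode(Enum):
    TUNNEL = "tunnel"
    TRANSPORT = "transport"


@dataclass(frozen=True)
class ChildSaRequest:
    # Notification payloads carried alongside the SA payload (constructed model).
    notifies: Tuple[str, ...] = ()


@dataclass(frozen=True)
class ChildSaResponse:
    notifies: Tuple[str, ...] = ()
    error: Optional[str] = None  # e.g. NO_PROPOSAL_CHOSEN: no Child SA is created


@dataclass(frozen=True)
class ResponderPolicy:
    # Assumed local policy knobs for the model; not protocol fields.
    allow_transport: bool
    reject_instead_of_downgrade: bool = False  # Paul's "just send NO_PROPOSAL_CHOSEN" variant


def responder_handle(req: ChildSaRequest, policy: ResponderPolicy) -> ChildSaResponse:
    """Build the responder's reply to a Child SA request."""
    if USE_TRANSPORT_MODE not in req.notifies:
        return ChildSaResponse()  # plain tunnel-mode request, nothing to echo
    if policy.allow_transport:
        # Accepting the request: the reply MUST also carry USE_TRANSPORT_MODE.
        return ChildSaResponse(notifies=(USE_TRANSPORT_MODE,))
    if policy.reject_instead_of_downgrade:
        return ChildSaResponse(error=NO_PROPOSAL_CHOSEN)
    # Declining: the notification is simply omitted; the SA comes up in tunnel mode.
    return ChildSaResponse()


def initiator_outcome(req: ChildSaRequest, resp: ChildSaResponse,
                      require_transport: bool) -> Tuple[Optional[Mode], str]:
    """Decide the resulting mode and the initiator's action.

    Returns (mode, action); mode is None when no Child SA was established.
    """
    if resp.error is not None:
        return None, "no Child SA created (%s)" % resp.error
    asked = USE_TRANSPORT_MODE in req.notifies
    echoed = USE_TRANSPORT_MODE in resp.notifies
    mode = Mode.TRANSPORT if (asked and echoed) else Mode.TUNNEL
    if asked and not echoed and require_transport:
        # Tunnel mode is unacceptable to this initiator: it MUST delete the SA.
        return mode, "delete Child SA (tunnel mode unacceptable)"
    return mode, "keep Child SA"


def negotiate(ask_transport: bool, require_transport: bool,
              policy: ResponderPolicy) -> Tuple[Optional[Mode], str]:
    """Run one request/response exchange end to end."""
    req = ChildSaRequest(notifies=(USE_TRANSPORT_MODE,) if ask_transport else ())
    resp = responder_handle(req, policy)
    return initiator_outcome(req, resp, require_transport)


if __name__ == "__main__":
    for ask, need, pol in [
        (True, False, ResponderPolicy(allow_transport=True)),
        (True, False, ResponderPolicy(allow_transport=False)),
        (True, True, ResponderPolicy(allow_transport=False)),
        (True, True, ResponderPolicy(allow_transport=False, reject_instead_of_downgrade=True)),
    ]:
        print(ask, need, pol, "->", negotiate(ask, need, pol))
```

The point worth keeping in mind when reading the RFC wording: the downgrade to tunnel mode is signalled only by the *absence* of the echoed notification, so an initiator that needs transport mode has to check the reply explicitly rather than assume its request was honoured.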
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec