On Fri, 15 Jan 2016, Yaron Sheffer wrote:
Sec. 2.6: When a responder detects a large number of half-open IKE SAs, it SHOULD reply to IKE_SA_INIT requests with a response containing the COOKIE notification. The data associated with this notification MUST be between 1 and 64 octets in length (inclusive), and its generation is described later in this section.
Wow you are right. I searched multiple times and missed it. Clearly it should not have been thrown in as an afterthought for "When a responder detects a large number of ....". :(

Okay, I'll update the blog post and our code :P

Paul
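As an added example (not part of the thread and not code from any IKE implementation), here is a minimal Python check that a received COOKIE notification carries between 1 and 64 octets of data, as the quoted Sec. 2.6 text requires. The Notify payload layout and the COOKIE type value 16390 are taken from RFC 7296; the function names and the sample payloads are constructed for illustration.

```python
import struct

COOKIE = 16390                    # Notify Message Type for COOKIE (RFC 7296)
COOKIE_MIN, COOKIE_MAX = 1, 64    # octets, inclusive, per the quoted Sec. 2.6 text
NOTIFY_HDR = struct.Struct("!BBHBBH")  # next, flags, length, proto id, SPI size, type


def parse_notify(payload: bytes):
    """Parse one IKEv2 Notify payload, generic payload header included.

    Returns (notify_type, spi, data); raises ValueError on malformed input.
    """
    if len(payload) < NOTIFY_HDR.size:
        raise ValueError("Notify payload shorter than its 8-octet fixed part")
    _next, _flags, length, _proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("Payload Length field does not match the buffer")
    if NOTIFY_HDR.size + spi_size > length:
        raise ValueError("SPI Size runs past the end of the payload")
    spi = payload[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    data = payload[NOTIFY_HDR.size + spi_size:]
    return ntype, spi, data


def extract_cookie(payload: bytes) -> bytes:
    """Return the cookie from a COOKIE notification, enforcing the 1..64 limit."""
    ntype, _spi, data = parse_notify(payload)
    if ntype != COOKIE:
        raise ValueError(f"not a COOKIE notification (type {ntype})")
    if not COOKIE_MIN <= len(data) <= COOKIE_MAX:
        raise ValueError(f"COOKIE data is {len(data)} octets, must be 1..64")
    return data


def build_notify(ntype: int, data: bytes) -> bytes:
    """Constructed test helper: Notify payload with no SPI and Protocol ID 0."""
    return NOTIFY_HDR.pack(0, 0, NOTIFY_HDR.size + len(data), 0, 0, ntype) + data


if __name__ == "__main__":
    # Constructed samples: boundary lengths on both sides of the limit.
    for n in (0, 1, 64, 65):
        try:
            extract_cookie(build_notify(COOKIE, b"\xaa" * n))
            print(n, "accepted")
        except ValueError as exc:
            print(n, "rejected:", exc)
```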
