Think I have discovered a small inconsistency in RFC 7296 with regards to the actions a node shall take if it received ESP packets with an unknown SPI. In section 1.5 it’s stated:
“In the first case, if the receiving node has an active IKE SA to the IP address from whence the packet came, it MAY send an INVALID_SPI notification of the wayward packet over that IKE SA in an INFORMATIONAL exchange.”

The words “In the first case” refer to a case where the node received an ESP packet with an unknown SPI. Thus in this case it’s a MAY statement to initiate the INFORMATIONAL exchange. In section 2.21.4 it’s stated:

“If an error occurs outside the context of an IKE request (e.g., the node is getting ESP messages on a nonexistent SPI), the node SHOULD initiate an INFORMATIONAL exchange with a Notify payload describing the problem.”

So in this case it’s a SHOULD statement to initiate the INFORMATIONAL exchange. To me these statements are a bit confusing: is it a SHOULD or a MAY to initiate an INFORMATIONAL exchange when receiving ESP packets with an unknown SPI (assuming an IKE SA is established)? In my humble opinion section 2.21.4 should be updated to say MAY, but I might have missed something 😊
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
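The receiver-side behaviour the post is asking about, as an added example that is not part of the original mailing-list message and not code from any IKEv2 implementation: on an inbound ESP packet, look the SPI up in the inbound SAD; if it is unknown, send an INVALID_SPI Notify only when an IKE SA to the packet's source address already exists (the condition both quoted sections share), and otherwise drop the packet silently. The Notify payload layout (next payload, critical bit, length, Protocol ID = 3 for ESP, SPI size, Notify Message Type = 11, SPI) follows the Notify payload format in RFC 7296 section 3.10; the SAD and IKE SA tables, the addresses and the SPIs are constructed sample data, and whether the policy is treated as MAY or SHOULD is left as a flag because the thread has not settled it.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constants from RFC 7296 section 3.10 / 3.10.1.
PROTO_ESP = 3              # Protocol ID for ESP in a Notify payload
NOTIFY_INVALID_SPI = 11    # Notify Message Type INVALID_SPI
NEXT_PAYLOAD_NONE = 0      # no further payload after this one
# Notify header: Next Payload, C/reserved, Payload Length, Protocol ID, SPI Size, Notify Type
NOTIFY_HDR = struct.Struct("!BBHBBH")


def build_invalid_spi_notify(spi: int, proto: int = PROTO_ESP) -> bytes:
    """Encode a Notify(INVALID_SPI) payload carrying the unrecognised 4-octet SPI."""
    spi_bytes = struct.pack("!I", spi)
    length = NOTIFY_HDR.size + len(spi_bytes)
    hdr = NOTIFY_HDR.pack(NEXT_PAYLOAD_NONE, 0, length, proto,
                          len(spi_bytes), NOTIFY_INVALID_SPI)
    return hdr + spi_bytes


def parse_notify(buf: bytes) -> dict:
    """Decode a Notify payload; rejects a length field that disagrees with the buffer."""
    if len(buf) < NOTIFY_HDR.size:
        raise ValueError("truncated Notify payload")
    next_pl, flags, length, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(buf)
    if length != len(buf):
        raise ValueError("Notify payload length mismatch")
    spi_end = NOTIFY_HDR.size + spi_size
    if spi_end > len(buf):
        raise ValueError("SPI Size exceeds payload")
    spi_field = buf[NOTIFY_HDR.size:spi_end]
    return {
        "next_payload": next_pl,
        "critical": bool(flags & 0x80),   # C bit is the high bit of the second octet
        "protocol_id": proto,
        "notify_type": ntype,
        "spi": int.from_bytes(spi_field, "big") if spi_size else None,
        "data": buf[spi_end:],
    }


@dataclass(frozen=True)
class InboundEsp:
    src_ip: str   # outer IP source of the ESP packet
    spi: int      # SPI from the ESP header


def handle_inbound_esp(pkt: InboundEsp,
                       inbound_sad: Set[int],
                       ike_sas: Dict[str, str],
                       send_invalid_spi: bool = True) -> Tuple[str, Optional[bytes]]:
    """Decide what to do with an ESP packet.

    Returns ("deliver", None) for a known SPI; for an unknown SPI returns
    ("notify", payload) only when an IKE SA to pkt.src_ip exists and the local
    policy (send_invalid_spi, the MAY/SHOULD knob) says to report it, else
    ("drop", None). The Notify is never sent outside an existing IKE SA.
    """
    if pkt.spi in inbound_sad:
        return ("deliver", None)
    if send_invalid_spi and pkt.src_ip in ike_sas:
        return ("notify", build_invalid_spi_notify(pkt.spi))
    return ("drop", None)


# Constructed sample state: one inbound Child SA and one IKE SA to 198.51.100.7.
SAMPLE_SAD: Set[int] = {0xC0FFEE01}
SAMPLE_IKE_SAS: Dict[str, str] = {"198.51.100.7": "ike-sa-1"}

if __name__ == "__main__":
    for pkt in (InboundEsp("198.51.100.7", 0xC0FFEE01),
                InboundEsp("198.51.100.7", 0xDEADBEEF),
                InboundEsp("203.0.113.9", 0xDEADBEEF)):
        action, payload = handle_inbound_esp(pkt, SAMPLE_SAD, SAMPLE_IKE_SAS)
        print(pkt, action, payload.hex() if payload else None)
```

The payload returned for the "notify" case is what an implementation would place in an INFORMATIONAL request on the matching IKE SA; the example stops at building it, since the surrounding IKE header, encryption and message ID handling are outside the point under discussion.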
