Hi Valery,

I agree that generally retransmits are not useful or needed with TCP encapsulation. But as I see it, retransmits might actually be required in some situations. If the client sends e.g. a CREATE_CHILD_SA request but the TCP connection is closed or gets unusable for some reason before the server's response is received, the client has to reestablish the TCP connection. And the only way to do this (with window size 1, so no DPD or MOBIKE update can be sent) is to send a retransmit of the already sent message (otherwise the server might not know which TCP connection to use to send the CREATE_CHILD_SA response - I guess ESP packets could be used for that too, if there are any and there is a way to get notified in userland).

On the other hand, RFC 8229 explicitly says that a responder should not consider retransmitted messages when deciding which TCP connections should be used... so I guess there is no way to recover properly if the TCP connection is severed mid-exchange (e.g. because a NAT device is rebooted or the client device roams between networks).
Regards,
Tobias

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
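As an added illustration of the scenario described in the message above (a constructed model, not code from the message author or from any IKE implementation): a toy responder that binds each IKE SA to the TCP connection on which it last received a non-retransmitted IKE message, following the RFC 8229 guidance quoted in the message, and a replay of the severed-connection case. The class and function names, the `update_on_retransmit` switch used for comparison, and the assumption that an ESP packet arriving inside the TCP stream rebinds the SA to that connection are all assumptions of this model, not behaviour taken from the RFC or the message.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class TcpConn:
    """One TCP-encapsulation connection as seen from the responder (constructed model)."""
    conn_id: int
    alive: bool = True
    # IKE messages the responder wrote to this connection, i.e. what the peer could read
    sent: List[Tuple[str, int]] = field(default_factory=list)


@dataclass
class IkeSa:
    spi: str
    active_conn: Optional[TcpConn] = None
    answered_ids: Set[int] = field(default_factory=set)   # request IDs already answered


class Responder:
    """Minimal responder tracking which TCP connection each IKE SA should be answered on."""

    def __init__(self, update_on_retransmit: bool):
        # False models the RFC 8229 guidance quoted in the message: a retransmitted
        # request does not change the connection associated with the SA.
        # True is a hypothetical variant included only for comparison.
        self.update_on_retransmit = update_on_retransmit

    def on_ike_request(self, sa: IkeSa, conn: TcpConn, msg_id: int) -> bool:
        """Handle a request; return True if the response was written to a live connection."""
        is_retransmit = msg_id in sa.answered_ids
        if not is_retransmit:
            sa.answered_ids.add(msg_id)
            sa.active_conn = conn          # a fresh request binds the SA to its connection
        elif self.update_on_retransmit:
            sa.active_conn = conn          # hypothetical non-RFC behaviour
        return self._respond(sa, msg_id)

    def on_esp_packet(self, sa: IkeSa, conn: TcpConn) -> None:
        """ESP inside the TCP stream is not a retransmission; assumption: it rebinds the SA."""
        sa.active_conn = conn

    def _respond(self, sa: IkeSa, msg_id: int) -> bool:
        target = sa.active_conn
        if target is None or not target.alive:
            return False                   # written to a dead connection: lost
        target.sent.append(("CREATE_CHILD_SA_RESPONSE", msg_id))
        return True


def severed_mid_exchange(update_on_retransmit: bool, esp_before_retransmit: bool) -> bool:
    """Replay the message's scenario; return True if the client ends up with the response."""
    responder = Responder(update_on_retransmit)
    sa = IkeSa("spi-constructed")
    conn1 = TcpConn(1)
    msg_id = 5

    # 1. Client sends a CREATE_CHILD_SA request (message ID 5) over connection 1.
    responder.on_ike_request(sa, conn1, msg_id)

    # 2. Connection 1 is severed (NAT reboot, roaming) before the client reads the response.
    conn1.alive = False
    conn1.sent.clear()                     # nothing on that connection reached the client

    # 3. Client reopens over connection 2. With window size 1 and message 5 still
    #    outstanding it cannot send DPD or a MOBIKE update, so it can only retransmit
    #    message 5 or, if child SAs exist, send ESP on the new connection.
    conn2 = TcpConn(2)
    if esp_before_retransmit:
        responder.on_esp_packet(sa, conn2)
    responder.on_ike_request(sa, conn2, msg_id)   # the retransmit

    return ("CREATE_CHILD_SA_RESPONSE", msg_id) in conn2.sent


if __name__ == "__main__":
    print("RFC-style responder, retransmit only:", severed_mid_exchange(False, False))
    print("RFC-style responder, ESP sent first :", severed_mid_exchange(False, True))
    print("responder rebinding on retransmits  :", severed_mid_exchange(True, False))
```

Running it shows the three cases side by side: with the RFC-style rule and nothing but a retransmit on the new connection, the response is written to the dead connection and the exchange stalls; an ESP packet on the new connection first (when child SAs exist) rebinds the SA and the retransmit is answered; the hypothetical variant that rebinds on retransmits also recovers, which is the trade-off the message is pointing at.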
