Vijay Devarapalli writes:
> The draft currently requires the client to delete the SA once it
> receives the REDIRECT message from the gateway. I do not want the
> gateway to delete the SA right away. The gateway should allow the
> client to set up the necessary security associations with the new
> gateway before deleting the SA with the existing gateway, if that is
> what the client wants to do. The current text is to handle the case
> where for some reason the gateway does not receive the DELETE payload
> from the client. Note that this shouldn't happen normally. The gateway
> garbage collects the SA after a certain time period. I don't think the
> gateway needs to send a DELETE payload at this point.

I disagree with that. If the gateway decides to delete the IKE SA, it
needs to send a DELETE payload in that case. The only case where you do
not send a DELETE payload is when you delete the IKE SA because some
exchange over the IKE SA timed out (i.e. the other end didn't respond).
In that timeout case there is no point in sending a DELETE payload, as
most likely it will not reach the other end any better than the original
exchange, and thus it will also time out.

In this redirect case the client might just be slow, or it might be
that the gateway the client was redirected to does not respond, and the
client does not delete the old IKE SA before it gets the new one up and
running.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
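The two gateway behaviours argued about above (silently garbage-collecting the old IKE SA after REDIRECT versus sending a DELETE payload for it first) can be compared in a small event model. The following is an added example written for this page; it is not code from the draft, from either poster, or from any IKEv2 implementation. The timer values (GC_GRACE, NEW_SA_SETUP, CLIENT_RETRANSMIT_LIMIT), the scenario parameters and the event names are assumptions made for the model. It measures how long the client is left holding an IKE SA that the old gateway has already discarded, in exactly the two cases Tero names: a slow client, and a new gateway that never answers.

```python
"""Event model of the IKEv2 REDIRECT case from the thread (added example)."""
import heapq

# Assumed timer values in simulated seconds; not taken from any specification.
GC_GRACE = 30                 # old gateway keeps the SA this long after REDIRECT
NEW_SA_SETUP = 5              # IKE_SA_INIT + IKE_AUTH time with a responsive gateway
CLIENT_RETRANSMIT_LIMIT = 45  # client gives up on a non-responding peer after this


def simulate(client_delay, new_gw_responsive, gw_sends_delete):
    """Run one redirect scenario and report whether the client is left with a
    dangling IKE SA (one it still considers alive after the old gateway GW1
    has discarded it).

    client_delay:      seconds the client waits before contacting the new gateway GW2
    new_gw_responsive: whether GW2 answers at all
    gw_sends_delete:   True  = GW1 sends DELETE before discarding the old SA
                       False = GW1 garbage-collects it silently
    """
    log = []
    gw1_sas = {"SA1"}        # GW1's view of the IKE SA with the client
    client_sas = {"SA1"}     # client's view
    events = []              # heap of (time, seq, action); seq keeps ordering stable
    seq = 0
    dangling_since = None    # time at which GW1 dropped SA1 while client still held it
    dangling_total = 0

    def schedule(t, action):
        nonlocal seq
        heapq.heappush(events, (t, seq, action))
        seq += 1

    def gw1_drop(t, why):
        nonlocal dangling_since
        gw1_sas.discard("SA1")
        log.append((t, why))
        if "SA1" in client_sas:
            dangling_since = t

    def client_drop(t, why):
        nonlocal dangling_since, dangling_total
        client_sas.discard("SA1")
        log.append((t, why))
        if dangling_since is not None:
            dangling_total += t - dangling_since
            dangling_since = None

    schedule(0, "gw1_redirect")
    now = 0
    while events:
        now, _, action = heapq.heappop(events)
        if action == "gw1_redirect":
            log.append((now, "GW1 -> client: REDIRECT to GW2"))
            schedule(now + GC_GRACE, "gw1_gc")
            schedule(now + client_delay, "client_init_new")
        elif action == "client_init_new":
            log.append((now, "client -> GW2: IKE_SA_INIT"))
            if new_gw_responsive:
                schedule(now + NEW_SA_SETUP, "client_new_sa_up")
            else:
                schedule(now + CLIENT_RETRANSMIT_LIMIT, "client_new_sa_failed")
        elif action == "client_new_sa_up":
            client_sas.add("SA2")
            log.append((now, "client: SA2 with GW2 established"))
            if "SA1" in client_sas:          # client deletes old SA only now
                client_drop(now, "client -> GW1: DELETE SA1")
                schedule(now, "gw1_recv_delete")
        elif action == "gw1_recv_delete":
            if "SA1" in gw1_sas:
                gw1_drop(now, "GW1: SA1 deleted at client's request")
        elif action == "client_new_sa_failed":
            log.append((now, "client: GW2 never answered, keeps using SA1"))
        elif action == "gw1_gc":
            if "SA1" in gw1_sas:             # client's DELETE never arrived
                if gw_sends_delete:
                    gw1_drop(now, "GW1 -> client: DELETE SA1, then discard")
                    schedule(now, "client_recv_delete")
                else:
                    gw1_drop(now, "GW1: SA1 garbage-collected silently")
        elif action == "client_recv_delete":
            if "SA1" in client_sas:
                client_drop(now, "client: SA1 gone, must renegotiate")

    still_dangling = dangling_since is not None
    if still_dangling:
        dangling_total += now - dangling_since
    return {"log": log, "dangling_seconds": dangling_total,
            "dangling_at_end": still_dangling,
            "client_sas": client_sas, "gw1_sas": gw1_sas}


if __name__ == "__main__":
    for delay, up, delete in [(40, True, False), (40, True, True),
                              (0, False, False), (0, False, True)]:
        r = simulate(delay, up, delete)
        print(f"delay={delay} gw2_up={up} delete={delete}: "
              f"dangling {r['dangling_seconds']}s, at end: {r['dangling_at_end']}")
        for t, line in r["log"]:
            print(f"  t={t:>3}  {line}")
```

With silent garbage collection the slow client sends ESP into a dead SA for the 15 simulated seconds between GW1's GC and its own DELETE, and the client whose new gateway never answers is still holding SA1 when the run ends; with a DELETE from GW1 both windows are zero because the client learns of the deletion the moment it happens. The normal case (fast client, responsive GW2) is identical under both policies, which is why the difference only shows up in the failure modes.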