Re: [IPsec] WG Last Call: draft-ietf-ipsecme-ikev2-redirect-08

2009-04-28 Thread Pasi.Eronen
not wearing any hats 1) The new versions since the previous WGLC introduced a number of additional steps (e.g. nonce payload, clarifying PAD etc.) to the redirection process, but currently these are spread over the whole document, or in some cases, partly missing (e.g. the document never says

Re: [IPsec] Issue #36: Interaction of IKE_SA_INIT retransmissions with specific notifies

2009-04-28 Thread Pasi.Eronen
Yaron Sheffer wrote: {{ Clarif-2.3 }} Retransmissions of the IKE_SA_INIT request require some special handling. When a responder receives an IKE_SA_INIT request, it has to determine whether the packet is a retransmission belonging to an existing 'half-open' IKE_SA (in which case the responder

Re: [IPsec] Issue #54: PFKEY: categorization

2009-04-28 Thread Pasi.Eronen
Yaron Sheffer wrote: Yaron: 2.9: I believe it is more appropriate to describe PFKEY as an API, rather than protocol. Paul: Not done, for the list. I agree that API would be clearer here. Best regards, Pasi

Re: [IPsec] Issue #79: Remove CP from Create_Child_SA ?

2009-04-28 Thread Pasi.Eronen
Yaron Sheffer wrote: Yoav: Patricia noted in a post to the IPsec mailing list (12/12/2008) that section 2.19 says that request for such a temporary address can be included in any request to create a CHILD_SA (including the implicit request in message 3) by including a CP payload. IMO the

Re: [IPsec] Issue #43: Validity period of addresses obtained with config payload

2009-04-28 Thread Pasi.Eronen
Yaron Sheffer wrote: [Sec. 3.15.1:]   Tero:   The text 'The requested address is valid until there are no IKE_SAs between the peers.' is incorrect, it most likely should say 'The requested address is valid as long as this IKE SA (or its rekeyed successors) requesting the address is

Re: [IPsec] Reopening issue #12

2009-04-28 Thread Pasi.Eronen
Tero Kivinen wrote: Paul Hoffman writes: It was pointed out that (a) this is a new MUST and Yes, but it can mostly be already deducted from the requirement that an end node cannot violate its own policy, meaning it needs to delete Child SAs which are not following its policy. If that is

[IPsec] Comments to draft-ietf-ipsecme-ikev2-redirect-08

2009-04-28 Thread Tero Kivinen
Section 3 says: The gateway MUST include the nonce data from the Ni payload sent by the initiator in the REDIRECT payload. This prevents certain Denial- but the figures showing how redirect is done do not include Ni data in the N(REDIRECT, IP_R). Also, as the GW identity can also be an FQDN, it