Keith Welter writes:
I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
either.
I do consider INVALID_SYNTAX fatal error, meaning the IKE SA will be
deleted immediately after sending that response containing
INVALID_SYNTAX and if I receive INVALID_SYNTAX notification I will
Keith Welter writes:
In this case, the INVALID_SYNTAX could relate to the SA, TSi or TSr
payload in the
IKE_AUTH response which would would mean that creation of the CHILD SA
failed,
not the IKE SA. I think INVALID_SYNTAX is ambiguous here without an
explicit delete
payload for
On Sep 7, 2009, at 3:48 PM, Tero Kivinen wrote:
Keith Welter writes:
I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
either.
I do consider INVALID_SYNTAX fatal error, meaning the IKE SA will be
deleted immediately after sending that response containing
INVALID_SYNTAX
Yoav Nir writes:
OK. Let's try this again. Is this acceptable?
2.21. Error Handling
There are many kinds of errors that can occur during IKE processing.
If a request is received that is badly formatted, or unacceptable
for
reasons of policy (e.g., no matching cryptographic
Yoav Nir writes:
I wish that were true, but here's what the draft says about
INVALID_SYNTAX
INVALID_SYNTAX7
Indicates the IKE message that was received was invalid because
some type, length, or value was out of range or because the
Yoav Nir writes:
I think MAY is better than SHOULD there, or even forbidding this
completely.
As said before I do not know any implementation which does this now,
and there is also problem that there is no way to correlate the
INFORMATIONAL exchange to the exchange which caused this