On Thu, 2009-03-12 at 11:14 +0100, pasi.ero...@nokia.com wrote:
> Joy Latten wrote:
> >
> > > I think Tero's proposal about just noting this fact (i.e. not
> > > changing how this works) would be OK and sufficient.
> >
> > I could be missing something, but RFC4301, section 4.1 allows
> > implementations to use the SPI in conjunction with the IPsec protocol
> > for SA identification. So, if someone is in that latter case, wouldn't
> > they have a problem?
>
> Well... depends on whether the recipient of the notification actually
> uses the SPI value for something (other than possibly debugging/logging).
>
> The "INVALID_SPI" notification basically means "I've rebooted, or our
> understanding of IPsec/IKEv2 state is otherwise screwed up". If this
> was an unprotected one-way notification, the recipient would treat it as a
> hint that things might be wrong, and initiate a liveness test for the
> IKE_SA. If it was a protected notification, it probably means an
> implementation bug somewhere, and a possible action would be to create
> a new IKE_SA (and new CHILD_SAs) from scratch. In neither case does the
> recipient really need the SPI value for anything.
>

Ah, ok, that is true. That makes sense. Thanks for explaining.
regards,
Joy

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
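As an added illustration (not code from the thread or from any IKEv2 implementation), the following parses an IKEv2 Notify payload per the RFC 7296 section 3.10 layout and applies the responder behaviour Pasi describes: an unprotected INVALID_SPI is only a hint that triggers a liveness check, a protected one points to an implementation bug and a fresh IKE_SA, and in both cases the carried SPI is used for nothing beyond logging. The sample payload bytes are constructed; INVALID_SPI = 11 is the RFC 7296 notify type.

```python
import struct
from dataclasses import dataclass

INVALID_SPI = 11  # Notify Message Type, RFC 7296 section 3.10.1
PROTO_NAMES = {1: "IKE", 2: "AH", 3: "ESP"}


@dataclass
class Notify:
    protocol_id: int
    msg_type: int
    spi: bytes
    data: bytes


def parse_notify(payload: bytes) -> Notify:
    """Parse one Notify payload, generic payload header included.

    Layout: Next Payload(1) | C+Reserved(1) | Payload Length(2) |
            Protocol ID(1) | SPI Size(1) | Notify Message Type(2) |
            SPI (SPI Size bytes) | Notification Data.
    """
    if len(payload) < 8:
        raise ValueError("Notify payload shorter than fixed header")
    _nxt, _crit, length, proto, spi_size, msg_type = struct.unpack(
        "!BBHBBH", payload[:8])
    # Reject inconsistent lengths before slicing; malformed input must
    # not be able to desynchronise the rest of the message parse.
    if length != len(payload) or 8 + spi_size > length:
        raise ValueError("Notify payload length/SPI size mismatch")
    spi = payload[8:8 + spi_size]
    return Notify(proto, msg_type, spi, payload[8 + spi_size:length])


def handle_invalid_spi(n: Notify, protected: bool) -> tuple:
    """Return (action, log_line) for a received Notify.

    Unprotected notifications are unauthenticated, so they only trigger a
    liveness check of the IKE_SA; state is never torn down on their basis.
    The SPI value itself is recorded for debugging and otherwise unused.
    """
    if n.msg_type != INVALID_SPI:
        return ("ignore", "")
    log_line = "INVALID_SPI proto=%s spi=%s" % (
        PROTO_NAMES.get(n.protocol_id, n.protocol_id), n.spi.hex() or "-")
    if protected:
        return ("recreate_ike_sa", log_line)  # likely an implementation bug
    return ("liveness_check", log_line)       # unauthenticated hint only


# Constructed sample: Notify for ESP, 4-byte SPI, type INVALID_SPI.
SAMPLE = struct.pack("!BBHBBH", 0, 0, 12, 3, 4, INVALID_SPI) + b"\xde\xad\xbe\xef"
```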