> IKE is a reliable protocol, in the sense that the initiator MUST
> retransmit a request until either it receives a corresponding reply
> OR it deems the IKE security association to have failed and it
> discards all state associated with the IKE_SA and any CHILD_SAs
> negotiated using that IKE_SA.
>
> {{ Clarif-2.3 }} Retransmissions of the IKE_SA_INIT request require
> some special handling. When a responder receives an IKE_SA_INIT
> request, it has to determine whether the packet is a retransmission
> belonging to an existing 'half-open' IKE_SA (in which case the
> responder retransmits the same response), or a new request (in which
> case the responder creates a new IKE_SA and sends a fresh response),
> or it belongs to an existing IKE_SA where the IKE_AUTH request has
> already been received (in which case the responder ignores it).

Tero: There is also the case of the invalid KE and cookie notifies, i.e. we need to add a comment about those too:

    ... or it belongs to an existing IKE_SA where the IKE_AUTH request has
    already been received (in which case the responder ignores it), or it is
    an INVALID_KE_PAYLOAD or COOKIE notify response to the IKE_SA_INIT
    request.

Paul: Not done. This is interesting, but should be discussed on the list.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
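The responder decision described in the quoted Clarif-2.3 text, extended with Tero's point that a stateless COOKIE or INVALID_KE_PAYLOAD reply leaves no half-open IKE_SA behind, as an added worked example. This is not code from the draft or from any IKE implementation: the message fields, the digest used to recognise a retransmission, the keyed-hash cookie over Ni | IPi | SPIi and the textual stand-ins for the notify payloads are assumptions of the example, and the choice to treat a same-SPI request with different contents as a fresh request is the example's, not the draft's.

```python
"""Responder-side dispatch for an incoming IKEv2 IKE_SA_INIT request.

Constructed example, not code from the draft under discussion or from any
IKE implementation. Message fields, the retransmission digest and the
cookie formula are simplifications chosen for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Action(Enum):
    NEW_SA = "new request: create half-open IKE_SA, send fresh response"
    RETRANSMIT = "retransmission for half-open IKE_SA: resend cached response"
    IGNORE = "IKE_AUTH already received on this IKE_SA: ignore"
    COOKIE = "answer with N(COOKIE), keep no state"
    INVALID_KE = "answer with N(INVALID_KE_PAYLOAD), keep no state"


@dataclass
class InitRequest:
    """The parts of an IKE_SA_INIT request this decision depends on (assumed layout)."""
    spi_i: bytes                    # initiator SPI from the IKE header
    nonce_i: bytes                  # Ni payload
    ke_group: int                   # DH group number of the KE payload
    cookie: Optional[bytes] = None  # N(COOKIE) echoed back by the initiator

    def digest(self) -> bytes:
        # A retransmission is byte-identical to the original, so a hash over
        # the fields identifies one. A real stack would hash the datagram.
        h = hashlib.sha256()
        h.update(self.spi_i)
        h.update(self.nonce_i)
        h.update(self.ke_group.to_bytes(2, "big"))
        h.update(self.cookie or b"")
        return h.digest()


@dataclass
class HalfOpenSA:
    request_digest: bytes       # recognises retransmissions of the request
    cached_response: bytes      # what to resend for a retransmission
    auth_received: bool = False


class Responder:
    def __init__(self, accepted_groups=(14,), require_cookie=False):
        self.accepted_groups = set(accepted_groups)
        self.require_cookie = require_cookie
        self.cookie_secret = os.urandom(32)  # rotated periodically in practice
        self.half_open: Dict[bytes, HalfOpenSA] = {}

    def make_cookie(self, req: InitRequest, src_addr: str) -> bytes:
        # Stateless cookie: keyed hash over Ni | IPi | SPIi, verifiable later
        # without the responder remembering anything about the request.
        mac = hmac.new(self.cookie_secret, digestmod=hashlib.sha256)
        mac.update(req.nonce_i)
        mac.update(src_addr.encode())
        mac.update(req.spi_i)
        return mac.digest()[:16]

    def handle_init(self, req: InitRequest, src_addr: str) -> Tuple[Action, bytes]:
        """Classify the request and return (action, bytes to send back)."""
        sa = self.half_open.get(req.spi_i)
        if sa is not None:
            if sa.auth_received:
                # IKE_AUTH already arrived: a late IKE_SA_INIT copy is dropped.
                return Action.IGNORE, b""
            if sa.request_digest == req.digest():
                return Action.RETRANSMIT, sa.cached_response
            # Same SPI, different contents: not a retransmission. This example
            # treats it as a new request that replaces the half-open entry.
        # No usable half-open SA, so this is a new request. The stateless
        # notifies come first; since they create no state, the initiator's
        # retry (same SPI, now with a cookie or a new KE) reaches this point
        # again and is handled as a new request, not as a retransmission.
        if self.require_cookie:
            expected = self.make_cookie(req, src_addr)
            if req.cookie is None or not hmac.compare_digest(req.cookie, expected):
                return Action.COOKIE, b"N(COOKIE)=" + expected
        if req.ke_group not in self.accepted_groups:
            wanted = min(self.accepted_groups).to_bytes(2, "big")
            return Action.INVALID_KE, b"N(INVALID_KE_PAYLOAD)=" + wanted
        # Stand-in for the real response (SPIr, SAr1, KEr, Nr); cached so a
        # retransmitted request gets exactly the same bytes back.
        response = b"IKE_SA_INIT response for SPIi " + req.spi_i.hex().encode()
        self.half_open[req.spi_i] = HalfOpenSA(req.digest(), response)
        return Action.NEW_SA, response

    def handle_auth(self, spi_i: bytes) -> bool:
        """Record that an IKE_AUTH request arrived for this IKE_SA."""
        sa = self.half_open.get(spi_i)
        if sa is None:
            return False
        sa.auth_received = True
        return True


def cookie_from_notify(reply: bytes) -> bytes:
    """Extract the cookie the initiator must echo from an N(COOKIE) reply."""
    prefix = b"N(COOKIE)="
    if not reply.startswith(prefix):
        raise ValueError("not an N(COOKIE) reply")
    return reply[len(prefix):]
```

Running the exchange in order shows the four outcomes: a first request to a cookie-requiring responder gets COOKIE and leaves `half_open` empty, the retry carrying the cookie gets NEW_SA, an identical copy of that retry gets RETRANSMIT with the cached bytes, and after `handle_auth` a further copy is IGNOREd. A cookie replayed from another source address is refused again without creating state, which is the point of binding it to IPi.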