Yoav Nir wrote:
Hi Raj
Matt is correct. There is no way in IKEv2 to do a phase1-only exchange, and then wait for traffic to establish the child SAs. While we do establish an IKE SA if the piggy-backed child SA failed for whatever reason (bad selectors, no proposal chosen), we don't allow for an IKE_AUTH exchange that is missing the child payloads. An IKE_AUTH request without the TSi and TSr payloads is considered malformed, and so MUST NOT be processed. Instead, you should reply with INVALID_SYNTAX.

  That really seems like a bug in the spec to me.
  I know that in my code I don't get upset about such a situation, as I
have unit test cases that were written when I didn't have child SA code
at all.  I wonder how many implementations really would get upset?
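A responder-side check for the rule stated in the quoted text (an IKE_AUTH request lacking the TSi or TSr payloads is malformed and gets INVALID_SYNTAX), written here as an added Python example; it is not from the thread or from any implementation mentioned in it. It walks the decrypted generic-payload chain of an IKE_AUTH request (the contents of the SK payload, with decryption assumed to have already happened) and returns the Notify type to send, or None when the request may be processed; payload and Notify numbers are those of RFC 7296, and the sample chains are constructed.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2)
SA, IDI, AUTH, TSI, TSR = 33, 35, 39, 44, 45
# IKEv2 Notify message type (RFC 7296, section 3.10.1)
INVALID_SYNTAX = 7


def walk_payloads(first_type, data):
    """Yield (type, body) for each payload in a decrypted IKE_AUTH chain.

    Every payload starts with a 4-byte generic header: next payload type,
    critical/reserved flags, and total payload length (header included).
    Raises ValueError when the chain is truncated or a length is out of range.
    """
    ptype, off = first_type, 0
    while ptype != 0:  # next-payload 0 marks the end of the chain
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("payload length out of range")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")


def check_ike_auth_request(first_type, data):
    """Return None if the request may be processed, else the Notify type to send.

    A chain that cannot be parsed, or that lacks TSi or TSr, is malformed:
    the request MUST NOT be processed and the reply carries INVALID_SYNTAX.
    Child SA negotiation failures with well-formed payloads (bad selectors,
    no proposal chosen) are a separate, later decision and are not made here.
    """
    try:
        types = {t for t, _ in walk_payloads(first_type, data)}
    except ValueError:
        return INVALID_SYNTAX
    if not {TSI, TSR} <= types:
        return INVALID_SYNTAX
    return None


def build_chain(payloads):
    """Encode [(type, body), ...] as a generic payload chain -> (first_type, bytes).

    Constructed test data only: the bodies are placeholders, not real payloads.
    """
    out = bytearray()
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else 0), bytes(out)
```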
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
