raj singh writes:
> The INVALID_SYNTAX notify in response to missing payload in IKE_AUTH should
> be sent encrypted using DH keys or unencrypted?

As it is clear that the other end is not following the specification, i.e.
there is a bug on the other end, there is no need to think that much
about what you should do in that case. That situation never happens in
the normal case, so use the easiest way out.

For me that is to silently destroy the IKE SA without sending any error
codes back. There are debug prints indicating the problem (but nothing
for the release build).

There is no point in thinking about what to do in situations that only
happen during interop testing events when testing against broken
implementations... Just make sure your implementation cleanly clears
the situation (i.e. does not crash, or read uninitialized buffers,
etc.) and that's it.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
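
Added example, not part of the original message and not code from any implementation mentioned in it: a bounds-checked walk over the decrypted payload chain of a non-EAP IKE_AUTH request that returns a single "drop the SA" verdict for truncated, inconsistent or incomplete input, so the caller can tear the IKE SA down without sending a notify. The function name, verdict names and sample bytes are assumptions made for illustration; padding is assumed to be already stripped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IKEv2 payload type numbers (RFC 7296, section 3.2). */
enum { PL_NONE = 0, PL_SA = 33, PL_IDI = 35, PL_AUTH = 39, PL_TSI = 44, PL_TSR = 45 };
#define BIT(t) (1ULL << ((t) - 33))

/* Hypothetical verdict names, not taken from any real implementation. */
enum verdict { AUTH_REQ_OK = 0, AUTH_REQ_DROP_SA = 1 };
/* Walk the decrypted payload chain of an IKE_AUTH request. `first` is the
 * Next Payload field of the Encrypted payload; padding is assumed stripped. */
enum verdict check_ike_auth_request(const uint8_t *buf, size_t len, uint8_t first)
{
    const uint64_t need = BIT(PL_SA) | BIT(PL_IDI) | BIT(PL_AUTH) |
                          BIT(PL_TSI) | BIT(PL_TSR);
    uint64_t seen = 0;   /* one bit per payload type 33..96 */
    size_t off = 0;      /* invariant: off <= len */
    for (uint8_t type = first; type != PL_NONE; ) {
        if (len - off < 4)
            return AUTH_REQ_DROP_SA;      /* generic header truncated */
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < 4 || plen > len - off)
            return AUTH_REQ_DROP_SA;      /* length field exceeds the buffer */
        if (type >= 33 && type <= 96)
            seen |= BIT(type);
        type = buf[off];                  /* Next Payload of this payload */
        off += plen;
    }
    if (off != len || (seen & need) != need)
        return AUTH_REQ_DROP_SA;          /* trailing bytes or missing payload */
    return AUTH_REQ_OK;
}

/* Constructed sample: IDi, AUTH, SA, TSi, TSr with 4-byte dummy bodies.
 * Starting 8 bytes in simulates a peer that omitted IDi. */
static const uint8_t good_req[40] = {
    39, 0, 0, 8, 0, 0, 0, 0,   33, 0, 0, 8, 0, 0, 0, 0,
    44, 0, 0, 8, 0, 0, 0, 0,   45, 0, 0, 8, 0, 0, 0, 0,
     0, 0, 0, 8, 0, 0, 0, 0,
};

int main(void)
{
    printf("complete: %d, IDi missing: %d, truncated: %d\n",
           check_ike_auth_request(good_req, 40, PL_IDI),
           check_ike_auth_request(good_req + 8, 32, PL_AUTH),
           check_ike_auth_request(good_req, 38, PL_IDI));
    return 0;
}
```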
