Hi Pasi,

On 5/28/09 10:38 AM, "pasi.ero...@nokia.com" wrote:

> Vijay Devarapalli wrote:
> 
>> In the redirect-during-IKE_AUTH cases, the only time the IKEv2 SA is
>> not valid is when EAP is used and the redirect is done based on the
>> unauthenticated ID. In all other cases, the IKEv2 SA is valid and
>> should be torn down with an INFORMATIONAL exchange.
>> 
>> IMHO, this is clear enough and is captured in the current draft.
> 
> Well.. I'm a bit skeptical about it being clear to folks who didn't
> participate in writing this draft.

I would be worried if that is the case. But, IMO, the draft currently
clearly describes when the IKEv2 SA is valid and when it needs to be
explicitly deleted.

> And having these two cases is more
> complex than having just one (IKE_SA is not used for any more
> exchanges). What benefits does this additional complexity (both
> in spec and in implementation) get us?
> 
> If nothing, let's just remove it....

When the AUTH payloads are exchanged and verified, the IKEv2 SA is valid.
This seems straightforward. We are not doing anything out of the ordinary
here by not invalidating the IKEv2 SA just because the gateway sent the
REDIRECT payload to the client.

I can imagine extensions tomorrow that would let the client convey
additional information using the IKEv2 SA to the gateway, after the gateway
had sent a REDIRECT payload to the client.

Vijay

> 
> Best regards,
> Pasi 
> 
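The two cases described above, modelled as a client-side handler; this is an added illustration, not code from the redirect draft or from any IKEv2 implementation. The payload names, the flat list-of-strings message shape and the action strings are constructed for the illustration; the only rule encoded is the one stated in the thread: after REDIRECT in IKE_AUTH, the IKE SA is invalid only when EAP is in use and the gateway redirected on the still unauthenticated client ID, otherwise it is a valid SA that must be removed with an INFORMATIONAL exchange.

```python
"""Client-side handling of an IKEv2 REDIRECT received during IKE_AUTH.

Added example, not the draft's or any implementation's code. Messages are
modelled as lists of payload names (constructed for illustration).
"""
from dataclasses import dataclass


@dataclass
class ClientState:
    eap_in_progress: bool = False   # gateway started EAP; client not yet authenticated
    sa_established: bool = False    # both AUTH payloads exchanged and verified


def on_ike_auth_response(state: ClientState, payloads: list[str]) -> list[str]:
    """Process one IKE_AUTH response; return the actions the client takes."""
    actions = []
    if "AUTH" in payloads:
        # Assumption for the illustration: AUTH verification succeeds.
        actions.append("verify gateway AUTH")
    if "EAP" in payloads:
        # Gateway authenticated itself, but the client's ID is still unauthenticated.
        state.eap_in_progress = True
    elif "AUTH" in payloads:
        # Final AUTH (no EAP pending): the IKE SA is now fully established.
        state.eap_in_progress = False
        state.sa_established = True
    if "N(REDIRECT)" not in payloads:
        actions.append("continue EAP" if "EAP" in payloads else "IKE SA up")
        return actions
    if state.sa_established:
        # Valid IKE SA: it must be torn down explicitly before moving on.
        actions.append("send INFORMATIONAL with DELETE(IKE SA)")
        state.sa_established = False
    elif state.eap_in_progress:
        # Redirect based on the unauthenticated ID: no valid SA exists to delete.
        actions.append("discard half-open IKE SA")
    else:
        # Assumption: REDIRECT with neither EAP nor an established SA is an error.
        raise ValueError("REDIRECT without AUTH or EAP is a protocol error")
    actions.append("start IKE_SA_INIT with redirect target")
    return actions


def run_flow(responses: list[list[str]]) -> list[list[str]]:
    """Feed a constructed sequence of IKE_AUTH responses to a fresh client."""
    state = ClientState()
    return [on_ike_auth_response(state, r) for r in responses]
```

A client that skips the DELETE in the established-SA case leaves a dangling IKE SA on the gateway until its timers fire, which is the cost the thread's "valid SA must be torn down" rule avoids.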

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec