Hi Tero, Thanks for your valuable inputs. Please find re inputs inline. <Raj>
On Wed, Jul 8, 2009 at 1:00 AM, Tero Kivinen <kivi...@iki.fi> wrote: > Raj Singh writes: > > Your suggestion of having "critical" bit set on childless notify/VID > payload > > from initiator in IKE_SA_INIT exchange will define the bahavior as > mentioned > > below. > > That is not correct way of using critical bit. Critical bit means that > if it is set and the PAYLOAD TYPE is not understood, then > UNSUPPORTED_CRITICAL_PAYLOAD error is reported. Every implementation > will understand Notify and Vendor ID payloads, thus they will never > return UNSUPPORTED_CRITICAL_PAYLOAD regardless what the contents of > those payloads are. <Raj> I was under impression that we can have "critical" bit in childless IKE_AUTH notify/VID. Even Yaron also clarified in same thread that we need new exchange type to have "critical" bit on it. > > > > If initiator want to childless IKE_AUTH, it will send CHILDLESS_IKE_AUTH > > notify/VID payload having "critical" flag SET in IKE_SA_INIT request. > > And complient implentation will do what to do as RFC4306 says ie: > > ... MUST be ignored by the recipient if the recipient > understands the payload type code. MUST be set to zero for > payload types defined in this document. Note that the critical > bit applies to the current payload rather than the "next" > payload whose type code appears in the first octet. The > reasoning behind not setting the critical bit for payloads > defined in this document is that all implementations MUST > understand all payload types defined in this document and > therefore must ignore the Critical bit's value. Skipped payloads > are expected to have valid Next Payload and Payload Length > fields. > > The correct way to do is to make new exchange type for this new > childless IKE_SA_INIT & IKE_AUTH. That way old implenentations will > then know that they do not understand this new type and will drop the > packets. This is if you really want the property that if responder > does not understand chieldless IKE_AUTH you do not want to continue at > all. > > I have not yet read the draft, as I have been too busy with working > group drafts already, and I still do not know if this is really needed > at all... <Raj> If we can't have "critical" bit inside associated data of childless notify/VID, then new exchange type is a near possibility. Please have a look at the use cases in the draft for need of this draft. > > -- > kivi...@iki.fi > With Regards, Raj
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
