Yoav Nir wrote:
> I disagree.
>
> Payloads in a particular CREATE_CHILD_SA exchange should be
> specifically related to the SA being created. The IKE_AUTH exchange
> is different, because it is used to set up everything we need to get
> an IPsec SA going.

If we were designing IKEv2 from scratch, I would agree with you. But we're not, so we're not discussing what would be the best design here, but rather whether this part of RFC 4306 is so horribly broken it absolutely needs to be changed (RFC 4306 is unambiguous that CPs are allowed in the CREATE_CHILD_SA exchange). I think it's not broken, just somewhat ugly and inelegant...

Best regards,
Pasi (not wearing any hats)

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec