On Tue, Dec 01, 2009 at 03:24:18PM +0200, Tero Kivinen wrote: > The section 1.2 says that if we get INTERNAL_ADDRESS_FAILURE then the > IKE SA stays up, but the child SA is not created. It does not say > anything what should happen on the initiator if it actually did > require address by policy.
Interactions like these show the hazards in integrating address configuration into a key exchange protocol. But since we've already thrown in with this since the days of MODE-CFG in IKEv1... > Perhaps adding following paragraph to the end of 3.15.4 would help: > ---------------------------------------------------------------------- > If the initiator does not receive the IP address(es) required by its > policy, it MAY keep the IKE SA up and retry the configuration > payload (as separate INFORMATIONAL exchange) after suitable timeout, > or it MAY also tear down the IKE SA (by sending DELETE payload > inside separate INFORMATIONAL exchange) and retry IKE SA from the > beginning after some longer timeout. The timeout should not be too > short (especially if the IKE SA is started from the beginning), as > these error situations will only be fixed when more entries are > returned to the address pool of the responder, thus it will not be > fixed in seconds, but more likely it takes several minutes. This is definitely the right idea. And the responder should already be able to react to either initiator choice (try with existing IKE SA, or deal with new IKE SA). Dan _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
