Section 1.4.1 also says:

"A node MAY refuse to accept incoming data on half-closed
   connections but MUST NOT unilaterally close them and reuse the SPIs."

So if your peer is only responding with empty INFORMATIONAL responses to your
deletes, you're going to accumulate more and more stale inbound SAs. One of
these statements has to go.
________________________________________
From: ipsec-boun...@ietf.org [ipsec-boun...@ietf.org] On Behalf Of Paul Hoffman 
[paul.hoff...@vpnc.org]
Sent: Tuesday, December 15, 2009 20:55
To: IPsecme WG
Subject: [IPsec] Issue #128: Can implementations not reply fully to Deletes?

Section 1.4.1 says: Normally, the reply in the INFORMATIONAL exchange will 
contain delete payloads for the paired SAs going in the other direction. There 
is one exception. If by chance both ends of a set of SAs independently decide 
to close them, each may send a delete payload and the two requests may cross in 
the network.

But, Section 4 (conformance requirements), says: Every implementation MUST be 
capable of responding to an INFORMATIONAL exchange, but a minimal 
implementation MAY respond to any INFORMATIONAL message with an empty 
INFORMATIONAL reply.

What should we do? Changing the conformance requirement is pretty serious, but 
not telling the other side that you understand the Delete is also serious.


--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

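The following is an added example and not code from either message or from any IKEv2 implementation. It models the Child SA Delete exchange both messages describe: an INFORMATIONAL request carrying a Delete payload that lists the sender's inbound SPI, answered either by the paired SPI going the other way (Section 1.4.1) or by an empty INFORMATIONAL reply (the Section 4 minimal implementation). The Delete payload layout follows RFC 4306 Section 3.11; the `Endpoint` class, the `half_closed()` audit hook, the peer names and the SPI values are constructed for illustration.

```python
"""Model of the IKEv2 Child SA Delete exchange (RFC 4306 sections 1.4.1, 3.11, 4).

Added example for this thread, not code from any IKEv2 implementation.
"""
import struct

PROTO_ESP = 3          # Protocol ID for ESP in a Delete payload (RFC 4306 3.11)
SPI_SIZE_ESP = 4       # AH/ESP SPIs are 4 octets
NO_NEXT_PAYLOAD = 0    # Next Payload value when this is the last payload


def encode_delete(protocol_id, spis):
    """Generic payload header followed by a Delete payload for one protocol."""
    body = struct.pack("!BBH", protocol_id, SPI_SIZE_ESP, len(spis))
    body += b"".join(struct.pack("!I", s) for s in spis)
    # Generic header: Next Payload, Critical bit + reserved, Payload Length.
    header = struct.pack("!BBH", NO_NEXT_PAYLOAD, 0, 4 + len(body))
    return header + body


def decode_delete(data):
    """Return (protocol_id, [spi, ...]); an empty message carries no Delete."""
    if not data:
        return None, []
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length > len(data):
        raise ValueError("truncated Delete payload")
    proto, spi_size, n = struct.unpack("!BBH", data[4:8])
    if spi_size != SPI_SIZE_ESP:
        raise ValueError("unexpected SPI size %d" % spi_size)
    spis = [struct.unpack("!I", data[8 + 4 * i:12 + 4 * i])[0] for i in range(n)]
    return proto, spis


class Endpoint:
    """One IKEv2 peer holding paired Child SAs (constructed for this example).

    inbound maps the SPI we expect on received packets to its paired outbound
    SPI; outbound maps the reverse.  minimal=True models the Section 4
    conformance floor: every INFORMATIONAL gets an empty reply.
    """

    def __init__(self, name, minimal=False):
        self.name = name
        self.minimal = minimal
        self.inbound = {}
        self.outbound = {}

    def install_pair(self, in_spi, out_spi):
        self.inbound[in_spi] = out_spi
        self.outbound[out_spi] = in_spi

    def initiate_delete(self, in_spi):
        # Section 1.4.1: the Delete lists SPIs as they appear in our inbound
        # packets.  The inbound SA goes now; the outbound half waits for the
        # peer's reply because we MUST NOT close it unilaterally.
        self.inbound.pop(in_spi)
        return encode_delete(PROTO_ESP, [in_spi])

    def handle_delete_request(self, request):
        _proto, spis = decode_delete(request)
        # The recipient MUST close the designated SAs: our outbound SAs.
        paired = [self.outbound.pop(spi) for spi in spis]
        if self.minimal:
            return b""  # empty INFORMATIONAL reply; our inbound halves stay open
        # Normal behaviour: close the paired inbound SAs and announce them.
        for in_spi in paired:
            self.inbound.pop(in_spi)
        return encode_delete(PROTO_ESP, paired)

    def handle_delete_response(self, reply):
        _proto, spis = decode_delete(reply)
        for spi in spis:
            self.outbound.pop(spi)

    def half_closed(self):
        """(inbound SPIs, outbound SPIs) whose partner in the other direction is gone."""
        ins = sorted(s for s, p in self.inbound.items() if p not in self.outbound)
        outs = sorted(s for s, p in self.outbound.items() if p not in self.inbound)
        return ins, outs


def run_exchange(minimal_responder):
    """A deletes one Child SA pair with B; returns each side's half-closed SPIs."""
    a = Endpoint("A")
    b = Endpoint("B", minimal=minimal_responder)
    a.install_pair(in_spi=0xA0000001, out_spi=0xB0000001)  # constructed SPIs
    b.install_pair(in_spi=0xB0000001, out_spi=0xA0000001)
    request = a.initiate_delete(0xA0000001)
    reply = b.handle_delete_request(request)
    a.handle_delete_response(reply)
    return {"A": a.half_closed(), "B": b.half_closed()}


if __name__ == "__main__":
    print("full responder:   ", run_exchange(False))
    print("minimal responder:", run_exchange(True))
```

With the full responder both SA databases end up empty. With the minimal responder B's inbound SA and A's outbound SA for the same SPI survive as a half-closed pair that neither side is allowed to tear down or reuse on its own, which is the accumulation the reply above points at; `half_closed()` is where the Section 1.4.1 audit would hang.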