Section 2.8.2 (Simultaneous IKE SA Rekeying) states:

"If only one peer detects a simultaneous rekey, redundant SAs are not created. In this case, when the peer that did not notice the simultaneous rekey gets the request to rekey the IKE SA that it has already successfully rekeyed, it MUST return TEMPORARY_FAILURE because it is an IKE SA that it is currently trying to close (whether or not it has already sent the delete notification for the SA)."
Section 2.25.2 (Collisions While Rekeying or Closing IKE SAs) states:

"If a peer receives a request to close an IKE SA that it is currently trying to close, it SHOULD reply as usual, and forget about its own close request."

Based on the text in Section 2.25.2, it seems that perhaps the MUST in Section 2.8.2 is really a SHOULD. Or, based on the text in 2.8.2, the SHOULD in 2.25.2 should be a MUST.

--Paul Hoffman, Director
--VPN Consortium

IPsec mailing list: https://www.ietf.org/mailman/listinfo/ipsec
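To make the two collision rules quoted above concrete, here is an added Python model of one IKE SA endpoint's state machine; it is an illustration written for this page, not code from the post, the RFC, or any IKEv2 implementation. The message kinds (REKEY_REQ, DELETE_REQ, and so on) and the state names are constructed labels rather than IKEv2 wire encodings, and the nonce comparison used when both peers detect a rekey collision is deliberately left out, since the post only concerns the case where one peer does not notice. The first scenario plays out Section 2.8.2: peer A's rekey request reaches B only after B has already rekeyed the SA via A's answer to B's request, so B returns TEMPORARY_FAILURE. The second plays out Section 2.25.2: both peers send a delete at once, each replies as usual and drops its own outstanding request.

```python
"""Model of IKEv2 rekey/close collision handling for a single IKE SA."""

from dataclasses import dataclass

# Constructed message labels, not IKEv2 payload encodings.
REKEY_REQ, REKEY_RESP = "REKEY_REQ", "REKEY_RESP"
DELETE_REQ, DELETE_RESP = "DELETE_REQ", "DELETE_RESP"
OK, TEMPORARY_FAILURE = "OK", "TEMPORARY_FAILURE"


@dataclass
class Msg:
    kind: str
    src: str
    status: str = OK


class Peer:
    """One endpoint of one IKE SA.

    Assumed states: ACTIVE (SA in use), REKEYING (our own rekey request is
    outstanding), CLOSING (this SA has been successfully rekeyed and is being
    torn down), CLOSED (delete exchange finished).
    """

    def __init__(self, name):
        self.name = name
        self.state = "ACTIVE"
        self.delete_outstanding = False  # we have sent a delete and await its reply
        self.events = []                 # human-readable trace for inspection

    def start_rekey(self):
        assert self.state == "ACTIVE"
        self.state = "REKEYING"
        return Msg(REKEY_REQ, self.name)

    def start_close(self):
        assert self.state == "CLOSING"
        self.delete_outstanding = True
        return Msg(DELETE_REQ, self.name)

    def receive(self, msg):
        """Process one incoming message and return the response, if any."""
        if msg.kind == REKEY_REQ:
            if self.state == "CLOSING":
                # Section 2.8.2: the SA was already rekeyed and is being closed,
                # so a late rekey request for it gets TEMPORARY_FAILURE.
                self.events.append("rekey request refused: SA already rekeyed")
                return Msg(REKEY_RESP, self.name, TEMPORARY_FAILURE)
            # ACTIVE or REKEYING: answer the rekey; the replacement SA now exists
            # and this SA moves towards closure.
            self.events.append("rekey request answered")
            self.state = "CLOSING"
            return Msg(REKEY_RESP, self.name)
        if msg.kind == REKEY_RESP:
            if msg.status == TEMPORARY_FAILURE:
                # Our own rekey lost; keep using the SA the peer's rekey created.
                self.events.append("own rekey refused with TEMPORARY_FAILURE")
            elif self.state == "REKEYING":
                self.state = "CLOSING"
                self.events.append("own rekey succeeded")
            return None
        if msg.kind == DELETE_REQ:
            # Section 2.25.2: reply as usual and forget our own close request.
            if self.delete_outstanding:
                self.events.append("delete collision: replying, forgetting own request")
                self.delete_outstanding = False
            self.state = "CLOSED"
            return Msg(DELETE_RESP, self.name)
        if msg.kind == DELETE_RESP:
            if self.delete_outstanding:
                self.delete_outstanding = False
                self.state = "CLOSED"
            # Otherwise the reply is to a request we already forgot; ignore it.
            return None
        raise ValueError(f"unknown message kind {msg.kind!r}")


def one_sided_rekey_collision():
    """Section 2.8.2: only A notices the collision; B has already rekeyed."""
    a, b = Peer("A"), Peer("B")
    a_req, b_req = a.start_rekey(), b.start_rekey()
    a_resp = a.receive(b_req)    # B's request reaches A while A is REKEYING
    b.receive(a_resp)            # B's rekey completes; old SA is now CLOSING at B
    b_resp = b.receive(a_req)    # A's request arrives late: TEMPORARY_FAILURE
    a.receive(b_resp)
    return a, b, b_resp


def delete_collision():
    """Section 2.25.2: both peers delete the old SA at the same time."""
    a, b = Peer("A"), Peer("B")
    a.state = b.state = "CLOSING"   # both have already rekeyed
    a_del, b_del = a.start_close(), b.start_close()
    a_resp, b_resp = a.receive(b_del), b.receive(a_del)
    a.receive(b_resp)
    b.receive(a_resp)
    return a, b


if __name__ == "__main__":
    a, b, resp = one_sided_rekey_collision()
    print("B answered A's late rekey with:", resp.status)
    for p in (a, b):
        print(p.name, p.state, p.events)
```

Running the module prints B's TEMPORARY_FAILURE response and each peer's event trace; both scenarios end with a single surviving SA and no peer left waiting on a reply that will never come.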
