Looks good to me.

Yaron

-----Original Message-----
From: Paul Hoffman [mailto:paul.hoff...@vpnc.org]
Sent: Monday, December 28, 2009 17:36
To: Yaron Sheffer; IPsecme WG
Subject: Re: [IPsec] Clarifying what happens with INITIAL_CONTACT

At 5:28 PM +0200 12/28/09, Yaron Sheffer wrote:
>You are adding two MUSTs, which we SHOULD NOT do unless we have very good
>reasons, such as interop problems, security issues, or major functionality
>problems (like memory leaks). I'm not sure any of these apply, so I suggest
>that you change the wording to be non-normative.

Whoops, all good points. I got carried away. How about:

When an initiator receives an INITIAL_CONTACT notification in response to its IKE_AUTH request, it silently deletes any IKE SAs and associated Child SAs for that responder without sending any notifications to the responder. If a responder receives an INITIAL_CONTACT notification in an IKE_AUTH request, it silently deletes any IKE SAs and associated Child SAs for that initiator without sending any notifications to the initiator.

--Paul Hoffman, Director
--VPN Consortium
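
The behaviour in the proposed text, as an added Python example that is not part of this thread or of any IKEv2 implementation. The IkeSa and SaTable names, the outbound queue and the peer identities are hypothetical, and the example assumes the handler runs only after the IKE_AUTH message has authenticated the peer.

```python
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: int
    peer_id: str                      # authenticated peer identity (hypothetical field)
    child_spis: list = field(default_factory=list)  # Child SAs owned by this IKE SA


class SaTable:
    def __init__(self):
        self.ike_sas = {}             # spi -> IkeSa
        self.outbound = []            # constructed stand-in for messages sent to peers

    def add(self, sa):
        self.ike_sas[sa.spi] = sa

    def delete_with_notify(self, spi):
        """Ordinary teardown: drop the state and queue a Delete for the peer."""
        sa = self.ike_sas.pop(spi)
        self.outbound.append((sa.peer_id, "DELETE", spi))

    def on_ike_auth(self, new_sa, initial_contact):
        """Handle an authenticated IKE_AUTH request (responder side) or
        response (initiator side); the logic is the same in both roles."""
        removed = []
        if initial_contact:
            # Silent deletion: older IKE SAs for this peer, and the Child SAs
            # they carry, are dropped and nothing is queued for the peer.
            for spi, sa in list(self.ike_sas.items()):
                if sa.peer_id == new_sa.peer_id:
                    removed.append(self.ike_sas.pop(spi))
        self.add(new_sa)
        return removed


if __name__ == "__main__":
    table = SaTable()
    table.add(IkeSa(0x1, "gw.example", [0x10, 0x11]))    # constructed sample state
    table.add(IkeSa(0x2, "other.example", [0x20]))
    gone = table.on_ike_auth(IkeSa(0x3, "gw.example"), initial_contact=True)
    print("silently removed:", [(sa.spi, sa.child_spis) for sa in gone])
    print("remaining:", sorted(table.ike_sas), "outbound:", table.outbound)
```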