Looks good to me.

        Yaron

-----Original Message-----
From: Paul Hoffman [mailto:paul.hoff...@vpnc.org] 
Sent: Monday, December 28, 2009 17:36
To: Yaron Sheffer; IPsecme WG
Subject: Re: [IPsec] Clarifying what happens with INITIAL_CONTACT

At 5:28 PM +0200 12/28/09, Yaron Sheffer wrote:
>You are adding two MUSTs, which we SHOULD NOT do unless we have very good 
>reasons, such as interop problems, security issues, or major functionality 
>problems (like memory leaks). I'm not sure any of these apply, so I suggest 
>that you change the wording to be non-normative.

Whoops, all good points. I got carried away. How about:

When an initiator receives an INITIAL_CONTACT notification in
response to its IKE_AUTH request, it silently deletes any IKE SAs and
associated Child SAs for that responder without sending any
notifications to the responder. If a responder receives an
INITIAL_CONTACT notification in an IKE_AUTH request, it silently
deletes any IKE SAs and associated Child SAs for that initiator
without sending any notifications to the initiator.

--Paul Hoffman, Director
--VPN Consortium
