On Tue, Feb 02, 2010 at 02:49:11PM -0800, Paul Hoffman wrote:
> In a few places in the new section 2.23.1 in IKEv2bis, it says that one
> must have a trigger packet when starting negotiation. This assumption
> should be removed so as not to cause new requirements in IKEv2bis: there is
> no requirement for trigger packets in RFC 4306 or in the rest of IKEv2bis.

BTW, this change makes a path to no-child-SA AUTH exchanges simpler. It's much simpler to have a no-child-SA creation of an IKE SA when you aren't initiating in the service of a triggering packet.

> - "When the client starts creating the IKEv2 SA and Child SA for sending
> traffic to the server, it has a triggering packet with source IP address of
> IP1, and a destination IP address of IPN2" should be changed to "...it may
> have a triggering packet...".

This new text is fine.

> - "The first traffic selector of TSi and TSr SHOULD have very specific
> traffic selectors including protocol and port numbers from the packet
> triggering the request" should be changed to "...SHOULD have very specific
> traffic selectors including protocol and port numbers, such as from the
> packet...".

As is this new text.

Dan