Yoav,

Just for posterity, I agree with Scott's suggestion.

Dave Wierbowski

From:       Yoav Nir <y...@checkpoint.com>
To:         IPsecme WG <ipsec@ietf.org>
Date:       09/30/2010 04:20 PM
Subject:    Re: [IPsec] Issue #189 - Reply is not needed for unprotected
            message containing QCD
Sent by:    ipsec-boun...@ietf.org



OK. There were zero responses to this. Since this seems obvious to me, I
will correct it as Scott suggests, and close the issue with the publication
of -01.

On Sep 21, 2010, at 2:58 PM, Yoav Nir wrote:

> Hi all.
>
> We're starting discussions of the issues that are open for the failure
> detection draft.
>
> Reported by Scott C Moonen:
>
> What is the purpose of sending an empty response to the unprotected N
> (INVALID[_IKE]_SPI)&N(QCD_TOKEN)+ message? I'm not sure it provides any
> real value and would really prefer not to send it. Also, this contradicts a
> few "MUST NOT" statements in ikev2bis concerning how we handle unprotected
> messages; if the consensus is to keep this behavior then we should make
> clear that we are self-consciously breaking the rules here.
>
>
> What Scott is referring to is the last paragraph of section 4.5:
>   If the QCD_TOKEN verifies OK, an empty response MUST be sent.  If the
>   QCD_TOKEN cannot be validated, a response MUST NOT be sent.
>   Section 5 defines token verification.
>
>
> I believe Scott is right. I don't know what I was thinking when I wrote
> this. In fact, I believe the name of the section should be changed (from
> "Presenting the Token in an INFORMATIONAL Exchange") because this is not an
> INFORMATIONAL exchange.
>
> If you can think of a reason why this needs to be like this instead of
> the following, please reply.
>
>   If the QCD_TOKEN verifies OK, the IKE SA and its associated Child SAs
>   MUST be silently discarded. If the QCD_TOKEN cannot be validated, the
>   Notification MUST be ignored, and the incident MAY be logged.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
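
The handling rule proposed at the end of the quoted message, as an added example that is not part of the thread or of the draft. It assumes verification is a constant-time comparison against a token stored for the SA named by the SPI pair (the draft's Section 5, not quoted here, is the authority); `TokenTaker`, `IkeSa` and `on_unprotected_qcd` are hypothetical names.

```python
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("qcd-example")


@dataclass
class IkeSa:
    qcd_token: bytes                 # assumed: token stored for this SA at setup
    child_sas: list = field(default_factory=list)


class TokenTaker:
    """Hypothetical receiver of unprotected N(INVALID_[IKE_]SPI) + N(QCD_TOKEN)+."""

    def __init__(self):
        self.sas = {}                # (spi_i, spi_r) -> IkeSa

    def on_unprotected_qcd(self, spi_i, spi_r, tokens):
        """Return (action, response). response is always None: under the
        proposed text nothing is ever sent in reply to the unprotected message."""
        sa = self.sas.get((spi_i, spi_r))
        matched = False
        if sa is not None:
            # Check every presented token, constant time per comparison.
            for token in tokens:
                matched |= hmac.compare_digest(token, sa.qcd_token)
        if not matched:
            # "MUST be ignored ... MAY be logged": keep state, log SPIs only.
            log.info("unverified QCD token for %s/%s", spi_i.hex(), spi_r.hex())
            return "ignored", None
        # Token verified: drop the IKE SA and its Child SAs without replying.
        dropped = self.sas.pop((spi_i, spi_r))
        dropped.child_sas.clear()
        return "discarded", None


def demo():
    """Constructed sample data: one SA, then a forged and a valid token."""
    spi_i, spi_r = bytes.fromhex("1111111111111111"), bytes.fromhex("2222222222222222")
    good = bytes.fromhex("aa" * 32)
    taker = TokenTaker()
    taker.sas[(spi_i, spi_r)] = IkeSa(qcd_token=good, child_sas=["esp-1", "esp-2"])
    forged = taker.on_unprotected_qcd(spi_i, spi_r, [bytes(32)])
    still_up = (spi_i, spi_r) in taker.sas
    valid = taker.on_unprotected_qcd(spi_i, spi_r, [bytes(32), good])
    return forged, still_up, valid, len(taker.sas)
```

Because the input is unauthenticated, the optional log line should be rate-limited in a real deployment so that a flood of forged notifications cannot fill the log.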

