Yoav, Just for posterity, I agree with Scott's suggestion.
Dave Wierbowski

From: Yoav Nir <y...@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: 09/30/2010 04:20 PM
Subject: Re: [IPsec] Issue #189 - Reply is not needed for unprotected message containing QCD
Sent by: ipsec-boun...@ietf.org

OK. There were zero responses to this. Since this seems obvious to me, I will correct it as Scott suggests, and close the issue with the publication of -01.

On Sep 21, 2010, at 2:58 PM, Yoav Nir wrote:

> Hi all.
>
> We're starting discussions of the issues that are open for the failure detection draft.
>
> Reported by Scott C Moonen:
>
> What is the purpose of sending an empty response to the unprotected N(INVALID[_IKE]_SPI)&N(QCD_TOKEN)+ message? I'm not sure it provides any real value and would really prefer not to send it. Also, this contradicts a few "MUST NOT" statements in ikev2bis concerning how we handle unprotected messages; if the consensus is to keep this behavior then we should make clear that we are self-consciously breaking the rules here.
>
>
> What Scott is referring to is the last paragraph of section 4.5:
>
>    If the QCD_TOKEN verifies OK, an empty response MUST be sent. If the
>    QCD_TOKEN cannot be validated, a response MUST NOT be sent.
>    Section 5 defines token verification.
>
>
> I believe Scott is right. I don't know what I was thinking when I wrote this. In fact, I believe the name of the section should be changed (from "Presenting the Token in an INFORMATIONAL Exchange") because this is not an INFORMATIONAL exchange.
>
> If you can think of a reason why this needs to be like this instead of the following, please reply.
>
>    If the QCD_TOKEN verifies OK, the IKE SA and its associated Child SAs
>    MUST be silently discarded. If the QCD_TOKEN cannot be validated, the
>    Notification MUST be ignored, and the incident MAY be logged.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
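The corrected receiver behaviour discussed in the thread, as an added illustration that is not part of the mailing-list post or of the draft: a "token taker" that stored a QCD_TOKEN when the IKE SA was set up, and later receives it back in an unprotected N(INVALID_IKE_SPI)&N(QCD_TOKEN)+ message. Whether the token verifies or not, no response is sent; a valid token silently discards the IKE SA and its Child SAs, an invalid one is ignored and logged. The `IkeSa`/`TokenTaker` structures and the comparison against a stored token are assumptions made for this example (the thread only says that Section 5 defines verification).

```python
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("qcd")


@dataclass
class IkeSa:
    """Minimal IKE SA record kept by the token taker (assumed structure)."""
    spi_i: bytes
    spi_r: bytes
    qcd_token: bytes                 # token received protected during SA setup
    child_sas: list = field(default_factory=list)


class TokenTaker:
    """The peer that stored a QCD_TOKEN and later sees it in an unprotected message."""

    def __init__(self):
        self.sas = {}       # (spi_i, spi_r) -> IkeSa
        self.events = []    # what was logged, kept as data so behaviour can be checked

    def install_sa(self, sa):
        self.sas[(sa.spi_i, sa.spi_r)] = sa

    def on_unprotected_invalid_spi(self, spi_i, spi_r, qcd_tokens):
        """Handle unprotected N(INVALID_IKE_SPI) carrying one or more N(QCD_TOKEN).

        Returns the response to send. Per the corrected text proposed in the
        thread this is always None: the message is acted on silently or ignored,
        and no empty response is emitted in either case.
        """
        key = (spi_i, spi_r)
        sa = self.sas.get(key)
        if sa is None:
            # Nothing to verify against: treat as "cannot be validated" and ignore.
            self.events.append(("ignored", "no IKE SA for these SPIs"))
            log.info("QCD: unprotected message for unknown SPIs, ignored")
            return None

        # Assumed verification: constant-time comparison against the stored token.
        if any(hmac.compare_digest(tok, sa.qcd_token) for tok in qcd_tokens):
            # Token verifies OK: discard the IKE SA and its Child SAs, silently.
            del self.sas[key]
            sa.child_sas.clear()
            self.events.append(("discarded", key))
            return None

        # Token does not validate: ignore the notification, optionally log it.
        self.events.append(("ignored", "QCD_TOKEN did not validate"))
        log.info("QCD: token mismatch for SPIs %s/%s, ignored", spi_i.hex(), spi_r.hex())
        return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    taker = TokenTaker()
    taker.install_sa(IkeSa(b"\x01" * 8, b"\x02" * 8, b"constructed-token", ["child-1"]))
    print(taker.on_unprotected_invalid_spi(b"\x01" * 8, b"\x02" * 8, [b"bogus"]))
    print(taker.on_unprotected_invalid_spi(b"\x01" * 8, b"\x02" * 8, [b"constructed-token"]))
    print(taker.sas, taker.events)
```

Both branches return `None`, which is the point of the issue: the sending side gets no signal at all, so an attacker replaying or guessing tokens cannot use the presence or absence of a reply as an oracle, and the handling stays consistent with the ikev2bis rules on unprotected messages.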