Hi, I am wondering how SPI collision is considered by IKEv2, and have not found any documentation on it, so if there are some, please let me know.

My current understanding is that when a CREATE_CHILD_SA exchange is performed the Initiator and Responder announce the SPI in the SA payload. If the Initiator announces an SPI that is already used by the Responder (with another peer), the Responder cannot accept this proposition and must send an error message. I haven't found anything like this in RFC5996. Am I missing something?

Furthermore I cannot find any message for this error. INVALID_SPI does not seem to be used for the creation of an SPI, but only if an ESP/AH/IKE packet comes with an unrecognized SPI. In addition it seems the Notify Payload MUST be sent out of the IKE_SA...

Can anyone tell me which error message is used?

BR
Daniel

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
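As an added illustration of the SPI bookkeeping the question is about (example code, not part of the original post and not taken from any IKE implementation): in the IKEv2 SA payload the SPI field is the sending entity's SPI (RFC 7296, section 3.3.1), i.e. the value the proposer itself will expect on inbound ESP/AH traffic, so each peer picks the SPIs it will receive on. Keeping a node's own inbound SPIs distinct across all of its peers is therefore a local allocation-time check, which is what the small table below models; the `InboundSpiTable` class, its `peer` labels and the injectable `rng` are assumptions for the example. The `lookup` method shows the separate situation the post mentions, a packet arriving with an SPI the node never issued, which is what an INVALID_SPI notification reports.

```python
import secrets

# RFC 4303 reserves SPI values 0..255 for IANA; an implementation should
# not hand those out as Child SA SPIs.
MIN_SPI = 256


class InboundSpiTable:
    """Tracks the SPIs this node has issued for its own inbound Child SAs.

    Hypothetical helper for illustration.  Because each IKEv2 peer chooses
    the SPIs it will itself receive on, uniqueness across peers is decided
    here, when the SPI is drawn, before it is ever placed in an SA payload.
    """

    def __init__(self, rng=secrets.randbits):
        # rng(nbits) -> int; defaults to a CSPRNG, injectable for tests
        self._rng = rng
        self._in_use = {}  # spi -> peer identity (constructed label)

    def allocate(self, peer, max_tries=16):
        """Draw a fresh 32-bit inbound SPI for `peer`, retrying on collision."""
        for _ in range(max_tries):
            spi = self._rng(32)
            if spi < MIN_SPI or spi in self._in_use:
                continue  # reserved range or already issued: draw again
            self._in_use[spi] = peer
            return spi
        raise RuntimeError("could not find an unused inbound SPI")

    def release(self, spi):
        """Forget an SPI once its Child SA has been deleted."""
        self._in_use.pop(spi, None)

    def lookup(self, spi):
        """Inbound demux: which peer owns this SPI?  None means the packet
        carries an SPI this node never issued (the INVALID_SPI case)."""
        return self._in_use.get(spi)

    def __len__(self):
        return len(self._in_use)


def scripted_rng(values):
    """Deterministic stand-in for randbits, returning `values` in order
    (constructed test input that forces a reserved value and a collision)."""
    it = iter(values)
    return lambda nbits: next(it)


if __name__ == "__main__":
    table = InboundSpiTable()
    for name in ("peer-a", "peer-b", "peer-c"):
        print(f"{name}: SPI 0x{table.allocate(name):08x}")
    print("unknown SPI 0x1 ->", table.lookup(0x1))
```

With the default CSPRNG a collision among a handful of 32-bit values is vanishingly unlikely, but the retry loop is what makes the guarantee structural rather than probabilistic; the scripted generator in the test drives exactly that path.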