On Wed, Jun 17, 2020 at 08:55:12PM -0400, Paul Wouters wrote:
> The RFC states:
> 
>    The USE_TRANSPORT_MODE notification MAY be included in a request
>    message that also includes an SA payload requesting a Child SA.  It
>    requests that the Child SA use transport mode rather than tunnel mode
>    for the SA created.  If the request is accepted, the response MUST
>    also include a notification of type USE_TRANSPORT_MODE.  If the
>    responder declines the request, the Child SA will be established in
>    tunnel mode.  If this is unacceptable to the initiator, the initiator
>    MUST delete the SA.
> 
> 
> But note that the responder has already installed the IPsec SA in tunnel
> mode. So if the initiator finds that unacceptable, it must send the
> delete. During all this time, connectivity between the nodes will be
> blocked. The intention here is that transport mode is optional and
> should not be mandated by other protocols. Otherwise, the IKEv1
> style negotiation of transport OR tunnel mode would have been kept.

How about my mails ask that I read this text such that the initiator will
delete the SA (not only client SA) if transport mode is not supported
by responder. Aka: the last two sentences to me describe exactly the
case where the initiator can/wants to only support transport mode.

Aka: I cannot read your interpretation into this text.

Please answer the other questions from my reply mail.

> So I would recommend to follow the intention of RFC 7296 and not make
> up your own restrictions.

Again, I had a lot of arguments in my email that I need to see answers
to so that we can make progress here.

Cheers
    Toerless
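The disagreement above is about what RFC 7296 section 3.10.1 requires of an initiator that only supports transport mode. The following is an added illustration written for this page, not code from the thread or from any IKE implementation: a small model of the USE_TRANSPORT_MODE exchange with both sides, using a simplified message structure (the `Message` fields, `Responder` class and `negotiate` function are assumptions of this example). It shows the three outcomes the quoted text allows, and makes visible the window Paul describes, where the responder has already installed a tunnel-mode Child SA before the initiator's Delete arrives.

```python
"""Model of the RFC 7296 USE_TRANSPORT_MODE negotiation.

Illustrative example only: message fields and class names are invented here
to show the rule in the quoted RFC text, not taken from any IKE stack.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

USE_TRANSPORT_MODE = "USE_TRANSPORT_MODE"  # notification type from RFC 7296


@dataclass
class Message:
    """Minimal stand-in for an IKEv2 message, carrying only what we need."""
    exchange: str                        # "CREATE_CHILD_SA" or "INFORMATIONAL"
    is_response: bool
    has_sa: bool = False                 # carries an SA payload (Child SA request)
    notifications: List[str] = field(default_factory=list)
    spi: Optional[int] = None            # responder-chosen Child SA identifier
    delete_spi: Optional[int] = None     # Delete payload, if any


class Responder:
    """Responder that installs the Child SA as soon as it sends its response."""

    def __init__(self, supports_transport: bool):
        self.supports_transport = supports_transport
        self.installed: Dict[int, str] = {}  # spi -> "transport" | "tunnel"
        self._next_spi = 1

    def handle(self, req: Message) -> Message:
        if req.exchange == "CREATE_CHILD_SA" and req.has_sa:
            asked = USE_TRANSPORT_MODE in req.notifications
            mode = "transport" if (asked and self.supports_transport) else "tunnel"
            spi = self._next_spi
            self._next_spi += 1
            # The SA is live on the responder before the initiator sees the reply.
            self.installed[spi] = mode
            # "the response MUST also include a notification of type USE_TRANSPORT_MODE"
            notes = [USE_TRANSPORT_MODE] if mode == "transport" else []
            return Message("CREATE_CHILD_SA", True, has_sa=True,
                           notifications=notes, spi=spi)
        if req.exchange == "INFORMATIONAL" and req.delete_spi is not None:
            self.installed.pop(req.delete_spi, None)
            return Message("INFORMATIONAL", True, delete_spi=req.delete_spi)
        return Message(req.exchange, True)


def negotiate(responder: Responder, require_transport: bool) -> dict:
    """Initiator side: ask for transport mode, then apply the RFC 7296 rule.

    Returns a summary dict so the three possible outcomes can be compared:
    transport accepted, tunnel tolerated, or tunnel rejected by a Delete.
    """
    req = Message("CREATE_CHILD_SA", False, has_sa=True,
                  notifications=[USE_TRANSPORT_MODE])
    resp = responder.handle(req)
    mode = "transport" if USE_TRANSPORT_MODE in resp.notifications else "tunnel"
    # Snapshot of the responder's state at the moment the initiator decides.
    had_tunnel = responder.installed.get(resp.spi) == "tunnel"
    if mode == "tunnel" and require_transport:
        # "If this is unacceptable to the initiator, the initiator MUST delete the SA."
        responder.handle(Message("INFORMATIONAL", False, delete_spi=resp.spi))
        return {"outcome": "deleted", "mode": None,
                "responder_had_tunnel_sa": had_tunnel,
                "responder_sa_count": len(responder.installed)}
    return {"outcome": "established", "mode": mode,
            "responder_had_tunnel_sa": had_tunnel,
            "responder_sa_count": len(responder.installed)}


if __name__ == "__main__":
    for supports, required in [(True, True), (False, False), (False, True)]:
        result = negotiate(Responder(supports), require_transport=required)
        print(f"responder transport={supports} initiator requires={required}: {result}")
```

In the third scenario (responder declines, initiator insists on transport) the summary reports `responder_had_tunnel_sa: True` and, after the Delete, `responder_sa_count: 0`: the responder briefly held a usable tunnel SA that the initiator never used, which is the connectivity gap the quoted mail points at.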

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
