> > Another approach would be to generalize the Transform Type 5
> > as the way to control the replay protection status
> > (see draft-ietf-ipsecme-g-ikev2-07, Section 2.6.)
> 
> I guess that depends on what implementations do when seeing a
> Transform Type 5 value with bit 1 set. Would we really want
> the Child SA to fail on such unknown value?
> 
> In that sense, a NOTIFY seems more safe. Unknown status notifies
> are ignored. And using a notify shows more clearly it is a notification,
> not a negotiation?

Good point. In G-IKEv2 there is provisioning instead of negotiation,
so there is no such problem.

Regards,
Valery.

> Paul
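The distinction Paul draws (an unrecognized Transform Type 5 value makes the proposal unusable, whereas an unrecognized status Notify is simply ignored) can be seen in a small responder model. This is an added illustration, not code from the thread or from any IKEv2 implementation; the constants come from RFC 7296 (Transform Type 5 = ESN with IDs 0 and 1; status notify types start at 16384; NO_PROPOSAL_CHOSEN = 14), while the Transform/Proposal classes, the function names, the constructed transform ID 2 ("bit 1 set") and the constructed status type 40000 are assumptions made for the example. Real responders also evaluate the ENCR, INTEG, PRF and D-H transform types, which are omitted here.

```python
from dataclasses import dataclass

# RFC 7296 Section 3.3.2: Transform Type 5 is Extended Sequence Numbers (ESN).
TRANSFORM_TYPE_ESN = 5
ESN_TRANSFORM_IDS = {0: "No ESN", 1: "ESN"}  # the only IDs RFC 7296 defines

# RFC 7296 Section 3.10.1: notify types 16384 and above are status types;
# a receiver ignores status types it does not recognize.
NOTIFY_STATUS_MIN = 16384
KNOWN_STATUS_NOTIFIES = {
    16384: "INITIAL_CONTACT",
    16391: "USE_TRANSPORT_MODE",
    16393: "REKEY_SA",
}
NO_PROPOSAL_CHOSEN = 14  # error notify type, RFC 7296 Section 3.10.1


@dataclass(frozen=True)
class Transform:
    transform_type: int
    transform_id: int


@dataclass(frozen=True)
class Proposal:
    number: int
    transforms: tuple  # of Transform


def esn_transform_acceptable(t: Transform) -> bool:
    """A responder can only pick an ESN transform ID it understands (0 or 1)."""
    return t.transform_type == TRANSFORM_TYPE_ESN and t.transform_id in ESN_TRANSFORM_IDS


def choose_proposal(proposals):
    """Return the number of the first proposal with a usable ESN transform, else None.

    Simplified model: the responder must select one transform per type, so a
    proposal whose only ESN transform carries an unknown ID cannot be chosen.
    """
    for p in proposals:
        esn = [t for t in p.transforms if t.transform_type == TRANSFORM_TYPE_ESN]
        if esn and any(esn_transform_acceptable(t) for t in esn):
            return p.number
    return None


def process_notifies(notify_types):
    """Split status notifies into those acted on and those silently ignored."""
    acted_on, ignored = [], []
    for n in notify_types:
        if n >= NOTIFY_STATUS_MIN and n not in KNOWN_STATUS_NOTIFIES:
            ignored.append(n)  # unknown status type: ignored per RFC 7296
        else:
            acted_on.append(n)
    return acted_on, ignored


def respond_create_child_sa(proposals, notify_types):
    """Model the responder's outcome for a CREATE_CHILD_SA request."""
    acted_on, ignored = process_notifies(notify_types)
    chosen = choose_proposal(proposals)
    if chosen is None:
        return {"error": NO_PROPOSAL_CHOSEN, "ignored_notifies": ignored}
    return {"chosen_proposal": chosen, "notifies": acted_on, "ignored_notifies": ignored}


if __name__ == "__main__":
    # Constructed request: ESN transform ID 2 ("bit 1 set") is unknown, so the
    # proposal is rejected, while the unknown status notify 40000 is ignored.
    unknown_esn = [Proposal(1, (Transform(TRANSFORM_TYPE_ESN, 2),))]
    print(respond_create_child_sa(unknown_esn, [16391, 40000]))
    # Same notifies with a known ESN transform: the Child SA goes through.
    known_esn = [Proposal(1, (Transform(TRANSFORM_TYPE_ESN, 1),))]
    print(respond_create_child_sa(known_esn, [16391, 40000]))
```

The two runs show the asymmetry: signalling replay-protection status through a transform value ties it to proposal selection, where an unrecognized value costs the whole proposal, whereas an unrecognized status notify leaves the Child SA negotiation unaffected.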

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
