Tobias Brunner writes:
> > The SA that the initiator attempted to rekey is
> > indicated by the Protocol ID and SPI fields in the Notify payload,
> > which are copied from the Protocol ID and SPI fields in the REKEY_SA
> > notification.
>
> Hm, I just noticed that we (strongSwan) implement that incorrectly as we
> send the CHILD_SA_NOT_FOUND notify without SPI (or protocol ID). What's
> the purpose of repeating that information in the notify? There can only
> be a single REKEY_SA notify in the request, so how could there be any
> confusion for the exchange initiator about which SA wasn't found by the
> responder?
I do not think there is any real purpose, but the cases where you need to
return CHILD_SA_NOT_FOUND usually mean something unexpected happened, and
repeating the information might be helpful for debugging that case.

The text was added in draft-ietf-ipsecme-ikev2bis-07 when creating RFC5996
(January 2010), and has not been changed since...
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
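The exchange above turns on the Notify payload layout from RFC 7296 section 3.10 (generic header, Protocol ID, SPI Size, Notify Message Type, SPI). The following is an added example, not code from this thread or from strongSwan: it encodes and parses Notify payloads, builds a CHILD_SA_NOT_FOUND reply both the RFC way (Protocol ID and SPI copied from the request's REKEY_SA) and without SPI (the behaviour described in the quoted message), and shows the cross-check an initiator loses when the SPI is absent. The message type numbers (REKEY_SA 16393, CHILD_SA_NOT_FOUND 44) and protocol IDs are from RFC 7296; the helper names, the `classify_response` result strings and the SPI value 0x11223344 are my own constructions.

```python
import struct
from dataclasses import dataclass

# Notify Message Type values (RFC 7296, section 3.10.1).
CHILD_SA_NOT_FOUND = 44      # error type
REKEY_SA = 16393             # status type
# Protocol ID values used in the Notify payload (RFC 7296, section 3.10).
PROTO_NONE, PROTO_IKE, PROTO_AH, PROTO_ESP = 0, 1, 2, 3


@dataclass
class Notify:
    """An IKEv2 Notify payload, including its generic payload header."""
    msg_type: int
    protocol_id: int = PROTO_NONE
    spi: bytes = b""
    data: bytes = b""

    def encode(self, next_payload: int = 0) -> bytes:
        # Generic header: Next Payload, C-flag/Reserved, Payload Length (incl. header),
        # then Protocol ID, SPI Size, Notify Message Type, SPI, Notification Data.
        body = struct.pack("!BBH", self.protocol_id, len(self.spi), self.msg_type)
        body += self.spi + self.data
        return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

    @classmethod
    def decode(cls, buf: bytes) -> "Notify":
        # Reject truncated or self-inconsistent payloads before slicing.
        if len(buf) < 8:
            raise ValueError("truncated Notify payload")
        _next, _flags, length = struct.unpack("!BBH", buf[:4])
        if length < 8 or length > len(buf):
            raise ValueError("bad Payload Length")
        proto, spi_size, msg_type = struct.unpack("!BBH", buf[4:8])
        if 8 + spi_size > length:
            raise ValueError("SPI Size exceeds Payload Length")
        return cls(msg_type, proto, buf[8:8 + spi_size], buf[8 + spi_size:length])


def rekey_sa_request(protocol_id: int, spi: bytes) -> bytes:
    """REKEY_SA notify as the initiator sends it in a CREATE_CHILD_SA request."""
    return Notify(REKEY_SA, protocol_id, spi).encode()


def child_sa_not_found_per_rfc(rekey_request: bytes) -> bytes:
    """Responder reply as the RFC text quoted above requires: Protocol ID and SPI
    are copied from the REKEY_SA notify in the request."""
    req = Notify.decode(rekey_request)
    if req.msg_type != REKEY_SA:
        raise ValueError("not a REKEY_SA notify")
    return Notify(CHILD_SA_NOT_FOUND, req.protocol_id, req.spi).encode()


def child_sa_not_found_without_spi() -> bytes:
    """The variant discussed in the thread: no Protocol ID and no SPI."""
    return Notify(CHILD_SA_NOT_FOUND).encode()


def classify_response(rekey_request: bytes, response: bytes) -> str:
    """Initiator-side check of a CHILD_SA_NOT_FOUND reply against its own REKEY_SA.

    Returns one of (strings are my own naming):
      "matches"     - the reply names exactly the SA we tried to rekey
      "spi-omitted" - the reply carries no SPI; the SA is still inferable because a
                      request holds at most one REKEY_SA, but the cross-check is gone
      "mismatch"    - the reply names a different SA, which is worth logging
    """
    req = Notify.decode(rekey_request)
    resp = Notify.decode(response)
    if resp.msg_type != CHILD_SA_NOT_FOUND:
        raise ValueError("not a CHILD_SA_NOT_FOUND notify")
    if not resp.spi:
        return "spi-omitted"
    if resp.protocol_id == req.protocol_id and resp.spi == req.spi:
        return "matches"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: ESP SPI 0x11223344, not taken from any real session.
    req = rekey_sa_request(PROTO_ESP, bytes.fromhex("11223344"))
    print("REKEY_SA request:", req.hex())
    for resp in (child_sa_not_found_per_rfc(req), child_sa_not_found_without_spi()):
        print("CHILD_SA_NOT_FOUND:", resp.hex(), "->", classify_response(req, resp))
```

The `decode` bounds checks matter more than the happy path: Payload Length and SPI Size both come from the peer, so a parser must validate them against each other and against the buffer before slicing. The "mismatch" outcome is exactly what the repeated SPI buys an implementer in the debugging scenario the reply describes: a reply that names a different SA than the one requested points at a state-tracking bug on one side, and without the SPI that signal is never available.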
