The section 1.2 says that if we get INTERNAL_ADDRESS_FAILURE then the
IKE SA stays up, but the child SA is not created. It does not say
anything what should happen on the initiator if it actually did
require address by policy.
I think we have two options:
1) Tear down the IKE SA (by sending DELETE payload inside
INFORMATIONAL exchange) and try again after suitable timeout.
2) Keep the existing IKE SA up, but retry the configuration payload
exchange again after suitable timeout by starting new INFORMATIONAL
exchange and putting same configuration payloads in it.
I think we might want mention something about this in the section 1.2,
or section 3.15.4 Address Assignment Failures.
Most likely the section 3.15.4 is better, but we might want to add
forward reference from section 1.2 to there.
Section 3.15.4 do explain how the responder can behave in different
situations, but it does not cover what initiator should do.
Perhaps adding following paragraph to the end of 3.15.4 would help:
--
If the initiator does not receive the IP address(es) required by its
policy, it MAY keep the IKE SA up and retry the configuration
payload (as separate INFORMATIONAL exchange) after suitable timeout,
or it MAY also tear down the IKE SA (by sending DELETE payload
inside separate INFORMATIONAL exchange) and retry IKE SA from the
beginning after some longer timeout. The timeout should not be too
short (especially if the IKE SA is started from the beginning), as
these error situations will only be fixed when more entries are
returned to the address pool of the responder, thus it will not be
fixed in seconds, but more likely it takes several minutes.
--
kivi...@iki.fi
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
