Hi all.

We're starting discussions of the issues that are open for the failure
detection draft.

Reported by Scott C Moonen:
What is the purpose of sending an empty response to the unprotected
N(INVALID[_IKE]_SPI)N(QCD_TOKEN)+ message? I'm not sure it provides any real
value and would

Reported by Yaron Sheffer:
I would have preferred the token to be resistant to stealing (and duplication),
in which case it can be sent in the *first* AUTH message. If we ensure that the
token maker's SPI is long/random (see below), this might be possible.

The relevant part of the document