I agree. On Dec 26, 2012, at 7:58 PM, Valery Smyslov <sva...@gmail.com> wrote:
> Hi Yaron, > > oh, you've catched one more error in this text - it mixed up terms "ticket" > (used in RFC5723 as Session Resumption ticket) and "token" > (used in RFC6290 as QCD token). I din't notice that. You are right, > that "ticket" (Session Resumption) is sent in IKE_SESSION_RESUME, > but RFC6290 talks where QCD token must be sent. And from my understanding > of the whole protocol it must not be sent in clear under any circumstances > (otherwise eavesdropper can easily tear down IKE SA), so the only logical > place for it in case of IKE SA resumption is IKE_AUTH exchange > that immediately follows IKE_SESSION_RESUME. So, I think, > correct text should be: > > For session resumption, as specified in [RFC5723], the situation is > similar. The responder, which is necessarily the peer that has > crashed, SHOULD send a new QCD_TOKEN in IKE_AUTH exchange > that immediately followes IKE_SESSION_RESUME exchange. > If the Initiator is also a token maker, it needs to send a QCD_TOKEN in > the same IKE_AUTH exchange. > > Best wishes, > Valery. _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
