[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Ipsec] Error notification in IKE_AUTH response?



Hi,

Section 4.2 of the clarifications draft says that if the initiator
receives an error notification during IKE_AUTH, the IKE_SA is created
as usual _if_ the error is related to the CHILD_SA creation
piggybacked on the IKE_AUTH exchange (NO_PROPOSAL_CHOSEN,
TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, or
FAILED_CP_REQUIRED).

Presumably, the notification would be placed in the IKE_AUTH response
that would usually contain the SA/TSi/TSr payloads, and SA/TSi/TSr are
omitted. The peers could continue using the IKE_SA for new
INFORMATIONAL/CREATE_CHILD_SA exchanges, or if they don't want to,
must close the IKE_SA with an INFORMATIONAL exchange containing the
Delete payload.

However,  neither RFC4306 nor the clarifications draft explicitly 
says what should happen if an error notification other than those 
listed in Section 4.2 is received.

RFC 4306 Section 3.10.1 also says that "An implementation receiving a
Notify payload with one of these types that it does not recognize in a
response MUST assume that the corresponding request has failed
entirely." Presumably, this means that the IKE_SA has not been
succesfully created, so it cannot be used for any additional 
exchanges (such as Delete), and the conversation stops there.

But what about the other error notification types listed in Section
3.10.1, such as AUTHENTICATION_FAILED? Do they also mean that
creating the IKE_SA failed (and thus conversation stops there),
or would some of them allow continuing the use of the IKE_SA?
And explicitly deleting it with Delete payload if the IKE_SA
is not needed anymore?

Best regards,
Pasi

_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec