
Re: Don't remove TS from IKEv2



> If what you are saying was true I'd agree but I believe it is both useful
> and possible to do. Useful because I have been on the receiving end of
> a report from the field with the specificity of "the pings stopped" and
> it was just this capability that was used to figure out why. Possible to
> do because I've done it.

I think it would be just as easy to diagnose that situation if you got
an ICMP message with an appropriate reason code.  Maybe even easier,
because the user would get an error message from the ping program
saying "traffic denied by security policy" instead of calling you for
help.  (And yes, I think there should be some new ICMP codes defined
for this sort of thing, but even the existing codes could make the
above situation clear.)

This is a problem that can be solved generally as an IPsec issue,
it doesn't have to be solved by each key management protocol.

And if the service was something less trivial than "ping" you probably
wouldn't have been able to get as far as you did, because either the
tunnel wouldn't have been established at all (because the initiator's
selectors, wide enough to allow the potential range of traffic the
service entails, would be rejected by the responder) or because the
service would just silently fail (because the initiator's selectors,
narrow enough to be accepted by the responder, didn't include all of
the traffic that the service entails).

					-=] Mike [=-
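As an added illustration (not part of the mail above or of any IKEv2 implementation), the following Python model walks through the two failure modes the reply describes: a proposal wider than the responder's policy is rejected outright, and a proposal narrow enough to be accepted leaves some of a service's flows outside the negotiated selector, so that traffic fails silently. The selector layout (IPv4 range plus port range), the "strict" versus "narrowing" responder behaviour, the policy, and the service flows are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Selector:
    """Toy traffic selector: one IPv4 address range and one port range.
    Protocol is assumed fixed (e.g. TCP) to keep the model small."""
    ip_lo: int
    ip_hi: int
    port_lo: int
    port_hi: int

    @classmethod
    def from_net(cls, net: str, port_lo: int = 0, port_hi: int = 65535) -> "Selector":
        n = IPv4Network(net)
        return cls(int(n.network_address), int(n.broadcast_address), port_lo, port_hi)

    def intersect(self, other: "Selector") -> Optional["Selector"]:
        """Overlap of two selectors, or None when they share no traffic."""
        ip_lo, ip_hi = max(self.ip_lo, other.ip_lo), min(self.ip_hi, other.ip_hi)
        p_lo, p_hi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        if ip_lo > ip_hi or p_lo > p_hi:
            return None
        return Selector(ip_lo, ip_hi, p_lo, p_hi)

    def covers(self, ip: str, port: int) -> bool:
        a = int(IPv4Address(ip))
        return self.ip_lo <= a <= self.ip_hi and self.port_lo <= port <= self.port_hi

def negotiate(proposed: Selector, policy: Selector, narrow: bool) -> Optional[Selector]:
    """Responder decision (assumed model).
    narrow=False: accept only a proposal that fits entirely inside policy,
                  otherwise reject (None) -- the 'wide selectors rejected' case.
    narrow=True:  accept the overlap of proposal and policy, reject only on no overlap."""
    overlap = proposed.intersect(policy)
    if overlap is None:
        return None
    if narrow:
        return overlap
    return proposed if overlap == proposed else None

def uncovered_flows(negotiated: Optional[Selector],
                    flows: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Flows of the service that the negotiated SA would not carry.
    With no SA at all, every flow is uncovered."""
    if negotiated is None:
        return list(flows)
    return [f for f in flows if not negotiated.covers(*f)]

# Constructed scenario (not from the mail): the responder only permits the
# service's data ports to one /24, while the service also needs a control
# connection on 443 to another host in that /24.
POLICY = Selector.from_net("10.1.0.0/24", 8000, 8010)
WIDE = Selector.from_net("10.1.0.0/16")              # "wide enough for anything"
NARROW = Selector.from_net("10.1.0.0/24", 8000, 8010)  # "narrow enough to be accepted"
SERVICE_FLOWS = [("10.1.0.5", 8001), ("10.1.0.7", 8005), ("10.1.0.9", 443)]

def scenario() -> dict:
    """Run both proposals against the strict responder and report the outcome."""
    wide_sa = negotiate(WIDE, POLICY, narrow=False)
    narrow_sa = negotiate(NARROW, POLICY, narrow=False)
    return {
        "wide_rejected": wide_sa is None,                        # tunnel never comes up
        "narrow_accepted": narrow_sa == NARROW,
        "silently_dropped": uncovered_flows(narrow_sa, SERVICE_FLOWS),  # no tunnel, no error
        "narrowing_responder_gives": negotiate(WIDE, POLICY, narrow=True),
    }

if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Note the last entry: a responder that narrows instead of rejecting accepts the wide proposal but still produces an SA equal to its own policy, so the control flow on port 443 is dropped either way; the mail's point is that the initiator learns this only through lost packets unless something like an ICMP "denied by security policy" indication is returned.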