Re: CP(CFG_REQUEST) required?
Gregory Lebovitz wrote:
<trimmed...>
> So here is the proposed text in sect 2.19:
>
> "Responder MUST not send a CFG_REPLY without having first received a
> CP(CFG_REQUEST) from Initiator, because we do not want the IRAS to perform
> an unnecessary configuration lookup if the IRAC cannot process the REPLY. In
> the case where the IRAS's configuration requires that CP be used for a given
> identity IDi, but IRAC has failed to send a CP(CFG_REQUEST), IRAS SHOULD
> fail the request, and terminate the IKE exchange with the appropriate error
> message.
Whatever form a CP payload ultimately takes, in the case where security
policy *requires* that the IRAS send the request and yet it does not,
shouldn't the language read "...IRAS MUST fail the request..." (MUST
rather than SHOULD)?
Scott