
Re: CP(CFG_REQUEST) required?



Gregory Lebovitz wrote:
<trimmed...> 
> So here is the proposed text in sect 2.19:
> 
> "Responder MUST not send a CFG_REPLY without having first received a
> CP(CFG_REQUEST) from Initiator, because we do not want the IRAS to perform
> an unnecessary configuration lookup if the IRAC cannot process the REPLY. In
> the case where the IRAS's configuration requires that CP be used for a given
> identity IDi, but IRAC has failed to send a CP(CFG_REQUEST), IRAS SHOULD
> fail the request, and terminate the IKE exchange with the appropriate error
> message.

Whatever form a CP payload ultimately takes, in the case where security
policy *requires* that the IRAS send the request and yet it does not,
shouldn't the language read "...IRAS MUST fail the request..." (MUST
rather than SHOULD)?

Scott