
RE: CP(CFG_REQUEST) required?





> From: Scott G.Kelly
>
> Gregory Lebovitz wrote:
> <trimmed...>
> > So here is the proposed text in sect 2.19:
> >
> > "Responder MUST not send a CFG_REPLY without having first received a
> > CP(CFG_REQUEST) from Initiator, because we do not want the IRAS to perform
> > an unnecessary configuration lookup if the IRAC cannot process the REPLY. In
> > the case where the IRAS's configuration requires that CP be used for a given
> > identity IDi, but IRAC has failed to send a CP(CFG_REQUEST), IRAS SHOULD
> > fail the request, and terminate the IKE exchange with the appropriate error
> > message.
>
> Whatever form a CP payload ultimately takes, in the case where security
> policy *requires* that the IRAS send the request and yet it does not,
> shouldn't the language read "...IRAS MUST fail the request..." (MUST
> rather than SHOULD)?

I agree.

Darren

>
> Scott