On Fri, 25 Sep 2015, Tero Kivinen wrote:
Minimal implementations do not support CREATE_CHILD_SA requests and MUST
reply to those with a CREATE_CHILD_SA reply containing the NO_ADDITIONAL_SAS
error notify payload.
We could find a middle ground using "Minimal implementations that
do not support CREATE_CHILD_SA requests MUST ...."
I do not want to add such MUSTs which changes the RFC7296.
I don't think it does that, but I'm fine with whatever text you end up
using for this.
Yes, but if we make text here say that MUST send NO_ADDITIONAL_SAS,
then any implementation following this document is not allowed to
fully support CREATE_CHILD_SA.
That is why my suggested text said "that do not implement
CREATE_CHILD_SA" - notice the "that".
We are trying to tell what features of IKEv2 MAY be left out, we do
not specify what MUST be left out.
Yes, but I was trying to address the confusion of what it means if
something is "left out". If support for create_child_sa is left out,
does that mean you need to reply to such a request with that exchange
number, or use an informational exchange type. That is the confusion
I see developers could have. To me it seems even if you do not want
to support CREATE_CHILD_SA, you still need to implement answering a
CREATE_CHILD_SA with an error notify.
What the minimal implementations look like depends a lot on the
actual usage.
And again, I disagree because this document defines what a minimal
implementation is. You yourself are talking about minimal
implementations that also might support CREATE_CHILD_SA. I guess
in a way you are describing "initiator only ikev2 clients" more than
"minimal". But anyway, as I said. I'm okay with your original text.
For example the other implementation we had did implement NAT-T,
mostly because he wanted to get the ESP packets inside the UDP
encapsulated packets over port 4500, and not mess up with privileged
port 500, and raw sockets. If the text would say NAT-T MUST NOT be
implemented, his implementation would not be following this spec...
I was only trying to say that IF you do not support CREATE_CHILD_SA,
then you MUST still support enough of it to answer with a
CREATE_CHILD_SA stating an error code. That is different from say,
not supporting SESSION_RESUMPTION or Exchange Number 666.
Anyway, for the record. With the changes of me that you applied, I am
fine with the document moving forward. Thanks for your work on this.
Paul
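The behaviour argued for above, as an added example that is not part of the thread, the draft, or either implementation discussed: a minimal IKEv2 responder that does not implement CREATE_CHILD_SA still parses the fixed IKE header, recognises exchange type 36, and answers with a CREATE_CHILD_SA response (same exchange type, same Message ID, Response bit set) carrying a NO_ADDITIONAL_SAS Notify. It never looks at the request body, which is the point: "left out" means not processing the exchange, not ignoring it. Assumptions: all function names are mine; the SK encryption and integrity protection that wraps payloads after IKE_AUTH is omitted, so the Notify is emitted as a bare payload; the sample request is constructed here with a stand-in Nonce body rather than a real SA/TS proposal; the constants are the RFC 7296 values.

```python
import struct

# IKEv2 constants from RFC 7296 (sections 3.1, 3.2, 3.10.1)
IKE_VERSION = 0x20               # major version 2, minor 0
EXCH_CREATE_CHILD_SA = 36
EXCH_INFORMATIONAL = 37
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
PAYLOAD_NONE = 0
PAYLOAD_NONCE = 40
PAYLOAD_NOTIFY = 41
NOTIFY_NO_ADDITIONAL_SAS = 35
HEADER_FMT = "!8s8sBBBBII"       # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_header(msg):
    """Parse the fixed IKEv2 header and sanity-check version and length."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than IKE header")
    spi_i, spi_r, next_pl, version, exch, flags, msg_id, length = struct.unpack(
        HEADER_FMT, msg[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    if length != len(msg):
        raise ValueError("length field does not match message size")
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": next_pl, "exch": exch,
            "flags": flags, "msg_id": msg_id, "body": msg[HEADER_LEN:]}


def parse_payloads(first_type, body):
    """Walk the generic payload chain; returns [(payload type, payload data)]."""
    out, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(body):
            raise ValueError("truncated payload chain")
        next_type, _crit, plen = struct.unpack("!BBH", body[off:off + 4])
        if plen < 4 or off + plen > len(body):
            raise ValueError("bad payload length")
        out.append((ptype, body[off + 4:off + plen]))
        ptype, off = next_type, off + plen
    if off != len(body):
        raise ValueError("trailing bytes after payload chain")
    return out


def build_notify(next_payload, notify_type, protocol_id=0, spi=b"", data=b""):
    """Notify payload: generic header, protocol id, SPI size, notify type, SPI, data."""
    length = 8 + len(spi) + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length,
                       protocol_id, len(spi), notify_type) + spi + data


def build_message(spi_i, spi_r, exch, flags, msg_id, first_payload, body):
    hdr = struct.pack(HEADER_FMT, spi_i, spi_r, first_payload, IKE_VERSION,
                      exch, flags, msg_id, HEADER_LEN + len(body))
    return hdr + body


def answer_create_child_sa(request, we_are_original_initiator):
    """Answer a CREATE_CHILD_SA request with NO_ADDITIONAL_SAS.

    Returns None for anything that is not a CREATE_CHILD_SA request so the
    caller can route other exchanges elsewhere.  Only the header is examined;
    the request body (SA, nonce, KE, TS payloads) is deliberately not parsed.
    Assumption: SK wrapping is omitted; on a real IKE SA the Notify is sent
    inside an encrypted and integrity-protected SK payload.
    """
    hdr = parse_header(request)
    if hdr["exch"] != EXCH_CREATE_CHILD_SA or hdr["flags"] & FLAG_RESPONSE:
        return None
    # The I bit reflects our own role on the IKE SA, not who sent the request.
    flags = FLAG_RESPONSE | (FLAG_INITIATOR if we_are_original_initiator else 0)
    body = build_notify(PAYLOAD_NONE, NOTIFY_NO_ADDITIONAL_SAS)
    # Same exchange type (36) and same Message ID as the request: that is how
    # the peer matches the error to its outstanding CREATE_CHILD_SA request.
    return build_message(hdr["spi_i"], hdr["spi_r"], EXCH_CREATE_CHILD_SA,
                         flags, hdr["msg_id"], PAYLOAD_NOTIFY, body)


def notify_types(msg):
    """Collect the Notify message types carried in a message."""
    hdr = parse_header(msg)
    types = []
    for ptype, data in parse_payloads(hdr["next_payload"], hdr["body"]):
        if ptype == PAYLOAD_NOTIFY:
            _proto, _spi_size, ntype = struct.unpack("!BBH", data[:4])
            types.append(ntype)
    return types


def make_sample_request():
    """Constructed CREATE_CHILD_SA request from the original responder (I bit
    clear), Message ID 7, with a stand-in Nonce body instead of a real proposal."""
    nonce = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + 16) + b"\xaa" * 16
    return build_message(b"\x11" * 8, b"\x22" * 8, EXCH_CREATE_CHILD_SA,
                         0, 7, PAYLOAD_NONCE, nonce)


if __name__ == "__main__":
    req = make_sample_request()
    resp = answer_create_child_sa(req, we_are_original_initiator=True)
    print(parse_header(resp)["exch"], notify_types(resp))
```

The handler refuses nothing else and decides nothing else: an INFORMATIONAL request, or a message with the Response bit already set, falls through to whatever the rest of the minimal implementation does with it, which keeps the "enough of CREATE_CHILD_SA to say no" logic in one place.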