<div dir="ltr"><p class="MsoNormal" style>Hi,</p><p class="MsoNormal" style><br></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Arial,sans-serif">We have a doubt
regarding the behavior of the Responder during initial tunnel setup where the IKE_AUTH
request’s proposal substructure (in the SA Payload) does not contain an SPI for
child-sa creation.</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Arial,sans-serif">From RFC 5996:</span></p>
<p class="MsoNormal" style><a href="http://tools.ietf.org/search/rfc5996#section-3.3.1"><b><span style="font-family:'Courier New';color:black">3.3.1</span></b></a><b><span style="font-size:12pt;font-family:'Courier New';color:black">. Proposal Substructure</span></b><br></p>
<pre style><span style="font-size:12pt;font-family:'Courier New';color:black">                      1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | 0 (last) or 2 |   RESERVED    |         Proposal Length       |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Proposal Num  |  Protocol ID  |    SPI Size   |Num  Transforms|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 ~                        SPI (variable)                         ~
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 ~                        &lt;Transforms&gt;                           ~
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span></pre>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">If the above header in the IKE_AUTH
REQ from the Initiator contains “</span><span style="font-size:12pt;font-family:'Courier New';color:black">SPI Size” </span><span style="color:rgb(31,73,125)">as zero and the SPI is not present, what should be the
behavior of the responder?</span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><b><span style="color:rgb(31,73,125)">In our opinion it should
return “INVALID_SYNTAX” in the notify payload of the IKE_AUTH Response with no
other payload present in it</span></b><span style="color:rgb(31,73,125)">. Below is
the RFC reference.</span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Again, from RFC 5996:</span></p>
<h4 style><a name="section-3.10.1"></a><a href="http://tools.ietf.org/search/rfc5996#section-3.10.1"><span style="font-family:'Courier New';color:black">3.10.1</span></a><span style="font-family:'Courier New';color:black">. Notify Message Types</span></h4>
<pre style><span style="font-size:12pt;color:black">&lt;snip&gt;
   INVALID_SYNTAX                            7
       Indicates the IKE message that was received was invalid because
       some type, length, or value was out of range or because the
       request was rejected for policy reasons.
&lt;snip&gt;</span></pre>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">It would be appreciated if someone could provide a pointer where we can confirm our understanding.</span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Thanks</span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Mukesh</span></p></div>
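<p>The check discussed in the message above, as an added example that is not part of the original post or of any IKEv2 implementation: a parser for one Proposal substructure that rejects a Child SA proposal whose SPI Size does not match the 4 octets RFC 5996 section 3.3.1 gives for ESP and AH. Reporting the failure as INVALID_SYNTAX follows the poster's reading and is an assumption; <code>ProposalError</code>, <code>build_proposal</code>, <code>parse_child_proposal</code> and the sample bytes are constructed for illustration.</p>

```python
import struct

PROTO_AH, PROTO_ESP = 2, 3                    # IKEv2 Protocol IDs used for Child SAs
CHILD_SPI_SIZE = {PROTO_AH: 4, PROTO_ESP: 4}  # octets, RFC 5996 section 3.3.1
INVALID_SYNTAX = 7                            # Notify Message Type quoted in the post
# last, RESERVED, Proposal Length, Proposal Num, Protocol ID, SPI Size, Num Transforms
HDR = struct.Struct("!BBHBBBB")


class ProposalError(ValueError):
    """Malformed proposal. `notify` is the error type the poster suggests
    (assumption: the thread does not confirm this choice)."""
    notify = INVALID_SYNTAX


def build_proposal(proto, spi, transforms, num=1, n_transforms=1):
    """Construct a Proposal substructure (only used to make sample input)."""
    length = HDR.size + len(spi) + len(transforms)
    return HDR.pack(0, 0, length, num, proto, len(spi), n_transforms) + spi + transforms


def parse_child_proposal(buf):
    """Validate and split one Proposal substructure offered for a Child SA."""
    if len(buf) < HDR.size:
        raise ProposalError("truncated proposal header")
    last, _, length, num, proto, spi_size, n_tr = HDR.unpack_from(buf)
    if last not in (0, 2):
        raise ProposalError("first octet must be 0 (last) or 2")
    if length > len(buf) or length < HDR.size + spi_size:
        raise ProposalError("Proposal Length does not fit the buffer or the SPI")
    if proto not in CHILD_SPI_SIZE:
        raise ProposalError("Protocol ID %d is not AH or ESP" % proto)
    if spi_size != CHILD_SPI_SIZE[proto]:
        raise ProposalError("SPI Size %d, expected %d" % (spi_size, CHILD_SPI_SIZE[proto]))
    spi = buf[HDR.size:HDR.size + spi_size]
    return {"num": num, "proto": proto, "spi": spi,
            "n_transforms": n_tr, "transforms": buf[HDR.size + spi_size:length]}


# Constructed sample input: one 8-octet ENCR transform (Transform ID 3).
TRANSFORM = bytes.fromhex("0000000801000003")
GOOD = build_proposal(PROTO_ESP, bytes.fromhex("c0ffee01"), TRANSFORM)
NO_SPI = build_proposal(PROTO_ESP, b"", TRANSFORM)  # the case asked about

if __name__ == "__main__":
    print(parse_child_proposal(GOOD))
    try:
        parse_child_proposal(NO_SPI)
    except ProposalError as e:
        print("reject, notify type", e.notify, "-", e)
```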