Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

[Toerless Eckert <tte@cs.fau.de>]

On Wed, Jun 17, 2020 at 08:55:12PM -0400, Paul Wouters wrote:
> The RFC states:
> 
>    The USE_TRANSPORT_MODE notification MAY be included in a request
>    message that also includes an SA payload requesting a Child SA.  It
>    requests that the Child SA use transport mode rather than tunnel mode
>    for the SA created.  If the request is accepted, the response MUST
>    also include a notification of type USE_TRANSPORT_MODE.  If the
>    responder declines the request, the Child SA will be established in
>    tunnel mode.  If this is unacceptable to the initiator, the initiator
>    MUST delete the SA.
> 
> 
> But note that the responder has already installed the IPsec SA in tunnel
> mode. So if the initiator finds that unacceptable, it must send the
> delete. During all this time, connectivity between the nodes will be
> blocked. The intention here is that transport mode is optional and
> should not be mandated by other protocols. Otherwise, the IKEv1
> style negoation of transport OR tunnel mode would have been kept.

How about my mails ask that i read this text such that the initiator will
delete the SA (not only client SA) if transport mode is not supported
be responder. Aka: the last two sentences to me describe exactly the
case where the initiator can/want only support transport mode.

Aka: i can not read your interpretation into this text.

Please answer the other questions from my reply mail.

> So I would recommend to follow the intention of RFC 7296 and not make
> up your own restrictions.

Again, i had a lot of arguments in my email that i need to see answers
to so that we can make progress here.

Cheers
    Toerless