Recently I have started reading the IKEv2 RFC (5996).
I need a clarification on assigning the IP address using the IKEv2 protocol, as
below, which I couldn't find in RFC4718:
Is it valid to assign the 0.0.0.0 IP address in the CFG_REPLY payload in the
IKE_AUTH message to the initiator?
I need this information for the scenario where the initiator can obtain the
IP address by some other means (say DHCP), but the initiator still needs a
secure channel to communicate with the gateway first, before sending the DHCP
request for obtaining the IP address.
Now, when the DHCP server provides the IP address to the initiator,
can the SPD be updated at that time (by extracting the IP assigned to
the initiator from the DHCP message) rather than
doing the same during the IKE_AUTH response? (I am thinking of assigning the
0.0.0.0 IP during the initial IKE_AUTH response in the CFG payload.)
Because when I looked into RFC4306 under section 2.19 (Requesting an
Internal Address on a Remote Network), it says,
"Message from responder to initiator:
TSi = (0,
TSr = (0,
* All returned values will be implementation dependent."
There is no mention in the RFC of something like "assigning 0.0.0.0 should be
handled as ERROR".
So can I safely say assigning the 0.0.0.0 IP address is compliant with the RFC?
Also section 3.15.4 (Address Assignment Failures) says,
"If the initiator does not receive the IP address(es) required by its
policy, it MAY keep the IKE SA up and retry the Configuration payload
as separate INFORMATIONAL exchange after suitable timeout"
Does it mean that the IPsec SA cannot be created unless a valid IP is
It is possible to create an IPsec SA with the traffic selector alone, right? Why
do we need to bother about IP allocation?
Assume that there is a policy in the initiator which says "0.0.0.0 MUST be the
IP address allocated by NAS"; then is it valid
to send the same in the CFG_REPLY payload?
Any help is highly appreciated.
Ietf mailing list
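The following is an added example, not part of the original post or of any RFC text, showing how an initiator might parse the Configuration payload and handle the scenario the post describes (a CFG_REPLY whose INTERNAL_IP4_ADDRESS is 0.0.0.0, with the real address to come later from DHCP over the tunnel). The wire layout and attribute numbers follow RFC 7296 section 3.15; the `build_cfg_payload`, `parse_cfg_payload`, `interpret_cfg_reply` and `child_sa_plan` functions, the sample payloads and the "await-dhcp" decision are assumptions made for this illustration, not an RFC ruling on whether 0.0.0.0 is compliant. Because the payload comes from the peer, every length is bounds-checked before it is used.

```python
import struct
import ipaddress

# Constants from RFC 7296 section 3.15 (Configuration Payload).
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_DHCP = 6
UNSPECIFIED_IPV4 = ipaddress.IPv4Address("0.0.0.0")


def build_cfg_payload(cfg_type, attributes, next_payload=0):
    """Encode a Configuration payload: generic payload header (Next Payload,
    flags, Payload Length), CFG Type + 3 reserved bytes, then attributes.
    `attributes` is a list of (attribute_type, value_bytes)."""
    body = b"".join(struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
                    for attr_type, value in attributes)
    length = 4 + 4 + len(body)
    return (struct.pack("!BBH", next_payload, 0, length)
            + struct.pack("!B3x", cfg_type) + body)


def parse_cfg_payload(data):
    """Decode a Configuration payload into (cfg_type, [(attr_type, value)]).
    Raises ValueError on truncated or inconsistent lengths; the payload is
    peer-controlled, so each slice is bounds-checked first."""
    if len(data) < 8:
        raise ValueError("payload shorter than fixed header")
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("payload length field disagrees with buffer")
    cfg_type = data[4]
    attrs = []
    off = 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, alen = struct.unpack("!HH", data[off:off + 4])
        attr_type = raw_type & 0x7FFF  # clear the reserved R bit
        off += 4
        if off + alen > length:
            raise ValueError("attribute value runs past payload end")
        attrs.append((attr_type, data[off:off + alen]))
        off += alen
    return cfg_type, attrs


def interpret_cfg_reply(data):
    """Summarize a CFG_REPLY: the assigned IPv4 address (None if absent or
    0.0.0.0, with `address_unspecified` flagging the 0.0.0.0 case) and the
    internal DHCP server address, if the responder supplied one."""
    cfg_type, attrs = parse_cfg_payload(data)
    if cfg_type != CFG_REPLY:
        raise ValueError("not a CFG_REPLY")
    result = {"address": None, "dhcp_server": None, "address_unspecified": False}
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS:
            if len(value) != 4:
                raise ValueError("INTERNAL_IP4_ADDRESS must be 4 octets in a reply")
            addr = ipaddress.IPv4Address(value)
            if addr == UNSPECIFIED_IPV4:
                result["address_unspecified"] = True
            else:
                result["address"] = addr
        elif attr_type == INTERNAL_IP4_DHCP and len(value) == 4:
            result["dhcp_server"] = ipaddress.IPv4Address(value)
    return result


def child_sa_plan(summary):
    """Initiator-side decision (an assumption of this example): install the
    SPD entry now if a real address was assigned, defer it until DHCP over the
    tunnel answers if only a DHCP server was given, otherwise report no address."""
    if summary["address"] is not None:
        return "install", str(summary["address"])
    if summary["dhcp_server"] is not None:
        return "await-dhcp", str(summary["dhcp_server"])
    return "no-address", None


# Constructed sample payloads (not captured traffic).
SAMPLE_REPLY_ZERO = build_cfg_payload(CFG_REPLY, [
    (INTERNAL_IP4_ADDRESS, bytes(4)),            # 0.0.0.0 placeholder
    (INTERNAL_IP4_DHCP, bytes([10, 0, 0, 1])),   # DHCP server reachable via tunnel
])
SAMPLE_REPLY_ASSIGNED = build_cfg_payload(CFG_REPLY, [
    (INTERNAL_IP4_ADDRESS, bytes([10, 0, 0, 42])),
    (INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 0])),
])

if __name__ == "__main__":
    for name, sample in (("zero", SAMPLE_REPLY_ZERO), ("assigned", SAMPLE_REPLY_ASSIGNED)):
        print(name, child_sa_plan(interpret_cfg_reply(sample)))
```

The point of the `address_unspecified` flag is that 0.0.0.0 is kept distinct from "attribute absent", so whatever policy an implementation chooses for the post's scenario can be applied deliberately rather than by accident of parsing.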