[strongSwan-dev] INVALID_SPI notify payload

Jean-Francois HREN jean-francois.hren at stormshield.eu
Fri Nov 12 16:24:52 CET 2021


Hello, 

When receiving an informational packet with a notify payload for INVALID_SPI, the initiator SPI of the IKE header can be 0 (https://www.rfc-editor.org/rfc/rfc4718#section-7.7). However, when building without mediation support, this kind of IKE header is rejected. Maybe this check can be delayed until later for INFORMATIONAL exchanges, when the next payload has been parsed.

Any thoughts about this?

Thank you. 

Jean-François HREN 
Developer - Network Security R&D
STORMSHIELD
2/6 Parc de l'Horizon
59650 Villeneuve d'Ascq - FRANCE
Mobile : +33 (0)6 23 08 80 81
Twitter: https://twitter.com/Stormshield . LinkedIn: https://www.linkedin.com/company/22425?trk=cws-btn-overview-0-0 . www.stormshield.eu
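
The deferred check suggested in the message above, sketched as an added example (not strongSwan code and not part of the original post): a zero initiator SPI is accepted only for an INFORMATIONAL exchange whose first payload is a well-formed Notify of type INVALID_SPI. The function names, verdict values and sample bytes are constructed for illustration; field offsets and numeric constants follow RFC 7296.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { IKE_HDR_LEN = 28, EXCH_INFORMATIONAL = 37, PL_NOTIFY = 41, N_INVALID_SPI = 11 };
enum verdict { IKE_REJECT, IKE_ACCEPT, IKE_UNAUTH_INVALID_SPI };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* IKE header (RFC 7296, 3.1): SPIi[8] SPIr[8] next[1] version[1]
 * exchange[1] flags[1] message-id[4] length[4]. */
enum verdict check_ike_message(const uint8_t *m, size_t len)
{
    static const uint8_t zero[8];
    if (len < IKE_HDR_LEN || be32(m + 24) != len)
        return IKE_REJECT;
    if (memcmp(m, zero, 8) != 0)
        return IKE_ACCEPT;                 /* normal path, SA lookup follows */
    /* Zero initiator SPI: do not decide on the header alone. */
    if (m[18] != EXCH_INFORMATIONAL || m[16] != PL_NOTIFY)
        return IKE_REJECT;
    const uint8_t *n = m + IKE_HDR_LEN;    /* first payload, unencrypted */
    size_t left = len - IKE_HDR_LEN;
    if (left < 8)                          /* minimum Notify payload size */
        return IKE_REJECT;
    size_t plen = be16(n + 2);
    if (plen < 8u + n[5] || plen > left)   /* n[5] is the SPI size field */
        return IKE_REJECT;
    if (be16(n + 6) != N_INVALID_SPI)
        return IKE_REJECT;
    return IKE_UNAUTH_INVALID_SPI;         /* unauthenticated: a hint only */
}

/* Constructed sample: header plus one Notify carrying a 4-byte ESP SPI. */
size_t build_sample(uint8_t *out, int zero_spi, uint8_t exch, uint16_t ntype)
{
    memset(out, 0, 40);
    if (!zero_spi)
        memset(out, 0xA5, 8);              /* arbitrary non-zero initiator SPI */
    out[16] = PL_NOTIFY; out[17] = 0x20; out[18] = exch;
    out[27] = 40;                          /* total message length */
    out[31] = 12;                          /* Notify payload length */
    out[34] = (uint8_t)(ntype >> 8); out[35] = (uint8_t)ntype;
    memcpy(out + 36, "\xde\xad\xbe\xef", 4); /* notification data: made-up SPI */
    return 40;
}
```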
