[strongSwan-dev] INVALID_SPI notify payload
Tobias Brunner
tobias at strongswan.org
Fri Nov 12 16:47:07 CET 2021
Hi Jean-Francois,
> When receiving an informational packet with a notify payload for
> INVALID_SPI, the initiator SPI of the IKE header can be 0
> (https://www.rfc-editor.org/rfc/rfc4718#section-7.7).
Please refer to RFC 7296 for IKEv2; this clarification has been
incorporated into section 1.5 there.
> However when
> building without mediation support, this kind of IKE header is rejected.
> Maybe this check can be delayed for later for INFORMATIONAL exchange when
> the next payload was parsed.
>
> Any thoughts about this?
We currently don't support INVALID_SPI notifies at all (or parsing
unprotected INFORMATIONAL requests outside of an IKE_SA for that
matter), so I don't see the need to change anything at the moment.
Regards,
Tobias