[strongSwan] payload order checking

Andreas Steffen andreas.steffen at strongswan.org
Fri Jun 18 22:17:01 CEST 2010


Hi Richard,

strongSwan 4.1.10 dating from December 20, 2007 is very old!
Our example IKEv2 net-net scenario using strongSwan 4.4.0

http://www.strongswan.org/uml/testresults44/ikev2/net2net-cert/moon.daemon.log

shows the following correct payload order:

IKE_SA_INIT request  0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

strongSwan adheres to the pragmatic policy to be strict in what we
send and to be lenient in what we receive. Actually our flexible parser
doesn't care in what order the payloads arrive. Why should we reject
a packet if we can successfully decode and process it?

Best regards

Andreas

> Hello,
>
> I have a couple of questions about the payload order checking.  One of our tests
> attempts to verify that if the order of the sent payloads is incorrect the
> message is ignored or rejected.
>
> However, we are seeing that a response is sent; in the trace we see that the
> payloads are checked for presence, but the order does not seem to be considered.
>
> Test sequence is:
>
> 1. The initiator sends the following packet order
>
>   IKE_SA_INIT request (HDR, SAi1, Ni, KEi)
>
> 2. Expect that this message will be dropped and no response sent.  However, we
> are seeing a response as follows
>
> IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
>
>
> From RFC 4306 sec 2.5 I see:
>
>     Although new payload types may be added in the future and may appear
>     interleaved with the fields defined in this specification,
>     implementations MUST send the payloads defined in this specification
>     in the order shown in the figures in section 2 and implementations
>     SHOULD reject as invalid a message with those payloads in any other
>     order.
>
>
> My questions are on how this is implemented.
>
> 1. Since it is listed as a SHOULD, does the message get processed if all the
> sections are present?
>
> 2. Is this something that has been changed in later versions? - I am using
> version 4.1.10
>
>
> Thank you

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
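The two positions in this thread, the RFC's "SHOULD reject" and strongSwan's "decode it if we can", can be made concrete with a small payload-chain walker. The following is an added example written for this archive page; it is not strongSwan code and does not mirror its parser. It assumes the payload type numbers and notify message types of RFC 4306 (SA=33, KE=34, CERTREQ=38, Nonce=40, Notify=41, NAT_DETECTION_SOURCE_IP=16388, NAT_DETECTION_DESTINATION_IP=16389), uses constructed dummy SPIs and zero-filled payload bodies, and simplifies the strict check to the relative order of SA, KE and Nonce only, letting notifies and CERTREQ sit anywhere. It builds the request from the daemon log and the swapped request from the test, prints both in the log's notation, evaluates them in lenient and strict mode, and shows the one thing a lenient parser must never relax: every payload length is checked against the real buffer, so a message whose length field points past the end is rejected as malformed rather than read out of bounds.

```python
import struct

# IKEv2 payload type numbers, RFC 4306 section 3.2
NO_NEXT_PAYLOAD = 0
SA, KE, CERTREQ, NONCE, NOTIFY = 33, 34, 38, 40, 41
PAYLOAD_NAMES = {SA: "SA", KE: "KE", CERTREQ: "CERTREQ", NONCE: "No", NOTIFY: "N"}
# Notify message types, RFC 4306 section 3.10.1
NATD_S_IP, NATD_D_IP = 16388, 16389
NOTIFY_NAMES = {NATD_S_IP: "NATD_S_IP", NATD_D_IP: "NATD_D_IP"}

IKE_SA_INIT = 34                    # exchange type
IKE_HEADER_LEN = 28                 # fixed IKEv2 header
GENERIC_HEADER_LEN = 4              # next payload, C/reserved, payload length
IKE_SA_INIT_ORDER = [SA, KE, NONCE]  # defined payloads in the order of the RFC figure


def build_message(payloads, exchange_type=IKE_SA_INIT, flags=0x08, msg_id=0):
    """Serialise (type, body) pairs into one IKEv2 message in the given order.
    Constructed sample: the SPIs are dummies and the bodies are opaque bytes."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        chain += struct.pack("!BBH", nxt, 0, GENERIC_HEADER_LEN + len(body)) + body
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x20,
                         exchange_type, flags, msg_id, IKE_HEADER_LEN + len(chain))
    return header + chain


def parse_payload_chain(message):
    """Walk the payload chain and return (type, body) pairs in wire order.
    Each length field is checked against the actual buffer before it is used,
    so an overlong or truncated payload raises ValueError instead of being
    read past the end of the message."""
    if len(message) < IKE_HEADER_LEN:
        raise ValueError("message shorter than IKEv2 header")
    next_type = message[16]
    (declared_len,) = struct.unpack("!I", message[24:28])
    if declared_len != len(message):
        raise ValueError("header length does not match message size")
    offset, payloads = IKE_HEADER_LEN, []
    while next_type != NO_NEXT_PAYLOAD:
        if offset + GENERIC_HEADER_LEN > len(message):
            raise ValueError("truncated generic payload header")
        following, _flags, plen = struct.unpack("!BBH", message[offset:offset + 4])
        if plen < GENERIC_HEADER_LEN or offset + plen > len(message):
            raise ValueError("payload length outside message")
        payloads.append((next_type, message[offset + 4:offset + plen]))
        offset, next_type = offset + plen, following
    if offset != len(message):
        raise ValueError("trailing bytes after last payload")
    return payloads


def describe(payloads):
    """Render the chain in the notation used by the strongSwan daemon log."""
    parts = []
    for ptype, body in payloads:
        if ptype == NOTIFY and len(body) >= 4:
            (mtype,) = struct.unpack("!H", body[2:4])
            parts.append(f"N({NOTIFY_NAMES.get(mtype, mtype)})")
        else:
            parts.append(PAYLOAD_NAMES.get(ptype, str(ptype)))
    return " ".join(parts)


def check_ike_sa_init(payloads, strict):
    """Lenient: accept when SA, KE and Nonce are each present exactly once, in
    any order (the behaviour described in the reply above). Strict: also
    require those three in the RFC figure order; other payloads (notifies,
    CERTREQ) may be interleaved anywhere. Simplified for the example."""
    types = [ptype for ptype, _ in payloads]
    if any(types.count(t) != 1 for t in IKE_SA_INIT_ORDER):
        return False
    if not strict:
        return True
    return [t for t in types if t in IKE_SA_INIT_ORDER] == IKE_SA_INIT_ORDER


def is_well_formed(message):
    """True when the payload chain parses without any length violation."""
    try:
        parse_payload_chain(message)
        return True
    except ValueError:
        return False


def notify(mtype, data):
    # Notify payload body: protocol ID 0, SPI size 0, message type, then data
    return struct.pack("!BBH", 0, 0, mtype) + data


# Constructed samples: the request from the log, and the swapped order from the test
RFC_ORDER = [(SA, b"\x00" * 8), (KE, b"\x00" * 8), (NONCE, b"\x00" * 16),
             (NOTIFY, notify(NATD_S_IP, b"\x00" * 20)),
             (NOTIFY, notify(NATD_D_IP, b"\x00" * 20))]
SWAPPED_ORDER = [(SA, b"\x00" * 8), (NONCE, b"\x00" * 16), (KE, b"\x00" * 8)]


def overlong_sample():
    """RFC_ORDER message whose first payload length field claims 4096 bytes."""
    msg = bytearray(build_message(RFC_ORDER))
    msg[IKE_HEADER_LEN + 2:IKE_HEADER_LEN + 4] = struct.pack("!H", 4096)
    return bytes(msg)


if __name__ == "__main__":
    for name, order in (("RFC order", RFC_ORDER), ("swapped", SWAPPED_ORDER)):
        chain = parse_payload_chain(build_message(order))
        print(f"{name:9}: [ {describe(chain)} ] lenient={check_ike_sa_init(chain, False)}"
              f" strict={check_ike_sa_init(chain, True)}")
    print("overlong :", is_well_formed(overlong_sample()))
```

Run as a script, the swapped request is accepted in lenient mode and refused in strict mode, while the message with the bad length field is refused in both: order is a policy choice, length validation is not.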
