[strongSwan] incorrect notification data for critical invalid payload type

Andreas Steffen andreas.steffen at strongswan.org
Sun Jul 1 15:13:09 CEST 2012


What do you mean by corrupted? To my inexperienced eyes the log shows
that indeed a one-octet notification payload is sent containing the
received and rejected value 0x2D which is not defined according to IANA.

Andreas

On 07/01/2012 01:39 PM, gowrishankar wrote:
> Hi,
> 
> I am testing IKEv2 implementation for invalid but critical payload type.
> strongswan seems to be sending notification payload of message type
> "UNSUPPORTED_CRITICAL_PAYLOAD" as expected. But, notification data is
> corrupted whereas it should be a "one-octet payload type" as per
> Section 2.5 of RFC 5996 (or 4306).
> 
> From charon.log:
> 
> Jun 30 22:45:07 16[ENC] payload type (100) is not supported, but its critical!
> Jun 30 22:45:07 16[IKE] critical unknown payloads found
> Jun 30 22:45:07 16[ENC] added payload of type NOTIFY to message
> Jun 30 22:45:07 16[ENC] added payload of type NOTIFY to message
> Jun 30 22:45:07 16[ENC] generating CREATE_CHILD_SA response 2 [ N(CRIT) ]
> Jun 30 22:45:07 16[ENC] insert payload NOTIFY to encryption payload
> ...
> ..
> Jun 30 22:45:07 16[ENC] generating payload of type NOTIFY
> ...
> ..
> Jun 30 22:45:07 16[ENC]   generating rule 14 NOTIFICATION_DATA
> Jun 30 22:45:07 16[ENC]    => => 1 bytes @ 0xad7005a8
> Jun 30 22:45:07 16[ENC]    0: 2D                                               -
> Jun 30 22:45:07 16[ENC] generating NOTIFY payload finished
> 
> Also, I found this problem might have been fixed in 5.0.0 version (though
> I have not yet tested), by a rework applied to handle variable
> length of payload data.
> 
> http://wiki.strongswan.org/projects/strongswan/repository/revisions/95a26523afc0d2a997cd1d4f738c287ae045ae4e
> 
> 
> Can someone confirm if this was already reported (if so, strongswan
> bug id?) or I can open a defect to down-stream the patch in 4.6.x ?
> 
> Thanks,
> Gowri Shankar

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
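
A check a tester could run on the response, as an added example (not strongSwan code and not from either poster): it decodes a Notify payload using the RFC 5996 section 3.10 layout and compares the one-octet notification data with the payload type that was sent. The function names are hypothetical, the payload bytes are constructed, and reading the log's "(100)" as decimal is an assumption.

```python
import struct

UNSUPPORTED_CRITICAL_PAYLOAD = 1  # Notify Message Type (RFC 5996, section 3.10.1)
HDR = "!BBHBBH"  # next payload, flags, length, protocol ID, SPI size, notify type


def build_notify(msg_type, data, spi=b"", protocol_id=0, next_payload=0):
    """Encode a Notify payload (hypothetical helper for constructing test input)."""
    length = struct.calcsize(HDR) + len(spi) + len(data)
    header = struct.pack(HDR, next_payload, 0, length, protocol_id, len(spi), msg_type)
    return header + spi + data


def parse_notify(payload):
    """Decode a Notify payload, rejecting inconsistent length fields."""
    fixed = struct.calcsize(HDR)
    if len(payload) < fixed:
        raise ValueError("truncated Notify payload")
    _, _, length, _, spi_size, msg_type = struct.unpack(HDR, payload[:fixed])
    if length != len(payload) or fixed + spi_size > length:
        raise ValueError("length fields do not match the payload")
    return msg_type, payload[fixed + spi_size:]


def check_critical_notify(payload, sent_type):
    """Return a list of findings; an empty list means the notify is as expected."""
    msg_type, data = parse_notify(payload)
    if msg_type != UNSUPPORTED_CRITICAL_PAYLOAD:
        return [f"notify type {msg_type}, expected {UNSUPPORTED_CRITICAL_PAYLOAD}"]
    if len(data) != 1:
        return [f"notification data is {len(data)} octets, expected 1"]
    if data[0] != sent_type:
        return [f"notification data 0x{data[0]:02X} != sent payload type 0x{sent_type:02X}"]
    return []


# Constructed inputs: type 100 and data 0x2D mirror the log above (assuming
# "(100)" is decimal); the second payload echoes the sent type.
SENT_TYPE = 100
AS_LOGGED = build_notify(UNSUPPORTED_CRITICAL_PAYLOAD, b"\x2d")
ECHOED = build_notify(UNSUPPORTED_CRITICAL_PAYLOAD, bytes([SENT_TYPE]))

if __name__ == "__main__":
    for name, payload in (("as logged", AS_LOGGED), ("echoed", ECHOED)):
        print(name, check_critical_notify(payload, SENT_TYPE) or "ok")
```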





