[strongSwan] Four Bytes SPI is not present in IKE_AUTH req's proposal Substructure
Navneet Priya (navpriya)
navpriya at cisco.com
Mon Jan 6 07:54:22 CET 2014
Hi,
Please suggest if our understanding is correct for the below scenario.
We had a doubt regarding the behavior of the Responder during initial tunnel setup where the IKE_AUTH request's proposal substructure (in the SA Payload) does not contain an SPI for child-SA creation.
From RFC 5996:
3.3.1. Proposal Substructure <http://tools.ietf.org/search/rfc5996#section-3.3.1>
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 (last) or 2 |   RESERVED    |         Proposal Length       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Proposal Num  |  Protocol ID  |    SPI Size   |Num  Transforms|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                        SPI (variable)                         ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                        <Transforms>                           ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
If the above header in the IKE_AUTH request from the Initiator contains "SPI Size" as zero and the SPI is not present, what should be the behavior of the responder?
In our opinion it should return "INVALID_SYNTAX" in the Notify payload of the IKE_AUTH response with no other payload present in it. Below is the RFC reference.
Again, from RFC 5996:
3.10.1. Notify Message Types <http://tools.ietf.org/search/rfc5996#section-3.10.1>
<snip>
INVALID_SYNTAX 7
Indicates the IKE message that was received was invalid because
some type, length, or value was out of range or because the
request was rejected for policy reasons.
<snip>
Thanks
Navneet
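A small parser for the Proposal Substructure quoted above, as an added example that is not part of the original post and not strongSwan's code. It decodes the 8-octet header and applies the RFC 5996 section 3.3.1 rule for the SPI Size field: zero for the initial IKE SA negotiation, otherwise the SPI length of the protocol (8 for IKE, 4 for ESP and AH). A proposal whose SPI Size does not match, or whose lengths do not add up, is rejected with the INVALID_SYNTAX value (7) quoted from section 3.10.1. Treating the mismatch as INVALID_SYNTAX follows the handling the post proposes and is an assumption here, not a description of what any responder implementation does; the sample proposals and the transform bytes inside them are constructed for the example.

```python
import struct

# Notify Message Type quoted in the post (RFC 5996 section 3.10.1).
INVALID_SYNTAX = 7

# Protocol IDs from RFC 5996 section 3.3.1.
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3

# SPI Size expected for a non-initial negotiation (RFC 5996 section 3.3.1):
# 8 octets for IKE, 4 for ESP and AH. The initial IKE SA uses SPI Size 0.
EXPECTED_SPI_SIZE = {PROTO_IKE: 8, PROTO_AH: 4, PROTO_ESP: 4}

# Fixed header: last/more, RESERVED, Proposal Length, Proposal Num,
# Protocol ID, SPI Size, Num Transforms (network byte order, 8 octets).
PROPOSAL_HEADER = struct.Struct("!BBHBBBB")


def parse_proposal(data, initial_ike_sa=False):
    """Parse one Proposal Substructure and validate its SPI field.

    Returns (proposal, None) on success or (None, INVALID_SYNTAX) when the
    substructure is malformed. `initial_ike_sa` is True only while parsing
    the SA payload of IKE_SA_INIT, where SPI Size must be zero.
    """
    if len(data) < PROPOSAL_HEADER.size:
        return None, INVALID_SYNTAX
    last_or_more, _reserved, length, num, proto, spi_size, n_transforms = \
        PROPOSAL_HEADER.unpack_from(data)
    # RESERVED is ignored on receipt; the first octet must be 0 or 2.
    if last_or_more not in (0, 2):
        return None, INVALID_SYNTAX
    if length < PROPOSAL_HEADER.size or length > len(data):
        return None, INVALID_SYNTAX
    if proto not in EXPECTED_SPI_SIZE:
        return None, INVALID_SYNTAX
    expected = 0 if (proto == PROTO_IKE and initial_ike_sa) else EXPECTED_SPI_SIZE[proto]
    if spi_size != expected:
        # The case from the post: ESP/AH proposal in IKE_AUTH with SPI Size 0.
        return None, INVALID_SYNTAX
    if PROPOSAL_HEADER.size + spi_size > length:
        return None, INVALID_SYNTAX
    spi_end = PROPOSAL_HEADER.size + spi_size
    proposal = {
        "last": last_or_more == 0,
        "num": num,
        "protocol": proto,
        "spi": data[PROPOSAL_HEADER.size:spi_end],
        "num_transforms": n_transforms,
        "transforms": data[spi_end:length],  # left undecoded here
    }
    return proposal, None


def build_proposal(proto, spi, transforms, num_transforms, last=True, num=1):
    """Encode a Proposal Substructure; used only to construct sample input."""
    body = spi + transforms
    return PROPOSAL_HEADER.pack(0 if last else 2, 0, PROPOSAL_HEADER.size + len(body),
                                num, proto, len(spi), num_transforms) + body


# Constructed sample transform: one Integrity (type 3) transform, ID 2,
# no attributes, 8 octets long.
SAMPLE_TRANSFORM = struct.pack("!BBHBBH", 0, 0, 8, 3, 0, 2)

# Constructed samples: a well-formed ESP proposal with a 4-octet SPI, the
# malformed one from the post (SPI Size 0 in a child-SA proposal), and an
# initial IKE SA proposal where SPI Size 0 is correct.
GOOD_ESP = build_proposal(PROTO_ESP, b"\x12\x34\x56\x78", SAMPLE_TRANSFORM, 1)
BAD_ESP_NO_SPI = build_proposal(PROTO_ESP, b"", SAMPLE_TRANSFORM, 1)
INIT_IKE = build_proposal(PROTO_IKE, b"", SAMPLE_TRANSFORM, 1)


def responder_decision(data, initial_ike_sa=False):
    """Return 'accept' or the notify type a responder would send back."""
    _proposal, error = parse_proposal(data, initial_ike_sa)
    return "accept" if error is None else error


if __name__ == "__main__":
    print("good ESP:", responder_decision(GOOD_ESP))
    print("ESP without SPI:", responder_decision(BAD_ESP_NO_SPI))
    print("initial IKE:", responder_decision(INIT_IKE, initial_ike_sa=True))
```

The `initial_ike_sa` flag is the only context the check needs: the same SPI Size 0 that is mandatory in IKE_SA_INIT is the error in an IKE_AUTH or CREATE_CHILD_SA proposal for ESP or AH.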