[strongSwan] Behavior of responder if "Four Bytes SPI is not present in IKE_AUTH req's proposal Substructure"
Mukesh Yadav
write2mukesh84 at gmail.com
Mon Jan 6 09:43:02 CET 2014
Hi,
We have a doubt regarding the behavior of the Responder during initial tunnel setup
where the IKE_AUTH request's Proposal Substructure (in the SA Payload) does not
contain an SPI for CHILD_SA creation.
From RFC 5996:
3.3.1. Proposal Substructure <http://tools.ietf.org/search/rfc5996#section-3.3.1>

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | 0 (last) or 2 |   RESERVED    |         Proposal Length       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Proposal Num  |  Protocol ID  |    SPI Size   |Num  Transforms|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                        SPI (variable)                         ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                        <Transforms>                           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
If the above header in the IKE_AUTH request from the Initiator contains "SPI
Size" as zero and the SPI is not present, what should the behavior of the
responder be?
In our opinion it should return "INVALID_SYNTAX" in the Notify payload of
the IKE_AUTH response, with no other payload present in it. Below is the RFC
reference.
Again, from RFC 5996:
3.10.1. Notify Message Types <http://tools.ietf.org/search/rfc5996#section-3.10.1>
<snip>
   INVALID_SYNTAX                           7
       Indicates the IKE message that was received was invalid because
       some type, length, or value was out of range or because the
       request was rejected for policy reasons.
<snip>
It would be appreciated if someone could provide a pointer where we can
confirm our understanding.
Thanks
Mukesh
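A small responder-side parser for the Proposal Substructure quoted above, added here as a worked example; it is not strongSwan code and not code from the poster. It applies the SPI Size rule of RFC 5996 section 3.3.1 (8 octets for an IKE proposal, 4 for ESP and AH, 0 only for the IKE proposal of the initial IKE_SA_INIT exchange) and, following the poster's reading of section 3.10.1, maps any layout violation, including an ESP proposal whose SPI Size is 0 and which carries no SPI, to the INVALID_SYNTAX notify type. Whether strongSwan itself answers exactly this way is not asserted. The builder function and the sample proposals are constructed for the example, not captured traffic.

```python
"""IKEv2 Proposal Substructure parser (RFC 5996 section 3.3.1).

Added example, not strongSwan code. Strict: any field out of range, including
an SPI Size that does not match the Protocol ID, is reported as INVALID_SYNTAX.
"""
import struct

PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3       # Protocol ID values (section 3.3.1)
INVALID_SYNTAX = 7                              # Notify Message Type (section 3.10.1)
SPI_SIZE_FOR_PROTO = {PROTO_IKE: 8, PROTO_AH: 4, PROTO_ESP: 4}


class ProposalSyntaxError(ValueError):
    """A proposal that violates the RFC 5996 layout; carries the notify to send."""
    notify_type = INVALID_SYNTAX


def parse_proposal(buf, offset=0, initial_ike_sa=False):
    """Parse one Proposal Substructure at buf[offset:]; return (dict, next_offset)."""
    if len(buf) - offset < 8:
        raise ProposalSyntaxError("proposal header truncated")
    more, _reserved, length, num, proto, spi_size, num_transforms = \
        struct.unpack_from("!BBHBBBB", buf, offset)
    if more not in (0, 2):
        raise ProposalSyntaxError("first octet must be 0 (last) or 2 (more)")
    if length < 8 or offset + length > len(buf):
        raise ProposalSyntaxError("Proposal Length out of range")
    if proto not in SPI_SIZE_FOR_PROTO:
        raise ProposalSyntaxError("unknown Protocol ID %d" % proto)
    # SPI Size must match the protocol; zero is legal only for the initial IKE SA,
    # where the SPIs come from the IKE header.  This is the poster's case.
    expected = 0 if (proto == PROTO_IKE and initial_ike_sa) else SPI_SIZE_FOR_PROTO[proto]
    if spi_size != expected:
        raise ProposalSyntaxError("SPI Size %d for Protocol ID %d, expected %d"
                                  % (spi_size, proto, expected))
    if 8 + spi_size > length:
        raise ProposalSyntaxError("SPI does not fit in Proposal Length")
    spi = bytes(buf[offset + 8:offset + 8 + spi_size])

    # Transform Substructures (section 3.3.2) fill the rest of the proposal.
    pos, end, transforms = offset + 8 + spi_size, offset + length, []
    for _ in range(num_transforms):
        if end - pos < 8:
            raise ProposalSyntaxError("transform header truncated")
        t_more, _r1, t_len, t_type, _r2, t_id = struct.unpack_from("!BBHBBH", buf, pos)
        if t_more not in (0, 3) or t_len < 8 or pos + t_len > end:
            raise ProposalSyntaxError("bad transform header")
        transforms.append({"type": t_type, "id": t_id,
                           "attrs": bytes(buf[pos + 8:pos + t_len])})
        pos += t_len
    if pos != end:
        raise ProposalSyntaxError("transforms do not fill Proposal Length")
    return {"last": more == 0, "num": num, "proto": proto, "spi": spi,
            "transforms": transforms}, end


def parse_sa_proposals(buf, initial_ike_sa=False):
    """Parse the chain of proposals that makes up an SA payload body."""
    proposals, offset = [], 0
    while offset < len(buf):
        prop, offset = parse_proposal(buf, offset, initial_ike_sa)
        proposals.append(prop)
        if prop["last"]:
            break
    if not proposals or not proposals[-1]["last"] or offset != len(buf):
        raise ProposalSyntaxError("proposal chain not terminated at end of payload")
    return proposals


def ike_auth_responder_check(sa_body):
    """Responder check of an IKE_AUTH SA payload: None if it parses, else the
    Notify Message Type to answer with.  IKE_AUTH is never the initial IKE SA
    negotiation, so every proposal here must carry a real SPI."""
    try:
        parse_sa_proposals(sa_body, initial_ike_sa=False)
    except ProposalSyntaxError as err:
        return err.notify_type
    return None


# --- constructed sample input (not captured traffic) ---------------------
def build_proposal(num, proto, spi, transforms, last=True):
    """Encode a Proposal Substructure; transforms are (type, id, attrs) tuples."""
    encoded = b""
    for i, (t_type, t_id, attrs) in enumerate(transforms):
        t_more = 0 if i == len(transforms) - 1 else 3
        encoded += struct.pack("!BBHBBH", t_more, 0, 8 + len(attrs), t_type, 0, t_id) + attrs
    body = spi + encoded
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(body),
                       num, proto, len(spi), len(transforms)) + body

KEYLEN_128 = struct.pack("!HH", 0x800E, 128)   # TV attribute: Key Length = 128
ESP_TRANSFORMS = [(1, 12, KEYLEN_128), (3, 2, b""), (5, 0, b"")]    # AES-CBC, HMAC-SHA1-96, no ESN
IKE_TRANSFORMS = [(1, 12, KEYLEN_128), (2, 2, b""), (3, 2, b""), (4, 14, b"")]

GOOD_ESP_PROPOSAL = build_proposal(1, PROTO_ESP, b"\x12\x34\x56\x78", ESP_TRANSFORMS)
BAD_ESP_PROPOSAL_NO_SPI = build_proposal(1, PROTO_ESP, b"", ESP_TRANSFORMS)  # poster's case
IKE_INIT_PROPOSAL = build_proposal(1, PROTO_IKE, b"", IKE_TRANSFORMS)        # IKE_SA_INIT only

if __name__ == "__main__":
    print("valid ESP proposal ->", ike_auth_responder_check(GOOD_ESP_PROPOSAL))
    print("ESP, SPI Size 0    ->", ike_auth_responder_check(BAD_ESP_PROPOSAL_NO_SPI))
```

The same IKE proposal with SPI Size 0 is accepted when parsed with initial_ike_sa=True and rejected otherwise, which is the distinction the RFC text on SPI Size draws; the responder function passes False because IKE_AUTH and CREATE_CHILD_SA proposals always name an SPI.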