[strongSwan] Unrecognized payload types and critical bit is not set, parsing CREATE_CHILD_SA response fails
kumuda
kumuda at linux.vnet.ibm.com
Wed Sep 24 08:28:10 CEST 2014
Hi,
Can you please address the problems reported below?
Regards,
Kumuda G
On 09/17/2014 03:34 PM, kumuda wrote:
> One more issue related to "Unrecognized payload types and critical bit
> is not set" is found when the device is configured as responder.
>
> A CREATE_CHILD_SA request including a payload with an invalid payload type
> is sent to the responder. The E payload's IKE Header Next Payload field is
> set to 1 and the invalid payload's critical flag is not set. The request
> includes a Notify Payload of type REKEY_SA with the rekeyed CHILD_SA's SPI
> value in the SPI field to the responder.
>
> Processing of the CREATE_CHILD_SA request fails and an INVALID_SYNTAX
> notify message is sent.
> Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> could not decrypt payloads
> Sep 16 08:49:43 15[IKE] <tahi_ikev2_test|1> message parsing failed
> Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> added payload of type NOTIFY to message
> Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> added payload of type NOTIFY to message
> Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> generating CREATE_CHILD_SA response 2 [ N(INVAL_SYN) ]
>
> The responder was expected to transmit a CREATE_CHILD_SA response 2 [ N(USE_TRANSP) SA No TSi TSr ]
>
> Regards,
> Kumuda G
>
> On 09/17/2014 03:06 PM, kumuda wrote:
>> Hi,
>>
>> The test is to verify whether an IKEv2 device (configured as initiator)
>> ignores invalid payload types when the invalid payload's critical bit is
>> not set.
>>
>> The initial IKE_SA_INIT and IKE_AUTH exchanges are successful. After
>> waiting until the lifetime of the SA has expired, a CREATE_CHILD_SA
>> request is sent from the Initiator. The Responder sends a CREATE_CHILD_SA
>> response with an unrecognized payload type (the E payload's IKE Header
>> Next Payload field is set to 1) and the Critical bit not set.
>>
>> IP Header
>> | | Version = 6
>> | | Source Address = 2001:db8:f:1::1
>> | | Destination Address = 2001:db8:1:1::1
>> | UDP Header
>> | | Source Port = 500
>> | | Destination Port = 500
>> | Internet Security Association and Key Management Protocol Payload
>> | | IKE Header
>> | | | IKE_SA Initiator's SPI = 1a3f1895496c736a
>> | | | IKE_SA Responder's SPI = dd83a7c8dc00d857
>> | | | Next Payload = 46 (E)
>> | | | Major Version = 2
>> | | | Minor Version = 0
>> | | | Exchange Type = 36 (CREATE_CHILD_SA)
>> | | | Flags = 32 (0b00100000)
>> | | | | Reserved (XX000000) = 0
>> | | | | Response (00R00000) = 1
>> | | | | Version (000V0000) = 0
>> | | | | Initiator (0000I000) = 0
>> | | | | Reserved (00000XXX) = 0
>> | | | Message ID = 2 (0x2)
>> | | | Length = 444 (0x1bc)
>> | | | E Payload
>> | | | | Next Payload = 1 (1)
>> | | | | Critical = 0
>> | | | | Reserved = 0
>> | | | | Payload Length = 416 (0x1a0)
>> | | | | Initialization Vector = a4ba9622a9657136
>> | | | | Encrypted IKE Payloads
>> | | | | | UNDEFINED Payload (type(1))
>> | | | | | | Next Payload = 41 (N)
>> | | | | | | Critical = 0
>> | | | | | | Reserved = 0
>> | | | | | | Payload Length = 4 (0x4)
>> | | | | | N Payload
>> | | | | | | Next Payload = 33 (SA)
>> | | | | | | Critical = 0
>> | | | | | | Reserved = 0
>> | | | | | | Payload Length = 8 (0x8)
>> | | | | | | Protocol ID = 0 (no relation)
>> | | | | | | SPI Size = 0
>> | | | | | | Notify Message Type = 16391 (USE_TRANSPORT_MODE)
>>
>>
>> Parsing the response fails at the initiator side.
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 0 U_INT_8
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 41
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 1 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 2 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 3 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 4 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 5 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 6 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 7 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 8 RESERVED_BIT
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 9 PAYLOAD_LENGTH
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 4
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 10 U_INT_32
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 553648136
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 11 U_INT_32
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 16391
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 12 (1258)
>> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> could not decrypt payloads
>> Sep 16 03:51:54 12[IKE] <tahi_ikev2_test|1> message parsing failed
>> Sep 16 03:51:54 12[IKE] <tahi_ikev2_test|1> CREATE_CHILD_SA response with message ID 2 processing failed
>>
>> Since the response parsing failed, the session using the second
>> negotiated algorithms is not established and the tests fail.
>>
>>
>> Regards,
>> Kumuda G
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
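The behaviour the TAHI test is checking is the rule in RFC 7296, section 2.5: a receiver that does not recognise a payload type skips that payload (using its Payload Length field) when its Critical bit is clear, and rejects the whole message with N(UNSUPPORTED_CRITICAL_PAYLOAD) when the bit is set. Payload type 1 is not assigned in IKEv2 (types 1 to 32 are reserved), so the chain in the dump above is exactly the skip case. The following is an added example written for this page, not strongSwan's parser or any code from the reporter: a small chain walker over the decrypted payloads of an IKEv2 message. The sample byte strings are constructed from the dump above (the UNDEFINED type-1 payload followed by N(USE_TRANSPORT_MODE)); because the page does not show the SA payload that follows, the constructed Notify carries Next Payload = 0 instead of 33 so that the chain terminates. All function names are the example's own.

```python
"""Added example (not strongSwan code): walk a decrypted IKEv2 payload chain and
skip unrecognised payloads whose Critical bit is clear (RFC 7296, section 2.5)."""
import struct

# Payload type numbers assigned in RFC 7296 that this toy parser recognises.
KNOWN_PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi",
    45: "TSr", 46: "SK", 47: "CP", 48: "EAP",
}
NO_NEXT_PAYLOAD = 0
GENERIC_HEADER_LEN = 4        # Next Payload | C + RESERVED | Payload Length (2 bytes)
USE_TRANSPORT_MODE = 16391    # Notify Message Type seen in the dump above


class InvalidSyntax(Exception):
    """Malformed chain: the peer would answer with N(INVALID_SYNTAX)."""


class UnsupportedCriticalPayload(Exception):
    """Unknown type with C=1: the peer answers N(UNSUPPORTED_CRITICAL_PAYLOAD)."""


def parse_payload_chain(data: bytes, first_type: int) -> list:
    """Return [(type, name, body)] for the recognised payloads in `data`.

    `first_type` is the Next Payload value of the preceding header (the E
    payload's Next Payload field in the CREATE_CHILD_SA response above).
    Unknown types are skipped when C=0 and rejected when C=1.
    """
    payloads = []
    offset = 0
    ptype = first_type
    while ptype != NO_NEXT_PAYLOAD:
        if len(data) - offset < GENERIC_HEADER_LEN:
            raise InvalidSyntax("truncated generic payload header")
        next_type, flags, length = struct.unpack_from("!BBH", data, offset)
        critical = bool(flags & 0x80)
        if length < GENERIC_HEADER_LEN or offset + length > len(data):
            raise InvalidSyntax(f"bad payload length {length} for type {ptype}")
        body = data[offset + GENERIC_HEADER_LEN:offset + length]
        if ptype in KNOWN_PAYLOAD_TYPES:
            payloads.append((ptype, KNOWN_PAYLOAD_TYPES[ptype], body))
        elif critical:
            raise UnsupportedCriticalPayload(ptype)
        # Unknown type with C=0: skip it, trusting only its own length field.
        offset += length
        ptype = next_type
    if offset != len(data):
        raise InvalidSyntax("trailing bytes after the last payload")
    return payloads


def parse_notify(body: bytes) -> tuple:
    """Decode a Notify payload body into (protocol_id, spi, notify_type)."""
    if len(body) < 4:
        raise InvalidSyntax("short Notify payload")
    protocol_id, spi_size, notify_type = struct.unpack_from("!BBH", body, 0)
    if len(body) < 4 + spi_size:
        raise InvalidSyntax("Notify SPI runs past the payload")
    return protocol_id, body[4:4 + spi_size], notify_type


def process_chain(data: bytes, first_type: int) -> tuple:
    """Map the parse outcome to what a peer would send back: ('ok', names),
    ('INVALID_SYNTAX', []) or ('UNSUPPORTED_CRITICAL_PAYLOAD', [type])."""
    try:
        parsed = parse_payload_chain(data, first_type)
    except UnsupportedCriticalPayload as exc:
        return "UNSUPPORTED_CRITICAL_PAYLOAD", [exc.args[0]]
    except InvalidSyntax:
        return "INVALID_SYNTAX", []
    return "ok", [name for _, name, _ in parsed]


# Constructed from the decrypted chain in the dump above: the UNDEFINED type-1
# payload (Next Payload = 41, C = 0, Length = 4) followed by N(USE_TRANSPORT_MODE).
# The real response continues with an SA payload that the page does not show,
# so the Notify here carries Next Payload = 0 instead of 33 to end the chain.
SAMPLE_NONCRITICAL = bytes.fromhex("29000004" "00000008" "00004007")
# Same chain, but with the unknown payload's Critical bit set (0x80 in the flags byte).
SAMPLE_CRITICAL = bytes.fromhex("29800004" "00000008" "00004007")
# The unknown payload alone: it announces a type-41 payload that never arrives.
SAMPLE_TRUNCATED = bytes.fromhex("29000004")

if __name__ == "__main__":
    for label, sample in [("non-critical", SAMPLE_NONCRITICAL),
                          ("critical", SAMPLE_CRITICAL),
                          ("truncated", SAMPLE_TRUNCATED)]:
        print(label, process_chain(sample, first_type=1))
```

Running the block prints ('ok', ['N']) for the constructed non-critical chain, which is the outcome the test expected from the initiator and the responder in both reports above; the critical variant yields the UNSUPPORTED_CRITICAL_PAYLOAD outcome with the offending type, and the truncated chain is the only one that maps to INVALID_SYNTAX.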