ipsec September 2009 archive

Re: [IPsec] Fw: Issue #26: Missing treatment of error cases

From: Yoav Nir <ynir_at_nospam>
Date: Fri Sep 04 2009 - 19:09:17 GMT
To: Keith Welter <welterk@us.ibm.com>


Then I should have explained better.

If an initiator sees an error in the response, the exchange is already over, so the only way it can notify the responder of the error is to create a new INFORMATIONAL exchange with an error notification.

All the text here discusses the one INFORMATIONAL exchange that immediately follows the IKE_AUTH exchange. If that contains an INVALID_SYNTAX, it relates to the response to the IKE_AUTH exchange, and it means that the creation of the IKE SA failed.

In any other place, such as a CCSA or an INFORMATIONAL, or in an INFORMATIONAL that follows one of those exchanges, an INVALID_SYNTAX just means that the previous message was ignored.

On Sep 4, 2009, at 7:26 PM, Keith Welter wrote:

> >>> In an IKE_AUTH
> >>> exchange, or in the subsequent INFORMATIONAL exchange, only the
> >>> following notifications cause the IKE SA to be deleted or not
> >>> created, without a DELETE payload:
> >>> o UNSUPPORTED_CRITICAL_PAYLOAD
> >>> o INVALID_SYNTAX
> >>> o AUTHENTICATION_FAILED
> >>>
> >>> Extension documents may define new error notifications with these
> >>> semantics, but MUST NOT use them unless the peer is known to
> >>> understand them.
> >>
> >> In subsequent INFORMATIONAL exchanges the UNSUPPORTED_CRITICAL_PAYLOAD
> >> should not be fatal. It only means that the responder ignored the
> >> whole message and replied with UNSUPPORTED_CRITICAL_PAYLOAD. That does
> >> not delete IKE SA.
> >>
> >> For the IKE_AUTH the UNSUPPORTED_CRITICAL_PAYLOAD can delete the IKE
> >> SA as IKE SA is not yet ready.
> >
> >That's what I meant. I will clarify this.
> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted either.
> Actually, my last statement was overly simplistic. I should have said that there is at least one case when I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted; specifically, when it is included in a CREATE_CHILD_SA exchange. However, I wonder if it is sufficient for an INVALID_SYNTAX in an INFORMATIONAL exchange to cause an IKE SA to be deleted without including a delete payload for the IKE SA. It seems potentially ambiguous what an implementation should do if an INFORMATIONAL message contains only INVALID_SYNTAX whereas the addition of a delete payload for the IKE SA makes the situation clear.
>
> Keith Welter
> IBM z/OS Communications Server Developer 1-415-545-2694 (T/L: 473-2694)


IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
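
The rule described in the message above, written as a classifier over the decrypted payload chain of a received message. This is an added example, not code from the thread or from any IKEv2 implementation; the function names, the `follows_ike_auth` flag and the sample payload builders are assumptions made for illustration, and the numeric constants are the RFC 4306 registry values.

```python
import struct
from enum import Enum

# Exchange types, payload types and error notify types (RFC 4306 registries)
IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 35, 36, 37
PL_NOTIFY, PL_DELETE, PROTO_IKE = 41, 42, 1
UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, AUTHENTICATION_FAILED = 1, 7, 24
FATAL_AROUND_AUTH = {UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, AUTHENTICATION_FAILED}

class Outcome(Enum):
    IKE_SA_FAILED = "IKE SA not created; no DELETE payload needed"
    IKE_SA_DELETED = "explicit DELETE payload for the IKE SA"
    IKE_SA_KEPT = "error reported, IKE SA stays up"
    NO_ERROR = "no error notification present"

def walk_payloads(first_type, body):
    """Yield (payload_type, payload_data) for each payload in the chain."""
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(body):
            raise ValueError("truncated generic payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length")
        yield ptype, body[off + 4:off + length]
        ptype, off = nxt, off + length

def classify(exchange, first_type, body, follows_ike_auth=False):
    """Decide what a received message means for the IKE SA."""
    errors, ike_delete = set(), False
    for ptype, data in walk_payloads(first_type, body):
        if ptype == PL_NOTIFY and len(data) >= 4:
            ntype = struct.unpack_from("!H", data, 2)[0]
            if ntype < 16384:            # 0..16383 are error types
                errors.add(ntype)
        elif ptype == PL_DELETE and len(data) >= 4 and data[0] == PROTO_IKE:
            ike_delete = True            # unambiguous, as Keith suggests
    if ike_delete:
        return Outcome.IKE_SA_DELETED
    if not errors:
        return Outcome.NO_ERROR
    around_auth = exchange == IKE_AUTH or (exchange == INFORMATIONAL and follows_ike_auth)
    if around_auth and errors & FATAL_AROUND_AUTH:
        return Outcome.IKE_SA_FAILED
    return Outcome.IKE_SA_KEPT           # previous message was ignored

# Constructed sample payloads (protocol ID 0, no SPI, no notification data)
def notify(ntype, nxt=0):
    return struct.pack("!BBHBBH", nxt, 0, 8, 0, 0, ntype)

IKE_DELETE = struct.pack("!BBHBBH", 0, 0, 8, PROTO_IKE, 0, 0)
```

The caller has to track `follows_ike_auth` itself, since nothing in the INFORMATIONAL message marks it as the one that immediately follows IKE_AUTH.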