|Main Archive Page > Month Archives > ipsec archives|
Keith Welter writes:
> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
I do consider INVALID_SYNTAX fatal error, meaning the IKE SA will be deleted immediately after sending that response containing INVALID_SYNTAX and if I receive INVALID_SYNTAX notification I will immediately silently delete the IKE SA.
INVALID_SYNTAX can only happen in if there bugs in implementations. There is no way it could happen during normal operation, and it is also error which does NOT go way. I.e. if other end has bug that it sends payload whose for example payload length exceeds the packet length, that error will not go away even if we ignore the exchange.
Usually receiving INVALID_SYNTAX means there is something seriously wrong in the either implementation, and there is no point of trying to continue connection with it, as future attemtps to communicate will most likely result in same error (or at least cause peers to get out of sync (for example if delete payload had incorrect length and was ignored, then peers do not agree on which SAs are up after that)).
As this is only error code that can be fixed by the programmers fixing bugs in implementations, there is no point of writing code to cope with such cases. If such code is written it is most likely be completely untested, thus it most likely have even more bugs (in worst case it can have security bugs), thus it is better to take the simple and easy solution instead, and simply delete the IKE SA immediately.
As this cannot ever happen with conforming implementations there is no need for conforming implementations to agree on what they do on this error... If this error is ever seen that means either implementation is not conforming the specification. -- email@example.com _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec