ipsec September 2009 archive

Re: [IPsec] Fw: Issue #26: Missing treatment of error cases

From: Tero Kivinen <kivinen_at_nospam>
Date: Mon Sep 07 2009 - 12:58:58 GMT
To: Keith Welter <welterk@us.ibm.com>


Keith Welter writes:
> In this case, the INVALID_SYNTAX could relate to the SA, TSi or TSr
> payload in the IKE_AUTH response, which would mean that creation of the
> CHILD SA failed, not the IKE SA. I think INVALID_SYNTAX is ambiguous here
> without an explicit delete payload for either the IKE SA or the CHILD SA.

For normal errors in the SA payload there is the NO_PROPOSAL_CHOSEN error, and for TSi and TSr there is the TS_UNACCEPTABLE error.

If INVALID_SYNTAX is generated from, for example, the SA payload because the payload lengths inside the SA / Proposal / Transform payload substructure are wrong (or there is a payload type inside the SA payload other than what is allowed), then that again means that one end is broken and there is no point in continuing to create the IKE SA, as most likely all future exchanges will fail in a similar way.

It is clear to me that if INVALID_SYNTAX is ever returned in the IKE_AUTH exchange, that means the IKE SA was not successfully created (as we do not know whether the other end, for example, verified the AUTH payload). In that case, when the IKE SA was not created, there is no IKE SA to send a delete payload for.

If INVALID_SYNTAX is returned after that as a response to an INFORMATIONAL or CREATE_CHILD exchange, then it is not clear whether the other end deleted the SA or not, but as I said earlier that can only happen if there are bugs in implementations, so it is better to cut the discussion short to limit attack options.

-- 
kivinen@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
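The distinction the message draws, between a structurally broken SA payload (INVALID_SYNTAX, IKE SA setup abandoned, nothing to delete) and a well-formed payload that simply offers nothing acceptable (NO_PROPOSAL_CHOSEN, IKE SA established but Child SA not created), can be shown with a small responder-side parser. The following is an added example and is not code from the mailing-list thread or from any IKE implementation. It parses only the Proposal and Transform substructures of an IKEv2 SA payload (generic payload header and transform attributes are left out), uses the registry values ENCR=1, INTEG=3, ENCR_3DES=3, ENCR_AES_CBC=12 and AUTH_HMAC_SHA1_96=2, and the local policy, the sample byte strings and the `handle_ike_auth_sa` outcome labels are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field


class InvalidSyntax(Exception):
    """Structural error: the peer that produced this is broken, so no IKE SA is kept."""


@dataclass
class Transform:
    ttype: int          # Transform Type (1 = ENCR, 3 = INTEG, ...)
    tid: int            # Transform ID within that type
    attrs: bytes = b""  # raw transform attributes, not interpreted here


@dataclass
class Proposal:
    num: int
    protocol_id: int    # 3 = ESP
    spi: bytes
    transforms: list = field(default_factory=list)


def parse_transforms(data: bytes, count: int) -> list:
    """Parse `count` chained Transform substructures; any length/flag inconsistency is syntax."""
    transforms, off = [], 0
    for i in range(count):
        if len(data) - off < 8:
            raise InvalidSyntax("transform header truncated")
        more, _r1, length, ttype, _r2, tid = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise InvalidSyntax("transform length out of range")
        if more != (3 if i < count - 1 else 0):   # 3 = more transforms follow, 0 = last
            raise InvalidSyntax("transform chaining flag inconsistent with count")
        transforms.append(Transform(ttype, tid, data[off + 8:off + length]))
        off += length
    if off != len(data):
        raise InvalidSyntax("trailing bytes after last transform")
    return transforms


def parse_sa_payload_body(body: bytes) -> list:
    """Parse the chained Proposal substructures that make up an SA payload body."""
    proposals, off, last_more = [], 0, None
    while off < len(body):
        if len(body) - off < 8:
            raise InvalidSyntax("proposal header truncated")
        more, _r, length, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        if more not in (0, 2):                     # 2 = more proposals follow, 0 = last
            raise InvalidSyntax("bad proposal chaining flag")
        if length < 8 + spi_size or off + length > len(body):
            raise InvalidSyntax("proposal length out of range")
        spi = body[off + 8:off + 8 + spi_size]
        transforms = parse_transforms(body[off + 8 + spi_size:off + length], ntrans)
        proposals.append(Proposal(num, proto, spi, transforms))
        off += length
        last_more = more
        if more == 0 and off != len(body):
            raise InvalidSyntax("data after final proposal")
    if last_more != 0:
        raise InvalidSyntax("SA payload empty or final proposal not flagged as last")
    return proposals


# Constructed local policy: every (type, id) pair here must appear in a proposal.
POLICY = {(1, 12), (3, 2)}   # ENCR_AES_CBC + AUTH_HMAC_SHA1_96


def choose_proposal(proposals: list, policy=POLICY):
    for p in proposals:
        if policy <= {(t.ttype, t.tid) for t in p.transforms}:
            return p
    return None


def handle_ike_auth_sa(sa_body: bytes):
    """Responder decision for the SA payload of an IKE_AUTH request.

    Returns (notify_to_send, ike_sa_outcome). A syntax error aborts IKE SA
    creation outright, so there is no SA left to send a Delete for; a merely
    unacceptable proposal leaves the IKE SA up and only the Child SA unmade.
    """
    try:
        proposals = parse_sa_payload_body(sa_body)
    except InvalidSyntax:
        return ("INVALID_SYNTAX", "ike_sa_not_created")
    if choose_proposal(proposals) is None:
        return ("NO_PROPOSAL_CHOSEN", "ike_sa_established")
    return (None, "ike_sa_established")


# --- constructed sample payloads -------------------------------------------
def transform(ttype, tid, more, attrs=b""):
    return struct.pack("!BBHBBH", more, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def proposal(num, proto, spi, transforms, more=0):
    body = b"".join(transforms)
    hdr = struct.pack("!BBHBBBB", more, 0, 8 + len(spi) + len(body), num, proto, len(spi), len(transforms))
    return hdr + spi + body


GOOD_SA = proposal(1, 3, b"\x00\x00\x00\x01", [transform(1, 12, 3), transform(3, 2, 0)])
WEAK_SA = proposal(1, 3, b"\x00\x00\x00\x02", [transform(1, 3, 3), transform(3, 2, 0)])
BAD_LENGTH_SA = GOOD_SA[:2] + struct.pack("!H", 100) + GOOD_SA[4:]   # proposal length overruns

if __name__ == "__main__":
    for name, sa in (("good", GOOD_SA), ("weak", WEAK_SA), ("bad-length", BAD_LENGTH_SA)):
        print(name, handle_ike_auth_sa(sa))
```

The point of keeping `InvalidSyntax` separate from the policy check is exactly the one made in the message: a length or chaining error is evidence that the peer's encoder is broken, so the responder stops before any IKE SA state exists, whereas NO_PROPOSAL_CHOSEN is a normal negotiation outcome that leaves the IKE SA in place for a later CREATE_CHILD_SA.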