|Main Archive Page > Month Archives > ipsec archives|
On Sep 7, 2009, at 3:48 PM, Tero Kivinen wrote:
> Keith Welter writes:
>> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
> I do consider INVALID_SYNTAX fatal error, meaning the IKE SA will be
> deleted immediately after sending that response containing
> INVALID_SYNTAX and if I receive INVALID_SYNTAX notification I will
> immediately silently delete the IKE SA.
> INVALID_SYNTAX can only happen in if there bugs in implementations.
> There is no way it could happen during normal operation, and it is
> also error which does NOT go way. I.e. if other end has bug that it
> sends payload whose for example payload length exceeds the packet
> length, that error will not go away even if we ignore the exchange.
I wish that were true, but here's what the draft says about INVALID_SYNTAX INVALID_SYNTAX 7 Indicates the IKE message that was received was invalid because some type, length, or value was out of range or because the request was rejected for policy reasons. To avoid a denial of service attack using forged messages, this status may only be returned for and in an encrypted packet if the message ID and cryptographic checksum were valid.
This "or because the request was rejected for policy reasons means that even perfectly good implementations might get an INVALID_SYNTAX. I don't know why this is so, but that's the way it is in RFC 4306 as well.