|Main Archive Page > Month Archives > ipsec archives|
Yoav Nir writes:
> I wish that were true, but here's what the draft says about
> INVALID_SYNTAX 7
> Indicates the IKE message that was received was invalid because
> some type, length, or value was out of range or because the
> request was rejected for policy reasons. To avoid a denial of
> service attack using forged messages, this status may only be
> returned for and in an encrypted packet if the message ID and
> cryptographic checksum were valid.
> This "or because the request was rejected for policy reasons means
> that even perfectly good implementations might get an INVALID_SYNTAX.
> I don't know why this is so, but that's the way it is in RFC 4306 as
I do not think it should be sent because of policy reasons, as we do have specific errors (authentication failed, no proposal chosen and ts unacceptable etc).
I have not seen anybody sending this because of policy reasons, only case where I have seen this was in interops when someone send some broken packets to other end.
I think we should remove the "for policy reasons" part and specify that this is only used in protocol error situations. -- firstname.lastname@example.org _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec