ipsec September 2009 archive
ipsec: Re: [IPsec] Issue #26: Missing treatment of error cases

From: Tero Kivinen <kivinen_at_nospam>
Date: Mon Sep 07 2009 - 15:56:47 GMT
To: Yoav Nir <ynir@checkpoint.com>


Yoav Nir writes:
> I wish that were true, but here's what the draft says about
> INVALID_SYNTAX
>
> INVALID_SYNTAX 7
> Indicates the IKE message that was received was invalid because
> some type, length, or value was out of range or because the
> request was rejected for policy reasons. To avoid a denial of
> service attack using forged messages, this status may only be
> returned for and in an encrypted packet if the message ID and
> cryptographic checksum were valid.
>
> This "or because the request was rejected for policy reasons" means
> that even perfectly good implementations might get an INVALID_SYNTAX.
> I don't know why this is so, but that's the way it is in RFC 4306 as
> well.

I do not think it should be sent because of policy reasons, as we do have specific errors (authentication failed, no proposal chosen, TS unacceptable, etc.).

I have not seen anybody sending this because of policy reasons; the only case where I have seen this was in interops, when someone sent some broken packets to the other end.

I think we should remove the "for policy reasons" part and specify that this is only used in protocol error situations.
-- 
kivinen@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec