Yoav Nir writes:
> I wish that were true, but here's what the draft says about
> INVALID_SYNTAX
>
> INVALID_SYNTAX 7
> Indicates the IKE message that was received was invalid because
> some type, length, or value was out of range or because the
> request was rejected for policy reasons. To avoid a denial of
> service attack using forged messages, this status may only be
> returned for and in an encrypted packet if the message ID and
> cryptographic checksum were valid.
>
> This "or because the request was rejected for policy reasons" means
> that even perfectly good implementations might get an INVALID_SYNTAX.
> I don't know why this is so, but that's the way it is in RFC 4306 as
> well.
I do not think it should be sent because of policy reasons, as we do have specific errors (authentication failed, no proposal chosen, ts unacceptable, etc.).
I have not seen anybody sending this because of policy reasons; the only case where I have seen this was in interops when someone sent some broken packets to the other end.
I think we should remove the "for policy reasons" part and specify that this is only used in protocol error situations.
-- 
kivinen@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
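The distinction argued for in the thread (INVALID_SYNTAX only for protocol errors, a specific notify for policy rejections, and neither until the message ID and integrity check have passed) can be shown as a small responder decision routine. The following is an added example written for this archive page; it is not code from the thread, from any IKE implementation, or from the draft. It assumes a deliberately simplified model: the "encrypted packet" integrity check is stood in for by an HMAC-SHA256 over the message ID, first payload type and body under a constructed key, and the payload chain is the plain IKEv2 generic payload header (Next Payload, flags, Payload Length) with no encryption. Notify and payload numbers are the IKEv2 registry values (INVALID_SYNTAX 7 as quoted above; NO_PROPOSAL_CHOSEN 14, TS_UNACCEPTABLE 38, SA 33, TSi 44, TSr 45 from RFC 5996/7296); the sample messages and the `child_sa_policy` rule are constructed for the demo.

```python
import hmac
import hashlib
import struct

# IKEv2 notify message types (RFC 5996 / RFC 7296 section 3.10.1)
INVALID_SYNTAX = 7        # protocol error: type, length or value out of range
NO_PROPOSAL_CHOSEN = 14   # policy error: no acceptable proposal
TS_UNACCEPTABLE = 38      # policy error: traffic selectors rejected

# IKEv2 payload types used by the constructed sample messages
SA, TSI, TSR = 33, 44, 45
PAYLOAD_HDR_LEN = 4       # Next Payload (1) + Critical/Reserved (1) + Payload Length (2)


def parse_payload_chain(first_type, body):
    """Walk the generic payload headers in `body`.

    Any length that runs past the message, is shorter than the header itself,
    or leaves trailing bytes is a protocol error and raises ValueError; that is
    the only class of fault this example maps to INVALID_SYNTAX.
    """
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + PAYLOAD_HDR_LEN > len(body):
            raise ValueError("payload header runs past end of message")
        nxt, _flags, plen = struct.unpack_from("!BBH", body, off)
        if plen < PAYLOAD_HDR_LEN or off + plen > len(body):
            raise ValueError("payload length out of range: %d" % plen)
        payloads.append((ptype, body[off + PAYLOAD_HDR_LEN:off + plen]))
        ptype, off = nxt, off + plen
    if off != len(body):
        raise ValueError("trailing bytes after last payload")
    return payloads


def build_body(payloads):
    """Encode (type, data) pairs as a payload chain; returns (first_type, body)."""
    if not payloads:
        return 0, b""
    out = bytearray()
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    return payloads[0][0], bytes(out)


def icv_for(msg_id, first_type, body, key):
    """Stand-in for the SK payload integrity checksum (assumption: HMAC-SHA256)."""
    return hmac.new(key, struct.pack("!I", msg_id) + bytes([first_type]) + body,
                    hashlib.sha256).digest()


def make_message(msg_id, payloads, key):
    first, body = build_body(payloads)
    return {"msg_id": msg_id, "first_payload": first, "body": body,
            "icv": icv_for(msg_id, first, body, key)}


def child_sa_policy(payloads):
    """Constructed policy rule: require an SA payload and both traffic selectors.
    Returns the specific notify type for a rejection, or None when accepted."""
    types = {t for t, _ in payloads}
    if SA not in types:
        return NO_PROPOSAL_CHOSEN
    if TSI not in types or TSR not in types:
        return TS_UNACCEPTABLE
    return None


def handle_request(msg, expected_msg_id, key, policy):
    """Responder decision for one request.

    Returns ("drop", None), ("notify", code) or ("accept", payloads).
    Nothing is reported back until the message ID and checksum are valid, which
    keeps a forger from eliciting INVALID_SYNTAX (or anything else) with junk.
    """
    if msg["msg_id"] != expected_msg_id:
        return ("drop", None)
    expected = icv_for(msg["msg_id"], msg["first_payload"], msg["body"], key)
    if not hmac.compare_digest(expected, msg["icv"]):
        return ("drop", None)
    try:
        payloads = parse_payload_chain(msg["first_payload"], msg["body"])
    except ValueError:
        return ("notify", INVALID_SYNTAX)       # broken encoding: protocol error
    code = policy(payloads)
    if code is not None:
        return ("notify", code)                 # policy rejection: specific notify
    return ("accept", payloads)


KEY = b"constructed-demo-key"  # constructed; a real SK_a key comes from IKE_SA_INIT


def demo():
    """Run the five constructed cases through the responder and collect results."""
    sa, ts = (SA, b"\x00" * 8), (TSI, b"\x07" * 8)
    good = make_message(1, [sa, ts, (TSR, b"\x07" * 8)], KEY)
    no_ts = make_message(1, [sa], KEY)
    # A well-behaved peer with a buggy encoder: length field corrupted, then
    # re-authenticated, so the checksum passes and the parser sees the fault.
    broken = make_message(1, [sa, ts], KEY)
    body = bytearray(broken["body"])
    body[3] = 0xFF                               # first payload length 12 -> 255
    broken["body"] = bytes(body)
    broken["icv"] = icv_for(1, broken["first_payload"], broken["body"], KEY)
    forged = dict(good, icv=b"\x00" * 32)        # junk checksum: silently dropped
    replayed = make_message(7, [sa], KEY)        # wrong message ID: silently dropped
    return {name: handle_request(m, 1, KEY, child_sa_policy) for name, m in
            [("good", good), ("no_ts", no_ts), ("broken", broken),
             ("forged", forged), ("replayed", replayed)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ordering inside `handle_request` is the point: the message ID and checksum gates come first and fail silently, the parser runs only on authenticated input and is the sole source of INVALID_SYNTAX, and policy decisions return their own notify types rather than collapsing into the generic error.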