ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] Issue #26: Missing treatment of error cases

Re: [IPsec] Issue #26: Missing treatment of error cases

From: Tero Kivinen <kivinen_at_nospam>
Date: Mon Sep 07 2009 - 16:13:13 GMT
To: Yoav Nir <ynir@checkpoint.com>


Yoav Nir writes:
> > I think MAY is better than SHOULD there, or even forbidding this
> > completely.
> >
> > As said before I do not know any implementation which does this now,
> > and there is also problem that there is no way to correlate the
> > INFORMATIONAL exchange to the exchange which caused this problem. I.e.
> > if you have window size 5, and you have 3 CREATE_CHILD_SA exchanges
> > going, and then you get response to second of them that is invalid and
> > you send INFORMATIONAL exchange out saying there was something wrong
> > with the response, then there is no way for the other end to know to
> > which of those exchanges that INFORMATIONAL related.
> >
>
> Agreed. How about SHOULD, but adding "if the error occurred in the
> response to an IKE_AUTH exchange, and in payloads related to
> authentication. A new exchange SHOULD NOT be triggered for reporting
> errors in child SAs, CFG, or notifications."

If that error occurred during IKE_AUTH because of authentication failure or INVALID_SYNTAX or similar then there is no way to start new INFORMATIONAL exchange as for the initiators part the IKE SA wasn't finished, thus he DOES NOT have IKE SA to start INFORMATIONAL on.

So only place where IKE_AUTH could fail so that you have IKE SA but you would want to send notification back is that there was something wrong with the configuration payload or Child SA processing. If there is something wrong with Child SA processing, then correct way is not to install the SA, and send delete for the Child SA. If there was something wrong with the configuration payload processing, then depending on the situation you might want to delete the IKE SA (if you didn't get the IP-address at all or similar) or just ignore the error.

I really DO NOT like the idea of triggering new exchanges based on the failures when parsing the response. In general IKEv2 has been written so there cannot really be errors on the responder (i.e. traffic selectors are narrowed based on the initiators proposal, so responder cannot select something that is not allowed by initiator, and same is for SAs proposals etc).

Can you give me example where this would be used? I.e. situation where IKE_AUTH response packet caused error which needs to be communicated to the other end and which is not related to IKE SA authentication.

> I think that any of these would be fatal to the particular exchange,
> but will not cause a silent discard of the IKE SA. You might have a
> policy that tells you to delete any IKE SA where you got or sent an
> INVALID_SYNTAX, but because it can also be a policy matter, we
> shouldn't really mandate it.

Our implementation will silently delete IKE SA (i.e do not send DELETE notification as if state is so messed up that you get INVALID_SYNTAX errors, then DELETE notification will mostly generate same response) when it receives INVALID_SYNTAX or after it has sent out INVALID_SYNTAX as it assumes there is something badly wrong with either implementation and there is no point of continuing at that situation. I do not have any plans of changing that, and I think other implementations do something similar (i.e if you start sending them properly encrypted and authenticated random garbage they will tear down the IKE SA). -- kivinen@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec