ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] Issue #26: Missing treatment of error cases

Re: [IPsec] Issue #26: Missing treatment of error cases

From: Paul Hoffman <paul.hoffman_at_nospam>
Date: Sat Sep 19 2009 - 22:37:33 GMT
To: Tero Kivinen <kivinen@iki.fi>, Yoav Nir <ynir@checkpoint.com>

Here is the edited text. Please make sure it still is correct.

<section anchor='sect-2.21' title='Error Handling'>

<t>There are many kinds of errors that can occur during IKE
processing. The general rule is that if a request is received that is badly formatted, or unacceptable for reasons of policy (such as no matching cryptographic algorithms), the response contains a Notify payload indicating the error. The decision whether or not to send such a response depends whether or not there is an authenticated IKE SA.</t>

<t>If there is an error parsing or processing a response packet, the
general rule is to not send bac any error message because responses should not generate new requests (and a new request would be the only way to send back an error message). Such errors in parsing or processing response packets should still cause the recipient to clean up the IKE state (for example, by sending a DELETE for a bad SA).</t>

<t>Only authentication failures (AUTHENTICATION_FAILED) and malformed
messages (INVALID_SYNTAX) lead to a deletion of the IKE SA without requiring an explicit INFORMATIONAL exchange carrying a DELETE payload. Other error conditions MAY require such an exchange if policy dictates that this is needed.</t>

<section anchor='sect-2.21.1' title='Error Handling in IKE_SA_INIT'>

<t>Errors that occur before a cryptographically protected IKE SA is
established need to be handled very carefully. There is a trade-off between wanting to help the peer to diagnose a problem and thust responding to the error, and wanting to avoid being part a denial of service attack based on forged messages.</t>

<t>In an IKE_SA_INIT exchange, any error notification causes the
exchange to fail. Note that some error notifications such as COOKIE, INVALID_KE_PAYLOAD or INVALID_MAJOR_VERSION may lead to a subsequent successful exchange. Because all error notifications are completely unauthenticated, the recipient should continue trying for some time before giving up but not immediately act based on the error notification unless corrective actions are defined in this specification, such as for COOKIE, INVALID_KE_PAYLOAD, and INVALID_MAJOR_VERSION.</t>


<section anchor='sect-2.21.2' title='Error Handling in IKE_AUTH'>

<t>All errors that occur in an IKE_AUTH exchange, causing the
authentication to fail for whatever reason (invalid shared secret, invalid ID, untrusted certificate issuer, revoked or expired certificate, etc.) SHOULD result in an AUTHENTICATION_FAILED notification. If the error occurred on the responder, the notification is returned in the protected response, and is usually the only payload in that response. Although the IKE_AUTH messages are encrypted and integrity protected, if the peer receiving this notification has not authenticated the other end yet, that peer needs to treat the information with caution.</t>

<t>If the error occurs on the initiator, the notification MAY be
returned in a separate INFORMATIONAL exchange, usually with no other payloads. This is exception for the general rule of not starting new exchanges based on errors in responses.</t>

<t>Note, however, that request messages that contain an unsupported
critical payload, or where the whole message is malformed (rather than just bad payload contents), MUST be rejected in their entirety, and MUST only lead to an UNSUPPORTED_CRITICAL_PAYLOAD or INVALID_SYNTAX Notification sent as response. The receiver should not verify the payloads related to authentication in this case.</t>

<t>If authentication has succeeded in the IKE_AUTH exchange, the IKE
SA is established; however, establishing the Child SA or requesting configuration information may still fail. This failure does not automatically cause the IKE SA to be deleted. Specifically, a responder may include all the payloads associated with authentication (IDr, Cert and AUTH) while sending error notifications for the piggybacked exchanges (FAILED_CP_REQUIRED, INVALID_SELECTORS, NO_PROPOSAL_CHOSEN, and so on), and the initiator MUST NOT fail the authentication because of this. The initiator MAY, of course, for reasons of policy later delete such an IKE SA.</t>

<t>In an IKE_AUTH exchange, or in the INFORMATIONAL exchange
immediately following it (in case an error happened in when processing response to IKE_AUTH), the UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, and AUTHENTICATION_FAILED notifications are the only ones to cause the IKE SA to be deleted or not created, without a DELETE payload. Extension documents may define new error notifications with these semantics, but MUST NOT use them unless the peer has been shown to understand them.</t>

<t>NOTE FOR WG DISCUSSION: Having other payloads in the message is
allowed but there are none suggested. One WG member mentioned the possibility of adding a DELETE payload when the error is sent in a separate INFORMATIONAL exchange. Do we want to allow such additional payloads that have operational semantics?</t>


<section anchor='sect-2.21.3' title='Error Handling after IKE SA is Authenticated'>

<t>After the IKE SA is authenticated all requests having errors MUST
result in response notifying about the error.</t>

<t>In normal situations, there should not be cases where valid
response from one peer results in an error situation in the other peer, so there should not be any reason for a peer to send error messages to the other end except as a response. Because sending such error messages as INFORMATIONAL exchange might lead to further errors that could cause loops, such errors SHOULD NOT be sent. If errors are seen that indicate that the peers do not have same state, it might be good to delete the IKE SA to clean up state and start over.</t>

<t>If a peer parsing a request notices that it is badly formatted
(after it has passed the message authentication code checks and window checks) and it returns an INVALID_SYNTAX notification, then this error notification is considered fatal in both peers, meaning that the IKE SA is deleted without needing an explicit DELETE payload.</t>


<section anchor='sect-2.21.4' title='Error Handling Outside IKE SA'>

<t>A node needs to limit the rate at which it will send messages in
response to unprotected messages.</t>

<t>If a node receives a message on UDP port 500 or 4500 outside the
context of an IKE SA known to it (and the message is not a request to start an IKE SA), this may be the result of a recent crash of the node. If the message is marked as a response, the node can audit the suspicious event but MUST NOT respond. If the message is marked as a request, the node can audit the suspicious event and MAY send a response. If a response is sent, the response MUST be sent to the IP address and port from where it came with the same IKE SPIs and the Message ID copied. The response MUST NOT be cryptographically protected and MUST contain an INVALID_IKE_SPI Notify payload. The INVALID_IKE_SPI notification indicates an IKE message was received with an unrecognized destination SPI; this usually indicates that the recipient has rebooted and forgotten the existence of an IKE SA.</t>

<t>A peer receiving such an unprotected Notify payload MUST NOT
respond and MUST NOT change the state of any existing SAs. The message might be a forgery or might be a response that a genuine correspondent was tricked into sending. A node should treat such a message (and also a network message like ICMP destination unreachable) as a hint that there might be problems with SAs to that IP address and should initiate a liveness check for any such IKE SA. An implementation SHOULD limit the frequency of such tests to avoid being tricked into participating in a denial of service attack.</t>

<t>If an error occurs outside the context of an IKE request (e.g.,
the node is getting ESP messages on a nonexistent SPI), the node SHOULD initiate an INFORMATIONAL exchange with a Notify payload describing the problem.</t>

<t>A node receiving a suspicious message from an IP address (and
port, if NAT traversal is used) with which it has an IKE SA SHOULD send an IKE Notify payload in an IKE INFORMATIONAL exchange over that SA. The recipient MUST NOT change the state of any SAs as a result, but may wish to audit the event to aid in diagnosing malfunctions.</t>



--Paul Hoffman, Director
--VPN Consortium

IPsec mailing list