[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri Dec 21 16:35:46 UTC 2018
New commits:
commit ca6287c54c8e87eec5975b46618ca44b9712499d
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Dec 21 11:33:38 2018 -0500
Revert "Revert "pluto: emit_v2N's "critical" parameter since it was identical in each call""
This reverts commit 526a3c46693bdd521fbe4c739a33c4e8f5ce89c8.
Hugh was actually right, as per RFC 7296:
IKEv2 adds a "critical" flag to each payload header for further
flexibility for forward compatibility. If the critical flag is set
and the payload type is unrecognized, the message MUST be rejected
and the response to the IKE request containing that payload MUST
include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an
unsupported critical payload was included. In that Notify payload,
the Notification Data contains the one-octet payload type. If the
critical flag is not set and the payload type is unsupported, that
payload MUST be ignored. Payloads sent in IKE response messages
MUST NOT have the critical flag set. Note that the critical flag
applies only to the payload type, not the contents. If the payload
type is recognized, but the payload contains something that is not
(such as an unknown transform inside an SA payload, or an unknown
Notify Message Type inside a Notify payload), the critical flag is
ignored.
So I guess this actually means, since we all must understand the Notify
type payload, even if we don't understand the content (notify type +
payload), so all notify payloads do NOT set the critical flag.
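As an added illustration (not libreswan code and not part of this commit), the two rules the quoted RFC text imposes, written in C: the receiver's handling of the C flag on an unrecognized payload type, and a Notify header emitter that, like the restored commit, takes no critical parameter. The function names, the recognized-type table and the sample header are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Generic payload header (RFC 7296 s3.2): Next Payload, C flag as top bit of
 * the second octet (rest RESERVED), 16-bit big-endian length incl. header. */
#define IKEV2_CRITICAL_FLAG 0x80
#define IKEV2_PAYLOAD_N     41   /* Notify payload type */
enum rx_action { RX_PROCESS, RX_IGNORE, RX_REJECT_UNSUPPORTED_CRITICAL, RX_REJECT_SYNTAX };
/* Assumed table of payload types this receiver implements (RFC-assigned 33..48);
 * a placeholder for a real implementation's own table. */
static int payload_type_recognized(uint8_t type) { return type >= 33 && type <= 48; }
/* Receiver rule from the quoted RFC text: a recognized type is processed whatever
 * the C flag says (unknown *contents*, e.g. an unknown Notify Message Type, are the
 * payload parser's business); an unrecognized type is ignored unless C is set, in
 * which case the message is rejected and *notify_data gets the one-octet payload
 * type that the UNSUPPORTED_CRITICAL_PAYLOAD notification must carry. */
enum rx_action ikev2_classify_payload(uint8_t type, const uint8_t hdr[4], uint8_t *notify_data)
{
    uint16_t len = ((uint16_t)hdr[2] << 8) | hdr[3];
    if (len < 4) return RX_REJECT_SYNTAX;   /* cannot even hold its own header */
    if (payload_type_recognized(type)) return RX_PROCESS;
    if (!(hdr[1] & IKEV2_CRITICAL_FLAG)) return RX_IGNORE;
    *notify_data = type;
    return RX_REJECT_UNSUPPORTED_CRITICAL;
}
/* Sender rule, the point of the restored commit: every peer must understand type N,
 * and responses MUST NOT set C anyway, so a Notify header never carries the flag and
 * the emitter takes no 'critical' parameter. body_len is the Notify data length. */
void ikev2_emit_notify_header(uint8_t out[4], uint8_t next_payload, uint16_t body_len)
{
    uint16_t len = 4 + body_len;
    out[0] = next_payload;
    out[1] = 0;   /* C flag clear, RESERVED zero */
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)(len & 0xff);
}

int main(void)
{
    /* Constructed sample: unrecognized type 200 arriving with C set, length 8. */
    const uint8_t hdr[4] = { 0, IKEV2_CRITICAL_FLAG, 0x00, 0x08 };
    uint8_t nd = 0, out[4];
    enum rx_action a = ikev2_classify_payload(200, hdr, &nd);
    /* Reply N body: Protocol ID, SPI Size 0, Notify Message Type 1, then nd (5 octets). */
    ikev2_emit_notify_header(out, 0, 5);
    printf("action=%d notify_data=%u reply C flag=%u\n", a, nd, out[1] >> 7);
    return 0;
}
```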