[Swan-dev] aggressive mode
D. Hugh Redelmeier
hugh at mimosa.com
Mon Dec 22 00:42:30 EET 2014
| From: Paul Wouters <paul at nohats.ca>
| To: D. Hugh Redelmeier <hugh at mimosa.com>
| Cc: Libreswan Development List <swan-dev at lists.libreswan.org>
| Date: Sun, 21 Dec 2014 16:40:41 -0500 (EST)
| Subject: Re: [Swan-dev] aggressive mode
|
| On Sun, 21 Dec 2014, D. Hugh Redelmeier wrote:
|
| > The ipsec.conf(5) manpage says "aggrmode" means "Use Aggressive Mode instead
| > of Main Mode".
| >
| > This does not seem nuanced enough.
| >
| > There seem to be three reasonably policies:
| > 1) forbid aggressive mode
| > 2) accept aggressive mode but don't propose it
| > 3) accept and propose aggressive mode
| > We should support all of these.
|
| I prefer not to support 2) as such asymmetry leads to failures when
| initiator/responder role switch on rekey.
Makes sense. But why are we supporting Aggressive Mode? I think that
it reflects a stupidity on the other side. Is a stupid other side
likely to be symmetrically stupid?
| 1) is the default (aggrmode=no) and 3) is aggrmode=yes. 2) is not
| supported.
OK. I think that the documentation should be clearer on this matter.
| > I assume that if we accept IKEv1, we will accept Main Mode.
|
| or aggressive mode, depending on aggrmode= setting.
Sorry, I wasn't clear. I assume that if we accept IKEv1, we will
always accept Main Mode. This contrasts with Aggressive Mode which is
only accepted if it has been explicitly enabled. Is this correct?
| > It is
| > quite unfortunate the the policy about IKEv1 is represented negatively
| > (POLICY_IKEV1_DISABLE). This does not work with the selection logic
| > for policies. A conn is considered to have suitable policy if it has
| > all the required policy bits on (there is way of requiring absence). So
Typo: it should have read (there is NO way of requiring absence)
| > POLICY_IKEV1_DISABLE must be replaced by its complement.
|
| Note that from a code point of view it does make sense, as IKEv2,
| IKEv1-main and IKEv1-agg are different "Exchange Types".
I don't understand in what way this makes sense.
| > Why does this come up? The test netkey-audit-01 is failing
| > for me.
|
| Odd.
Yeah. It is sometimes hard to understand why tests fail. In this
case, the failure has prompted me to find some problems. But they may
not in fact be why the test failed.
| > When I look at the log, I see something that seems awfully
| > odd:
| >
| > - east receives an initial aggressive mode packet
| >
| > - it decides to use a connection called "ikev2".
| >
| > That sounds misguided. Why would "ikev2" allow for aggressive mode?
|
| It has ikev2=yes, so IKEv1 is allowed. It indeed should have ikev2=insist.
I don't want to fix this yet: not until I work on the problems that
this has uncovered.
| > I haven't looked at that conn -- it might actually allow v1 aggressive
| > mode, but nonetheless there is a problem in the code.
|
| It does not allow aggressive mode, because aggrmode=yes is not set.
Good to know.
| > aggr_inI1_outR1_common looks for a suitable connection and does not
| > express any policy constraints.
|
| Didn't the state machine match on Exchange Type 4 ?
| https://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-17
The state machine is right. After all, we're in
aggr_inI1_outR1_common because of the exchange type.
| > Yet there certainly are constraints:
| > (1) ikev1 must be allowed by the connection,
| > (2) aggressive mode must be allowed by the connection
|
| both codified with matching Exchange Type 4.
I wasn't clear. The policy constraint I'm talking about is for the
search for a suitable connection. The policy constraint is the last
argument to find_host_connection and the current code for
aggr_inI1_outR1_common uses the unreasonable value LEMPTY meaning "no
constraint".
| > (3) the authentication mode (which we already know from the initial
| > packet) must be allowed.
|
| Actually, we also get an ID we can match in the first packet, see
Right. That isn't what I was meaning by "policy". Of course the word
is pretty debased by now so you'd have had to read my mind to know
that.
| > (Oh, and there is another mystery with this test run. The
| > pexpect(c == st->st_connection); /* ??? how would this have changed?
| > */
| > fires, and I cannot see how. I'll figure that one out when my test
| > machine becomes available.)
|
| That might be because of hostpair?
It turns out that ikev1_decode_peer_id does more than its name
suggests. It also changes st->st_connection, at least sometimes.
Bad function name.
And it seems to do so (using refine_host_connection) without benefit
of the policy constraints that find_host_connection has. I hope that
isn't true -- I'll look more carefully.
More information about the Swan-dev
mailing list