[Swan-dev] can the flags parameter to emit_v2N(flags, ...) please be restored
Andrew Cagney
andrew.cagney at gmail.com
Fri Dec 21 18:49:47 UTC 2018
Just because the RFC states that critical shouldn't be set in a reply,
that isn't a reason for removing our ability to do it and on a
per-notify basis - after all that is what fuzz testing is all about.
On Fri, 21 Dec 2018 at 11:35, Paul Wouters <paul at vault.libreswan.fi> wrote:
>
> New commits:
> commit ca6287c54c8e87eec5975b46618ca44b9712499d
> Author: Paul Wouters <pwouters at redhat.com>
> Date: Fri Dec 21 11:33:38 2018 -0500
>
> Revert "Revert "pluto: emit_v2N's "critical" parameter since it was identical in each call""
>
> This reverts commit 526a3c46693bdd521fbe4c739a33c4e8f5ce89c8.
>
> Hugh was actually right, as per RFC 7296:
>
> IKEv2 adds a "critical" flag to each payload header for further
> flexibility for forward compatibility. If the critical flag is set
> and the payload type is unrecognized, the message MUST be rejected
> and the response to the IKE request containing that payload MUST
> include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an
> unsupported critical payload was included. In that Notify payload,
> the Notification Data contains the one-octet payload type. If the
> critical flag is not set and the payload type is unsupported, that
> payload MUST be ignored. Payloads sent in IKE response messages
> MUST NOT have the critical flag set. Note that the critical flag
> applies only to the payload type, not the contents. If the payload
> type is recognized, but the payload contains something that is not
> (such as an unknown transform inside an SA payload, or an unknown
> Notify Message Type inside a Notify payload), the critical flag is
> ignored.
>
> So I guess this actually means, since we all must understand the Notify
> type payload, even if we don't understand the content (notify type +
> payload), all notify payloads do NOT set the critical flag.
>
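As an added illustration (not libreswan's code, nor Paul's or Andrew's), the RFC 7296 rules quoted in the commit message expressed in C: a receiver-side check that applies the critical bit only to an unknown payload *type*, and a Notify emitter that, following the commit's conclusion, never sets the bit and so has no per-call flag. Payload type numbers and the Notify format are RFC 7296's; `known_payload`, the emitter's name and signature are assumptions for this example.

```c
/* Added example, not libreswan's code: the RFC 7296 critical-bit rules
 * quoted in the commit message, as a receiver check and a Notify emitter. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define ISAKMP_PAYLOAD_CRITICAL 0x80    /* C bit: high bit of header octet 1 */
#define ISAKMP_NEXT_v2N 41              /* Notify payload type, RFC 7296 3.2 */
#define v2N_UNSUPPORTED_CRITICAL_PAYLOAD 1
enum verdict { PROCESS, IGNORE, REJECT };

/* Payload types this example receiver implements (assumption): SA, KE, Nonce, Notify. */
static bool known_payload(uint8_t type)
{
    return type == 33 || type == 34 || type == 40 || type == ISAKMP_NEXT_v2N;
}

/* Receiver: the C bit applies only to the payload type. On REJECT the reply
 * must carry UNSUPPORTED_CRITICAL_PAYLOAD with *unsupported_type as its data. */
enum verdict check_payload(uint8_t type, uint8_t flags, uint8_t *unsupported_type)
{
    if (known_payload(type))
        return PROCESS;                 /* C bit ignored for known types */
    if (flags & ISAKMP_PAYLOAD_CRITICAL) {
        *unsupported_type = type;       /* Notification Data = payload type */
        return REJECT;
    }
    return IGNORE;                      /* unknown and not critical: skip it */
}

/* Stand-in for emit_v2N (assumed signature): generic header + Notify body.
 * Every peer must understand the Notify payload type, so C is always 0.
 * Returns bytes written, or 0 if the buffer is too small. */
size_t emit_notify_payload(uint8_t *out, size_t cap, uint8_t next_payload,
                           uint16_t notify_type, const uint8_t *data, uint8_t data_len)
{
    size_t len = 4 + 4 + data_len;      /* generic header + fixed notify fields */
    if (cap < len)
        return 0;
    out[0] = next_payload;
    out[1] = 0;                         /* C = 0, RESERVED = 0 */
    out[2] = (uint8_t)(len >> 8);       /* Payload Length, network order */
    out[3] = (uint8_t)len;
    out[4] = 0;                         /* Protocol ID: none */
    out[5] = 0;                         /* SPI Size: 0, so no SPI follows */
    out[6] = (uint8_t)(notify_type >> 8);
    out[7] = (uint8_t)notify_type;
    memcpy(out + 8, data, data_len);
    return len;
}
```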