[Swan-dev] can the flags parameter to emit_v2N(flags, ...) please be restored

Andrew Cagney andrew.cagney at gmail.com
Fri Dec 21 18:49:47 UTC 2018 

Just because the RFC states that critical shouldn't be set in a reply,
that isn't reason for removing our ability to do it and on a
per-notify basis - after all that is what fuzz testing is all about.

On Fri, 21 Dec 2018 at 11:35, Paul Wouters <paul at vault.libreswan.fi> wrote:
>
> New commits:
> commit ca6287c54c8e87eec5975b46618ca44b9712499d
> Author: Paul Wouters <pwouters at redhat.com>
> Date:   Fri Dec 21 11:33:38 2018 -0500
>
>     Revert "Revert "pluto: emit_v2N's "critical" parameter since it was identical in each call""
>
>     This reverts commit 526a3c46693bdd521fbe4c739a33c4e8f5ce89c8.
>
>     Hugh was actually right, as per RFC 7296:
>
>        IKEv2 adds a "critical" flag to each payload header for further
>        flexibility for forward compatibility.  If the critical flag is set
>        and the payload type is unrecognized, the message MUST be rejected
>        and the response to the IKE request containing that payload MUST
>        include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an
>        unsupported critical payload was included.  In that Notify payload,
>        the Notification Data contains the one-octet payload type.  If the
>        critical flag is not set and the payload type is unsupported, that
>        payload MUST be ignored.  Payloads sent in IKE response messages
>        MUST NOT have the critical flag set.  Note that the critical flag
>        applies only to the payload type, not the contents.  If the payload
>        type is recognized, but the payload contains something that is not
>        (such as an unknown transform inside an SA payload, or an unknown
>        Notify Message Type inside a Notify payload), the critical flag is
>        ignored.
>
>     So I guess this actually means, since we all must understand the Notify
>     type payload, even if we dont understand the content (notify type +
>     payload), so all notify payloads do NOT set the critical flag.
>
> _______________________________________________
> Swan-commit mailing list
> Swan-commit at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-commit

More information about the Swan-dev mailing list