[Swan-dev] Do IKEv2 traffic selectors come in pairs?

Andrew Cagney andrew.cagney at gmail.com
Fri Nov 2 02:18:43 UTC 2018 

On Thu, 1 Nov 2018 at 17:36, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> Reading https://tools.ietf.org/html/rfc7296#section-2.9 I get the
> feeling that the traffic selectors in the TSi/TSr payloads are always
> paired - TSi[n] goes with TSr[n].  The examples, for instance, do
> this.  And without matching pairs things struggle to make sense.
> However, I couldn't find text clearly spelling this out.  Perhaps I'm
> missing something.
>
> This would mean code should check elemsof(TSi) == elemsof(TSr).

I still think this is true, strongswan disagrees.  In
interop-ikev2-strongswan-39-mobike-responder pluto sends a single pair
of traffic selectors:

| ****emit IKEv2 Traffic Selector - Initiator - Payload:
|    number of TS: 1 (0x1)
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| ipv4 start  00 00 00 00
| ipv4 end  ff ff ff ff

| ****emit IKEv2 Traffic Selector - Responder - Payload:
|    number of TS: 1 (0x1)
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| ipv4 start  c0 00 02 00
| ipv4 end  c0 00 02 ff

but strongswan comes back with:

 proposing traffic selectors for us:
  192.0.2.0/24
 proposing traffic selectors for other:
  192.0.3.1/32
  192.0.3.2/32

as in:

| **parse IKEv2 Traffic Selector - Initiator - Payload:
|    number of TS: 2 (0x2)
| TS: parse initiator traffic selectors
| ***parse IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    length: 16 (0x10)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| ipv4 ts low  c0 00 03 01
| ipv4 ts high  c0 00 03 01
| ***parse IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    length: 16 (0x10)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| ipv4 ts low  c0 00 03 02
| ipv4 ts high  c0 00 03 02
| TS: parsed 2 TS payloads

| **parse IKEv2 Traffic Selector - Responder - Payload:
|    number of TS: 1 (0x1)
| TS: parse responder traffic selectors
| ***parse IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    length: 16 (0x10)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| ipv4 ts low  c0 00 02 00
| ipv4 ts high  c0 00 02 ff
| TS: parsed 1 TS payloads

which with "ikev2 ts: group paired traffic selectors in a single
structure" gets rejected.

(and this cascades eventually cause a core dump because the initiator
has an authenticated parent with no child).

More information about the Swan-dev mailing list