[Swan-dev] ikev2: when no host connection matches, always respond with INVALID_SYNTAX

Paul Wouters paul at nohats.ca
Wed Jun 19 19:38:57 UTC 2019

This commit seems to introduce an error.

It changes ikev2_parent_inI1outR1() to return INVALID_SYNTAX in IKE_INIT
and even quotes the RFC part where it says:

+                * rejected for policy reasons.  To avoid a DoS attack
+                * using forged messages, this status may only be
+                * returned for and in an encrypted packet if the
+                * Message ID and cryptographic checksum were valid.
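Review bot: the RFC text quoted in this comment only permits INVALID_SYNTAX "for policy reasons" inside an encrypted packet whose Message ID and cryptographic checksum verified, yet the change (per the subject line and the reply above) emits it from ikev2_parent_inI1outR1(), that is, in the unencrypted IKE_SA_INIT response. Either return NO_PROPOSAL_CHOSEN on that path, or extend the comment to say why sending INVALID_SYNTAX in an unencrypted response is acceptable here; as written, the comment argues against the code it sits next to.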

The IKE_INIT reply is not an encrypted packet. I think
NO_PROPOSAL_CHOSEN is the right error notify.

Checking the notify section, for INVALID_SYNTAX we see:

        Indicates the IKE message that was received was invalid because
        some type, length, or value was out of range or because the
        request was rejected for policy reasons.

I think combining the first parts and the last item within a single
message is probably a mistake in the RFC, or at least "rejected for
policy reason" was meant to reflect the type/length/values and not
"any and all policy reason".

For NO_PROPOSAL_CHOSEN though, it really seems focused on the IKE or
IPsec proposal parts. So it is also not the best match.

However, it seems "connection not found" matches more closely with
NO_PROPOSAL_CHOSEN (what you asked could be valid, but we didn't match
it) than INVALID_SYNTAX (we don't understand what you are asking for).
The other error notifies we can use make even less sense.

The code in question is only called in IKE_INIT reply, so my suggestion
is to return NO_PROPOSAL_CHOSEN.


---------- Forwarded message ----------
Date: Mon, 17 Jun 2019 17:16:47
From: Andrew Cagney <cagney at vault.libreswan.fi>
To: swan-commit at lists.libreswan.org
Subject: [Swan-commit] Changes to ref refs/heads/master

New commits:
commit e85d4bbb8f22cbafb6778b609a1663f3d1d86820
Author: Andrew Cagney <cagney at gnu.org>
Date:   Mon Jun 17 17:06:36 2019 -0400

     ikev2: when no host connection matches, always respond with INVALID_SYNTAX

     Where INVALID_SYNTAX is IKEv2 speak for any error not otherwise defined.
     Was, depending on the connection list order, sometimes responding with

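As an added worked example (this is not libreswan code and not part of the thread), the Notify payload the discussion is about, encoded and parsed per RFC 7296 section 3.10 in C: a hypothetical helper notify_for_no_host_connection() applies the rule the quoted RFC text states (INVALID_SYNTAX for policy reasons only in an encrypted packet), so an unencrypted IKE_SA_INIT response gets NO_PROPOSAL_CHOSEN; the encoder and the length-checking parser show what a genuine INVALID_SYNTAX condition looks like by contrast. All function and struct names, the buffer sizes and the demo round trip are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Notify Message Type values, RFC 7296 section 3.10.1. Types 0..16383 are errors. */
#define IKEv2_N_INVALID_SYNTAX       7
#define IKEv2_N_NO_PROPOSAL_CHOSEN  14
#define IKEv2_NOTIFY_ERROR_MAX   16383

/* Next Payload values (RFC 7296 section 3.2). */
#define IKEv2_PAYLOAD_NONE    0
#define IKEv2_PAYLOAD_NOTIFY 41

/* Generic payload header (4) + Protocol ID, SPI Size, Notify Message Type (4). */
#define IKEv2_NOTIFY_FIXED_LEN 8

/* Parsed view of a Notify payload; pointers reference the input buffer. */
struct ikev2_notify {
    uint8_t        next_payload;
    bool           critical;
    uint8_t        protocol_id;
    uint8_t        spi_size;
    uint16_t       type;
    const uint8_t *spi;
    const uint8_t *data;
    size_t         data_len;
};

/* Hypothetical policy helper (assumption of this example, not libreswan's):
 * the notify to send when no host connection matches the initiator.
 * The RFC text quoted in the thread allows INVALID_SYNTAX "for policy reasons"
 * only in an encrypted packet whose Message ID and checksum verified; an
 * IKE_SA_INIT response is never encrypted, so there NO_PROPOSAL_CHOSEN is used. */
uint16_t notify_for_no_host_connection(bool response_is_encrypted)
{
    return response_is_encrypted ? IKEv2_N_INVALID_SYNTAX : IKEv2_N_NO_PROPOSAL_CHOSEN;
}

bool ikev2_notify_is_error(uint16_t type)
{
    return type <= IKEv2_NOTIFY_ERROR_MAX;
}

/* Encode one Notify payload into out. Returns bytes written, 0 if it does not fit. */
size_t ikev2_encode_notify(uint8_t *out, size_t cap, uint8_t next_payload,
                           uint8_t protocol_id, const uint8_t *spi, uint8_t spi_size,
                           uint16_t type, const uint8_t *data, size_t data_len)
{
    size_t len = IKEv2_NOTIFY_FIXED_LEN + spi_size + data_len;
    if (len > cap || len > UINT16_MAX)
        return 0;
    out[0] = next_payload;
    out[1] = 0;                        /* Critical bit clear, RESERVED zero */
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    out[4] = protocol_id;
    out[5] = spi_size;
    out[6] = (uint8_t)(type >> 8);
    out[7] = (uint8_t)type;
    if (spi_size)
        memcpy(out + IKEv2_NOTIFY_FIXED_LEN, spi, spi_size);
    if (data_len)
        memcpy(out + IKEv2_NOTIFY_FIXED_LEN + spi_size, data, data_len);
    return len;
}

/* Parse a Notify payload. Returns 0 on success, -1 when a length field is
 * inconsistent with the buffer: the kind of defect INVALID_SYNTAX is meant for. */
int ikev2_parse_notify(const uint8_t *in, size_t len, struct ikev2_notify *n)
{
    if (len < IKEv2_NOTIFY_FIXED_LEN)
        return -1;
    size_t plen = ((size_t)in[2] << 8) | in[3];
    if (plen < IKEv2_NOTIFY_FIXED_LEN || plen > len)
        return -1;
    uint8_t spi_size = in[5];
    if ((size_t)IKEv2_NOTIFY_FIXED_LEN + spi_size > plen)
        return -1;
    n->next_payload = in[0];
    n->critical     = (in[1] & 0x80) != 0;
    n->protocol_id  = in[4];
    n->spi_size     = spi_size;
    n->type         = (uint16_t)((in[6] << 8) | in[7]);
    n->spi          = spi_size ? in + IKEv2_NOTIFY_FIXED_LEN : NULL;
    n->data         = in + IKEv2_NOTIFY_FIXED_LEN + spi_size;
    n->data_len     = plen - IKEv2_NOTIFY_FIXED_LEN - spi_size;
    return 0;
}

/* Round trip for the unencrypted IKE_SA_INIT "no matching host connection" reply:
 * a bare notify with no SPI and no data. Returns 0 when everything checks out. */
int demo_no_host_connection(void)
{
    uint8_t buf[64];
    struct ikev2_notify n;
    size_t w = ikev2_encode_notify(buf, sizeof buf, IKEv2_PAYLOAD_NONE, 0, NULL, 0,
                                   notify_for_no_host_connection(false), NULL, 0);
    if (w != IKEv2_NOTIFY_FIXED_LEN)
        return -1;
    if (ikev2_parse_notify(buf, w, &n) != 0)
        return -2;
    if (n.type != IKEv2_N_NO_PROPOSAL_CHOSEN || !ikev2_notify_is_error(n.type))
        return -3;
    return 0;
}

int main(void)
{
    printf("demo_no_host_connection() = %d\n", demo_no_host_connection());
    return 0;
}
```

The parser's three length checks are the behaviour a responder needs before it can even tell whether an initiator's message is a syntax problem or a policy miss; a message that fails them is the INVALID_SYNTAX case, while a well-formed IKE_SA_INIT from an unknown peer is the NO_PROPOSAL_CHOSEN case the reply above argues for.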