[Swan-dev] ikev2: when no host connection matches, always respond with INVALID_SYNTAX
Paul Wouters
paul at nohats.ca
Thu Jun 20 13:53:56 UTC 2019
On Thu, 20 Jun 2019, Andrew Cagney wrote:
>
> I think this is the relevant text:
>
> * 3.10.1. Notify Message Types:
> *
> * INVALID_SYNTAX: Indicates the IKE message that was
> * received was invalid because some type, length, or
> * value was out of range or because the request was
> * rejected for policy reasons. To avoid a DoS attack
> * using forged messages, this status may only be
> * returned for and in an encrypted packet if the
> * Message ID and cryptographic checksum were valid.
>
> NOTE THE MUST HERE:
> * To avoid leaking information to someone probing a
> * node, this status MUST be sent in response to any
> * error not covered by one of the other status types.
> * To aid debugging, more detailed error information
> * should be written to a console or log.
>
> NO_PROPOSAL_CHOSEN is for a very specific error type - where, by
> changing the proposals, there's a fighting chance that the connection
> comes up. Here that isn't true.
I understand that, but it does feel wrong to me. The implied text has
nothing to do with the message we want to convey. I've asked at the
IPsec WG to see what other implementations are doing.
So for now, I'll leave your changes in since they are formally more
correctly following the RFC (but are intuitively more wrong)
Paul
More information about the Swan-dev
mailing list