[Swan-dev] TS_UNACCEPTABLE should not cause retransmit timeout and IKE+other children deletion
Andrew Cagney
andrew.cagney at gmail.com
Mon Jul 5 19:03:40 UTC 2021
Was the test run with?
ikev2: only return STF_{OK,FAIL,FATAL} from CREATE_CHILD_SA processor
Not STF_FAIL+v2N. Fixes a sec_label core dump when the initiator gets
rejected.
Internally use v2_notification_t, mapping that onto the above (the
code will eventually need to send the notification to the responder as
part of a separate informational exchange. See 2.21. Error Handling).
the symptoms below look similar.
On Sun, 4 Jul 2021 at 22:13, Paul Wouters <paul at nohats.ca> wrote:
>
> I added two new testcases:
>
> ikev2-rw-multiple-subnets-4-mismatch (mismatch in CREATE_CHILD_SA_
> ikev2-rw-multiple-subnets-5-mismatch-frst (mismatch in IKE_AUTH)
>
> I ran the 4-mismatch test with mismatched subnets. That is the initiator
> has
> more subnets then responder. The first subnet matches, so IKE_AUTH
> completes. Then CREATE_CHILD_SA's are used for the further pending
> subnets.
>
With "pluto: When Child state fails, don't tear down IKE SA" reverted I see:
+003 "road/0x2" #3: dropping unexpected CREATE_CHILD_SA message containing
TS_UNACCEPTABLE notification; message payloads: SK; encrypted payloads: N;
missing payloads: SA,Ni,TSi,TSr
+036 "road/0x2" #3: encountered fatal error in state STATE_V2_NEW_CHILD_I1
which is a missing state transition. Likely fallout from the above.
> I observe:
>
> "road/0x4" #1: initiating IKEv2 connection
> "road/0x3": queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #1
> "road/0x4"
> "road/0x2": queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #1
> "road/0x4"
> "road/0x1": queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #1
> "road/0x4"
> "road/0x4" #1: sent IKE_SA_INIT request
> "road/0x4" #1: switching CHILD #2 to pending connection "road/0x1"
> "road/0x4" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256
> integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> "road/0x4" #1: authenticated using RSA with SHA2_512 and peer certificate
> 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=
> east.testing.libreswan.org, E=user-east at testing.libreswan.org' issued by
> CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department,
> CN=Libreswan test CA for mainca, E=testing at libreswan.org'
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 4
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 8
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 16
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 32
> seconds for response
> "road/0x4" #1: STATE_V2_ESTABLISHED_IKE_SA: 60 second timeout exceeded
> after 7 retransmits. No response (or no acceptable response) to our IKEv2
> message
> "road/0x4" #1: liveness action - putting connection into hold
> "road/0x4" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 64.10909s
> and sending notification
> "road/0x4" #1: deleting IKE SA but connection is supposed to remain up;
> schedule EVENT_REVIVE_CONNS
>
>
And for this I see:
+003 "road/0x1" #2: IKE_AUTH response contained the error notification
TS_UNACCEPTABLE
+002 "road/0x4" #1: deleting other state #2 connection
(STATE_V2_IKE_AUTH_CHILD_I0) "road/0x1" and NOT sending notification
which is from this code:
v2_notification_t n = process_v2_IKE_AUTH_response_child_sa_payloads(ike,
md);
if (v2_notification_fatal(n)) {
/* already logged */
/*
* XXX: should be sending the fatal notification using
* a new exchange.
*/
return STF_FATAL;
} else if (n != v2N_NOTHING_WRONG) {
/* already logged */
/*
* XXX: should be sending the child failure
* notification using an additional exchange and then
* leaving the IKE SA up.
*
* Instead just wipe out the IKE family :-(
*/
return STF_V2_DELETE_EXCHANGE_INITIATOR_IKE_SA;
}
Like the comments point out, this is a hack. The fix means queueing up a
new exchange to send a delete notify with the SPI received from the
responder?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20210705/25f8f00d/attachment.html>
More information about the Swan-dev
mailing list