[Swan-dev] Fwd: [IPsec] IKEv2: how to respond to REKEY_SA with bad protoid?

Paul Wouters paul at nohats.ca
Fri Jun 16 04:32:39 EEST 2023 


Sent using a virtual keyboard on a phone

Begin forwarded message:

> From: Tero Kivinen <kivinen at iki.fi>
> Date: June 15, 2023 at 17:50:36 EDT
> To: Paul Wouters <paul at nohats.ca>
> Cc: "ipsec at ietf.org WG" <ipsec at ietf.org>
> Subject: [IPsec] IKEv2: how to respond to REKEY_SA with bad protoid?
> 
> Paul Wouters writes:
>> 
>> We ran into an issue where we received a REKEY_SA notify with a bad
>> protocol id, eg not ESP or AH. What do we do?
>> 
>> 1) CHILD_SA_NOT_FOUND, but what should we put in the proto id field?
>> 0 ?  the bogus value? 
>> 2) It's bad, so INVALID_SYNTAX
>> 
>> When doing 1, we will see:
>> 
>> Responder uses bad protocol id - Initiator can quietly delete child sa.
>> But it forces us to send something violating the RFC.
>> 
>> Or Responder uses ESP or AH protocol id? Initiator will now be upset,
>> and possible send a new informational with a notify with INVALID_SYNTAX
>> or DELETE. If INVALID_SYNTAX, it will take down everything.
>> 
>> When doing 2, it guarantees everything will be taken down.
>> 
>> 
>> Ideally, we would like to "ignore" the REKEY_SA, and leave the IKE and
>> existing Child SAs up. But that means we need to lie about protocol id,
>> and we currently have guards in our code to protect against that.
> 
> If you use invalid syntax and tear down the SA, then at least the
> other end will know that they are doing something wrong and hopefully
> they will fix their code at some point.
> 
> But I think correct option is to use exactly same protocol id than
> what the initiator used, as that is what SA they are trying to use.
> 
> The Child SA is identified by the protocol id and spi tupple, so if
> you do not have matching child sa, returning CHILD_SA_NOT_FOUND is the
> correct, and as in the section 2.25 the RFC7296 says:
> 
>   A CHILD_SA_NOT_FOUND notification SHOULD be sent when a peer receives
>   a request to rekey a Child SA that does not exist.  The SA that the
>   initiator attempted to rekey is indicated by the SPI field in the
>   Notify payload, which is copied from the SPI field in the REKEY_SA
>   notification.  A peer that receives a CHILD_SA_NOT_FOUND notification
>   SHOULD silently delete the Child SA (if it still exists) and send a
>   request to create a new Child SA from scratch (if the Child SA does
>   not yet exist).
> 
> If the protocol id does not match the protocol id you are using, then
> you do NOT HAVE matching Child SA, thus the other end is trying to
> rekey sa that does not exists. 
> 
> I.e. the SPI field is copied from the REKEY_SA to CHILD_SA_NOT_FOUND
> notify, then you needs to copy the protocol id too...
> 
> Also the section 3.10 of RFC7296 says:
> 
>   o  Protocol ID (1 octet) - If this notification concerns an existing
>      SA whose SPI is given in the SPI field, this field indicates the
>      type of that SA.  For notifications concerning Child SAs, this
>      field MUST contain either (2) to indicate AH or (3) to indicate
>      ESP.  Of the notifications defined in this document, the SPI is
>      included only with INVALID_SELECTORS, REKEY_SA, and
>      CHILD_SA_NOT_FOUND.  If the SPI field is empty, this field MUST be
>      sent as zero and MUST be ignored on receipt.
> 
> thus the Protocol ID field indicates the protocol id for the SA
> indicated by the SPI field, thus Protocol ID and SPI are always going
> together, and as REKEY_SA and CHILD_SA_NOT_FOUND are those few ones
> that have Protocol ID and SPI non-zero you need to copy them.
> 
> You could submit an errata saying that
> 
>                  The SA that the
>   initiator attempted to rekey is indicated by the SPI field in the
>   Notify payload, which is copied from the SPI field in the REKEY_SA
>   notification.
> 
> should say
> 
>                  The SA that the initiator attempted to rekey is
>   indicated by the Protocol ID and SPI fields in the Notify payload,
>   which are copied from the Protocol ID and SPI fields in the REKEY_SA
>   notification.
> -- 
> kivinen at iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec at ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20230615/5e2aff88/attachment.htm>

More information about the Swan-dev mailing list