
List:       ipsec
Subject:    [IPsec]  INVALID_IKE_SPI questions
From:       Tero Kivinen <kivinen () iki ! fi>
Date:       2008-09-24 10:42:05
Message-ID: 18650.6525.154879.851858 () fireball ! kivinen ! iki ! fi

Keith Welter writes:
> For the one-way INVALID_IKE_SPI notification described in RFC 4306 section 
> 1.5, it is unclear to me what the Exchange Type should be in the IKE 
> header.  Should it be 37 (INFORMATIONAL) or should it be copied from the 
> request that contained the unrecognized SPI? 

From RFC 4306 section 2.21:

   If a node receives a message on UDP port 500 or 4500 outside the
   context of an IKE_SA known to it (and not a request to start one), it
   may be the result of a recent crash of the node.  If the message is
   marked as a response, the node MAY audit the suspicious event but
   MUST NOT respond.  If the message is marked as a request, the node
   MAY audit the suspicious event and MAY send a response.  If a
   response is sent, the response MUST be sent to the IP address and
   port from whence it came with the same IKE SPIs and the Message ID
   copied.  The response MUST NOT be cryptographically protected and
   MUST contain a Notify payload indicating INVALID_IKE_SPI.

As the text says you copy the IKE SPIs and Message ID, I would interpret
that response as being a normal error response, meaning that the exchange
type is also copied. Perhaps this should be clarified in IKEv2bis?
-- 
kivinen@safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
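As an added illustration (not code from the thread or from any IKEv2 implementation), the following Python builds the unprotected INVALID_IKE_SPI response described in RFC 4306 section 2.21, following the interpretation above that the exchange type is copied along with the SPIs and Message ID. It assumes the Initiator flag is cleared and the Notify Protocol ID is zero because no SA exists; the sample request datagram is constructed.

```python
import struct

# IKE header: iSPI, rSPI, next payload, version, exchange type, flags, message ID, length
IKE_HEADER_FMT = "!QQBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 octets
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
PAYLOAD_NOTIFY = 41
NOTIFY_INVALID_IKE_SPI = 4
EXCH_CREATE_CHILD_SA = 36

# Constructed sample: a CREATE_CHILD_SA request whose SPIs this node does not know
# (the four trailing zero bytes stand in for the encrypted body we cannot decrypt).
SAMPLE_REQUEST = struct.pack(
    IKE_HEADER_FMT, 0x1122334455667788, 0xAABBCCDDEEFF0011,
    46, 0x20, EXCH_CREATE_CHILD_SA, FLAG_INITIATOR, 5, IKE_HEADER_LEN + 4,
) + b"\x00" * 4


def parse_ike_header(datagram):
    """Unpack the fixed 28-octet IKE header into a dict of named fields."""
    if len(datagram) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than IKE header")
    fields = struct.unpack(IKE_HEADER_FMT, datagram[:IKE_HEADER_LEN])
    names = ("ispi", "rspi", "next_payload", "version",
             "exchange_type", "flags", "message_id", "length")
    return dict(zip(names, fields))


def build_invalid_ike_spi_response(datagram):
    """Return the unprotected INVALID_IKE_SPI reply for an unknown-SA message,
    or None when the message is itself a response (RFC 4306 2.21: MUST NOT respond)."""
    hdr = parse_ike_header(datagram)
    if hdr["flags"] & FLAG_RESPONSE:
        return None
    # Notify payload: generic header (next payload 0, critical bit clear, length 8)
    # followed by Protocol ID 0 (no SA involved, assumption), SPI size 0, notify type.
    notify = struct.pack("!BBHBBH", 0, 0, 8, 0, 0, NOTIFY_INVALID_IKE_SPI)
    # Mark as a response; clearing the Initiator bit is an assumption of this example.
    flags = (hdr["flags"] | FLAG_RESPONSE) & ~FLAG_INITIATOR
    header = struct.pack(
        IKE_HEADER_FMT, hdr["ispi"], hdr["rspi"], PAYLOAD_NOTIFY, hdr["version"],
        hdr["exchange_type"],  # copied, per the interpretation in the thread
        flags, hdr["message_id"], IKE_HEADER_LEN + len(notify),
    )
    return header + notify
```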