Michael Richardson writes:
> Yoav Nir wrote:
> > Hi Raj
> >
> > Matt is correct. There is no way in IKEv2 to do a phase1-only exchange,
> > and then wait for traffic to establish the child SAs.
> >
> > While we do establish an IKE SA if the piggy-backed child SA failed for
> > whatever reason (bad selectors, no proposal chosen), we don't allow for
> > an IKE_AUTH exchange that is missing the child payloads.
> >
> > An IKE_AUTH request without the TSi and TSr payloads is
> > considered malformed, and so MUST NOT be processed. Instead, you should
> > reply with INVALID_SYNTAX
>
> That really seems like a bug in the spec to me.
> I know that in my code I don't get upset about such a situation, as I
> have unit test cases that were written when I didn't have child SA code
> at all. I wonder how many implementations really would get upset?
We do. The first thing we do when we receive a packet is to check that all mandatory payloads (ID, SA, TSi, TSr) are present, and if they are not, we immediately fail the exchange with an INVALID_SYNTAX error.

Also, our API is built so that it is impossible to even start IKE SA creation at all; you start Child SA creation and that automatically also creates the IKE SA if that is not yet done.

Also, I do not consider that a bug in the specification. The idea is that you do not create the IKE SA before you actually need it, thus only when you need a Child SA.

-- 
kivi...@iki.fi
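The check described in the reply above, written out as an added example (not code from either poster or from any IKEv2 implementation): walk the generic payload headers of a decrypted IKE_AUTH request, reject any length that does not fit the buffer, and require the payloads the reply names as mandatory (IDi, SA, TSi, TSr), answering INVALID_SYNTAX otherwise. The payload and notify type numbers are the ones assigned in RFC 7296; the sample messages are constructed, with placeholder bodies, since only the payload chain matters for this check. The EAP case, where AUTH is absent from the first IKE_AUTH request, is left aside here.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2).
SA, KE, IDi, IDr, CERT, CERTREQ, AUTH, NONCE, NOTIFY, TSi, TSr, SK = (
    33, 34, 35, 36, 37, 38, 39, 40, 41, 44, 45, 46)
NO_NEXT_PAYLOAD = 0
KNOWN_PAYLOADS = {SA, KE, IDi, IDr, CERT, CERTREQ, AUTH, NONCE, NOTIFY, TSi, TSr, SK}

# Notify message types (RFC 7296, section 3.10.1).
UNSUPPORTED_CRITICAL_PAYLOAD = 1
INVALID_SYNTAX = 7

# Payloads the reply above requires in an IKE_AUTH request.
MANDATORY_IKE_AUTH = {IDi, SA, TSi, TSr}


def build_payload_chain(items):
    """Constructed test helper: encode (type, body[, critical]) items as a chain of
    generic payload headers. Returns (first_type, data); first_type is what the
    enclosing header's Next Payload field would carry."""
    out = bytearray()
    for i, item in enumerate(items):
        ptype, body, *rest = item
        flags = 0x80 if (rest and rest[0]) else 0
        next_type = items[i + 1][0] if i + 1 < len(items) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", next_type, flags, 4 + len(body)) + body
    first_type = items[0][0] if items else NO_NEXT_PAYLOAD
    return first_type, bytes(out)


def walk_payloads(first_type, data):
    """Follow the Next Payload chain. Returns [(type, critical, body), ...].
    Raises ValueError when a header or length does not fit the message."""
    result = []
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("payload header runs past end of message")
        next_type, flags, length = struct.unpack_from("!BBH", data, off)
        # Length includes the 4-byte header; anything shorter, or past the
        # buffer, is a malformed message rather than a short body.
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        result.append((ptype, bool(flags & 0x80), data[off + 4:off + length]))
        off += length
        ptype = next_type
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return result


def validate_ike_auth_request(first_type, data):
    """Return None if the decrypted IKE_AUTH request may be processed, otherwise
    the Notify type to send back in the response."""
    try:
        payloads = walk_payloads(first_type, data)
    except ValueError:
        return INVALID_SYNTAX
    present = set()
    for ptype, critical, _body in payloads:
        if ptype not in KNOWN_PAYLOADS:
            # Unknown payload: fatal only if the sender set the critical bit.
            if critical:
                return UNSUPPORTED_CRITICAL_PAYLOAD
            continue
        present.add(ptype)
    if not MANDATORY_IKE_AUTH <= present:
        return INVALID_SYNTAX
    return None


# Constructed samples (placeholder bodies): one request carrying the Child SA
# payloads, and one "phase1-only" request that omits SA/TSi/TSr.
WITH_CHILD = build_payload_chain([
    (IDi, b"\x01id"), (AUTH, b"\x02auth"), (SA, b"sa"), (TSi, b"tsi"), (TSr, b"tsr")])
NO_CHILD = build_payload_chain([(IDi, b"\x01id"), (AUTH, b"\x02auth")])

if __name__ == "__main__":
    print("with child payloads:", validate_ike_auth_request(*WITH_CHILD))
    print("without child payloads:", validate_ike_auth_request(*NO_CHILD))
```

The validator deliberately returns a Notify type rather than raising, so the caller can build the INVALID_SYNTAX response without distinguishing a missing TSi from a truncated header; both are "malformed" in the sense the quoted text uses.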