Tero Kivinen writes:
> Michael Richardson writes:
> > Yoav Nir wrote:
> > > Hi Raj
> > >
> > > Matt is correct. There is no way in IKEv2 to do a phase1-only exchange,
> > > and then wait for traffic to establish the child SAs.
> > >
> > > While we do establish an IKE SA if the piggy-backed child SA failed for
> > > whatever reason (bad selectors, no proposal chosen), we don't allow for
> > > an IKE_AUTH exchange that is missing the child payloads.
> > >
> > > An IKE_AUTH request without the TSi and TSr payloads is
> > > considered malformed, and so MUST NOT be processed. Instead, you should
> > > reply with INVALID_SYNTAX
> >
> > That really seems like a bug in the spec to me.
> > I know that in my code I don't get upset about such a situation, as I
> > have unit test cases that were written when I didn't have child SA code
> > at all. I wonder how many implementations really would get upset?
>
> We do.
>
> First thing we do when we receive packet, is to check that all
> mandatory payloads (ID, SA, TSi, TSr) are present, and if they are
> not, we immediately fail the exchange with INVALID_SYNTAX error.
>
> Also our API is built so that it is immediately to even start IKE SA
> creation at all, you start Child SA creation and that automatically
> also creates the IKE SA if that is not yet done.
>
> Also I do not consider that bug in specification. The idea is that you
> do not create IKE SA before you actually need it, thus only when you
> need Child SA.
We also verify that all mandatory payloads are present before processing a message and respond with INVALID_SYNTAX if they are not.

Dave Wierbowski
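The check that both Tero and Dave describe (walk the payload chain of an IKE_AUTH request, confirm the mandatory payloads are present, and answer INVALID_SYNTAX before doing anything else with the message) is simple enough to show in full. The following is an added illustration, not code from either implementation or from RFC 7296. It assumes the SK payload has already been decrypted so that the inner payload chain is available as plain bytes, it reads "ID" in Tero's list as IDi for the initiator's request, and the payload chains it builds for itself are constructed test data with empty payload bodies. The payload type and notify numbers are the ones assigned in RFC 7296.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2).
PAYLOAD_SA = 33
PAYLOAD_IDI = 35
PAYLOAD_AUTH = 39
PAYLOAD_TSI = 44
PAYLOAD_TSR = 45
NO_NEXT_PAYLOAD = 0

# Notify message type INVALID_SYNTAX (RFC 7296, section 3.10.1).
NOTIFY_INVALID_SYNTAX = 7

# Payloads an IKE_AUTH request must carry before any further processing;
# this is the set named in the thread (ID taken as IDi for the initiator).
MANDATORY_IKE_AUTH_REQUEST = {PAYLOAD_IDI, PAYLOAD_SA, PAYLOAD_TSI, PAYLOAD_TSR}


def walk_payload_chain(first_payload, body):
    """Return the list of payload types found in a decrypted message body.

    `first_payload` is the Next Payload value that introduces the chain (the
    SK payload's own Next Payload field once its contents are decrypted).
    Every payload starts with a 4-byte generic header: Next Payload,
    critical bit plus reserved bits, and a 16-bit length that includes the
    header itself. Any inconsistency in the chain raises ValueError so the
    caller can refuse the message instead of reading past the buffer."""
    types = []
    next_type = first_payload
    offset = 0
    while next_type != NO_NEXT_PAYLOAD:
        if offset + 4 > len(body):
            raise ValueError("truncated generic payload header")
        following, _flags, length = struct.unpack("!BBH", body[offset:offset + 4])
        if length < 4 or offset + length > len(body):
            raise ValueError("payload length does not fit the message")
        types.append(next_type)
        next_type = following
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after the last payload")
    return types


def check_ike_auth_request(first_payload, body):
    """Return None when every mandatory payload is present, otherwise the
    notify type the responder should send (INVALID_SYNTAX). A chain that
    cannot even be walked is treated the same way as a missing payload."""
    try:
        present = set(walk_payload_chain(first_payload, body))
    except ValueError:
        return NOTIFY_INVALID_SYNTAX
    if not MANDATORY_IKE_AUTH_REQUEST <= present:
        return NOTIFY_INVALID_SYNTAX
    return None


def build_chain(types):
    """Constructed test helper (not real traffic): serialize dummy payloads
    of the given types with empty bodies, each exactly one generic header.
    Returns the (first_payload, body) pair check_ike_auth_request expects."""
    body = b""
    for i, ptype in enumerate(types):
        following = types[i + 1] if i + 1 < len(types) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", following, 0, 4)
    first = types[0] if types else NO_NEXT_PAYLOAD
    return first, body


if __name__ == "__main__":
    # A request carrying IDi, AUTH, SA, TSi, TSr passes the check.
    print(check_ike_auth_request(*build_chain(
        [PAYLOAD_IDI, PAYLOAD_AUTH, PAYLOAD_SA, PAYLOAD_TSI, PAYLOAD_TSR])))
    # The "phase1-only" request from the thread (no SA/TSi/TSr) is rejected.
    print(check_ike_auth_request(*build_chain([PAYLOAD_IDI, PAYLOAD_AUTH])))
```

The presence check runs over payload types only; the contents of the SA and traffic selector payloads are parsed afterwards, which is why Yoav's other case (selectors present but unacceptable) still ends in an IKE SA with a failed Child SA rather than in INVALID_SYNTAX.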
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec