Hi,
We have implemented TCP but are running into some issues where the RFC and
the bis draft do not give us clarity.
If the IKE_INIT over TCP gets back an INVALID_KE, what is supposed to
happen? Is the responder expected to close the TCP session, since it
never created a state for this exchange? Is the initiator expected
to re-use the TCP connection to send a fresh new IKE_INIT request
with the proper KE? This case is similar to the COOKIE case, but
there the initiator is expected to keep state and re-use, except
one is not supposed to trigger COOKIES on TCP.
Note: I think this sentence is incorrect:

    Moreover, a TCP Responder creates state once a SYN packet is received

libreswan listens on the TCP socket, but for INVALID_KE responses it
creates a response without creating a state.
Similarly, when IKE_AUTH fails with NO_PROPOSAL_CHOSEN or
AUTHENTICATION_FAILED, who is responsible for closing the TCP socket?
The initiator or the responder?
Perhaps a similar issue happens when an IKE lifetime is reached before
a rekey or re-auth happened. But in that case I guess the party sending
the delete can linger briefly for the reply and then close the socket
if it didn't get closed by the responder to the delete request.
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
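As an added example, not part of the original post and not code from libreswan or the RFCs, here is a small RFC 8229 (IKEv2 over TCP) frame builder and parser in Python, driven through the INVALID_KE exchange the post describes. It assumes, as one reading of the question rather than a statement of what the RFC requires, that the initiator keeps the TCP connection open and sends the fresh IKE_SA_INIT on it; the function names (`ike_message`, `tcp_frame`, `parse_stream`, `invalid_ke_retry_streams`), the SPI and KE values, and the byte streams are all constructed for illustration.

```python
import struct

# RFC 8229 section 3: the TCP Originator starts its stream with this magic, and
# every packet in either direction is prefixed with a 16-bit length that counts
# the length field itself.  An all-zero 4-byte marker identifies IKE (not ESP).
STREAM_PREFIX = b"IKETCP"
NON_ESP_MARKER = b"\x00" * 4

IKE_SA_INIT = 34                              # exchange type (RFC 7296 section 3.1)
PAYLOAD_NONE, PAYLOAD_KE, PAYLOAD_NOTIFY = 0, 34, 41
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
INVALID_KE_PAYLOAD = 17                       # notify type (RFC 7296 section 3.10.1)
HDR = "!8s8sBBBBII"                           # SPIi, SPIr, next, ver, exch, flags, msgid, len

def ike_message(spi_i, spi_r, exch, flags, msg_id, first_payload, body):
    """28-byte IKEv2 header (version 2.0) followed by the payload chain."""
    return struct.pack(HDR, spi_i, spi_r, first_payload, 0x20, exch, flags,
                       msg_id, 28 + len(body)) + body

def ke_payload(group, ke_data):
    # RFC 7296 section 3.4: next(1) crit(1) len(2) group(2) reserved(2) data
    return struct.pack("!BBHHH", PAYLOAD_NONE, 0, 8 + len(ke_data), group, 0) + ke_data

def notify_payload(ntype, data=b""):
    # RFC 7296 section 3.10: next(1) crit(1) len(2) proto(1) spisize(1) type(2) data
    return struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(data), 0, 0, ntype) + data

def tcp_frame(ike_msg):
    """One RFC 8229 frame: length (including itself), non-ESP marker, IKE message."""
    payload = NON_ESP_MARKER + ike_msg
    return struct.pack("!H", 2 + len(payload)) + payload

def parse_stream(stream, from_originator=True):
    """Split one direction of a TCP stream into frames and summarise each IKE message."""
    pos = 0
    if from_originator:                       # only the Originator sends the prefix
        if not stream.startswith(STREAM_PREFIX):
            raise ValueError("not an IKETCP stream")
        pos = len(STREAM_PREFIX)
    out = []
    while pos < len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if length < 2 or pos + length > len(stream):
            raise ValueError("truncated or malformed frame")
        frame = stream[pos + 2:pos + length]
        pos += length
        if frame[:4] != NON_ESP_MARKER:
            out.append({"kind": "esp"})       # ESP-in-TCP; not examined here
            continue
        msg = frame[4:]
        _spi_i, spi_r, nxt, _ver, exch, flags, msg_id, ike_len = struct.unpack_from(HDR, msg)
        if ike_len != len(msg):
            raise ValueError("IKE header length disagrees with TCP frame")
        info = {"kind": "ike", "exchange": exch, "response": bool(flags & FLAG_RESPONSE),
                "msg_id": msg_id, "spi_r": spi_r}
        if nxt == PAYLOAD_KE:
            (info["group"],) = struct.unpack_from("!H", msg, 32)
        elif nxt == PAYLOAD_NOTIFY:
            (info["notify"],) = struct.unpack_from("!H", msg, 34)
            if info["notify"] == INVALID_KE_PAYLOAD:
                (info["suggested_group"],) = struct.unpack_from("!H", msg, 36)
        out.append(info)
    return out

def invalid_ke_retry_streams():
    """Constructed exchange (sample bytes, not a capture), one stream per direction:
    IKE_SA_INIT with group 19, an INVALID_KE_PAYLOAD response suggesting group 14,
    then a fresh IKE_SA_INIT with group 14 on the same connection.  Reusing the
    connection is the assumption this example makes; it is the open question."""
    spi_i, no_spi = b"\x11" * 8, b"\x00" * 8
    first = ike_message(spi_i, no_spi, IKE_SA_INIT, FLAG_INITIATOR, 0, PAYLOAD_KE,
                        ke_payload(19, b"\x01" * 64))
    # The responder answers without creating state, so no responder SPI is allocated.
    reject = ike_message(spi_i, no_spi, IKE_SA_INIT, FLAG_RESPONSE, 0, PAYLOAD_NOTIFY,
                         notify_payload(INVALID_KE_PAYLOAD, struct.pack("!H", 14)))
    retry = ike_message(spi_i, no_spi, IKE_SA_INIT, FLAG_INITIATOR, 0, PAYLOAD_KE,
                        ke_payload(14, b"\x02" * 256))
    to_responder = STREAM_PREFIX + tcp_frame(first) + tcp_frame(retry)
    to_initiator = tcp_frame(reject)
    return to_responder, to_initiator
```

Running `parse_stream` over each direction shows the framing holding up across the retry: the second IKE_SA_INIT sits in the same originator stream after the first one, with message ID 0 again and the suggested group, while the responder's stream carries a single notify with a zero responder SPI. A truncated tail raises rather than being silently treated as a short message, which is the check a TCP receiver needs before it decides whether the peer closed the socket or merely paused mid-frame.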