RFC 3706, which defines DPD, says:
- Security Parameter Index (16 octets) - SHOULD be set to the
  cookies of the Initiator and Responder of the IKE SA (in that
  order)

This is only SHOULD, not MUST. In the wild, we observe that most IPsec implementations do this, but a few do not. Those commercial vendors that don't, produce DPD messages technically valid by this RFC, which OpenBSD's isakmpd rejects on grounds of invalid cookies. Find attached a patch to relax this restriction, allowing these technically-valid messages to correctly keep DPD alive.

--
Paul Evans <[email protected]>
Tel: +44 (0) 845 666 7778
Fax: +44 (0) 870 163 4694
http://www.mxtelecom.com
--- isakmpd/message.c Sat Jun 2 03:29:11 2007
+++ isakmpd.PATCHED/message.c Tue May 4 17:20:26 2010
@@ -914,9 +914,11 @@
}
/* Validate the SPI. XXX Just ISAKMP for now. */
+ /* Don't validate SPI for DPD messages because RFC 3706 only says SHOULD */
if (proto == ISAKMP_PROTO_ISAKMP &&
GET_ISAKMP_NOTIFY_SPI_SZ(p->p) == ISAKMP_HDR_COOKIES_LEN &&
msg->isakmp_sa &&
+ !(type == ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE || type == ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK) &&
memcmp(p->p + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies,
ISAKMP_HDR_COOKIES_LEN) != 0) {
log_print("message_validate_notify: bad cookies");
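Review bot: the added condition reads `type`, but nothing in the visible hunk assigns it; if message_validate_notify() only fetches the notify type with GET_ISAKMP_NOTIFY_MSG_TYPE() after this SPI check, the DPD exemption compares an uninitialised variable, so move the `type = ...` assignment above the `if` (or show it in the hunk). Two smaller points on the same hunk: the added comment line runs well past 80 columns, and when the exemption fires the cookie mismatch is dropped silently, so a LOG_DBG line noting that a DPD notify arrived with foreign cookies would keep the interop case diagnosable. Note also that the exemption only matters when SPI size equals ISAKMP_HDR_COOKIES_LEN; a DPD notify with any other SPI size was never compared. Finally, the header says `-914,9` but only 8 original-side lines appear, so the mail lost at least the context line after `log_print`; please resend with the complete hunk.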
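To make the behaviour of the cookie check concrete, here is an added stand-alone C model of it (example code, not isakmpd's own message.c and not from the poster). It parses a Notify payload using the RFC 2408 layout, compares a cookie-sized ISAKMP SPI against the SA cookies, and lets the DPD exemption from the patch be switched on or off with the assumed `relax_dpd` flag. The offsets, the helper names (`validate_notify_spi`, `build_notify`, `check_scenario`) and all cookie and payload bytes are constructed for the example; the notify type numbers are the ones RFC 3706 section 5.1 and RFC 2407 section 4.6.3 assign.

```c
/*
 * Added example, not isakmpd code: a stand-alone model of the cookie check
 * that message_validate_notify() applies to an ISAKMP Notify payload
 * (RFC 2408 section 3.14), with the DPD relaxation from the patch selectable
 * via relax_dpd. Offsets assume the 4-octet generic payload header followed
 * by DOI (4), Protocol-ID (1), SPI Size (1), Notify Message Type (2), SPI.
 * All cookies and payload bytes below are constructed for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOTIFY_DOI_OFF       4
#define NOTIFY_PROTO_OFF     8
#define NOTIFY_SPI_SZ_OFF    9
#define NOTIFY_MSG_TYPE_OFF 10
#define NOTIFY_SPI_OFF      12
#define COOKIES_LEN         16   /* initiator cookie || responder cookie */

#define PROTO_ISAKMP                 1
#define NOTIFY_INITIAL_CONTACT   24578   /* RFC 2407 section 4.6.3 */
#define NOTIFY_DPD_R_U_THERE     36136   /* RFC 3706 section 5.1 */
#define NOTIFY_DPD_R_U_THERE_ACK 36137

enum { SPI_OK = 0, SPI_BAD_COOKIES = -1, SPI_SHORT = -2 };

/* Constructed cookies of the IKE SA the message arrived on, and a foreign
 * pair standing in for a peer that does not follow the SHOULD. */
static const uint8_t SA_COOKIES[COOKIES_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 };
static const uint8_t OTHER_COOKIES[COOKIES_LEN] = { 0 };

/*
 * Returns SPI_OK when the notify may be processed, SPI_BAD_COOKIES when an
 * ISAKMP-protocol, cookie-sized SPI disagrees with the SA cookies and the
 * DPD exemption does not apply, SPI_SHORT when the buffer cannot hold the
 * advertised SPI.
 */
int validate_notify_spi(const uint8_t *p, size_t len,
    const uint8_t sa_cookies[COOKIES_LEN], int relax_dpd)
{
    if (len < NOTIFY_SPI_OFF)
        return SPI_SHORT;
    uint8_t  proto  = p[NOTIFY_PROTO_OFF];
    uint8_t  spi_sz = p[NOTIFY_SPI_SZ_OFF];
    uint16_t type   = (uint16_t)((p[NOTIFY_MSG_TYPE_OFF] << 8) |
                                  p[NOTIFY_MSG_TYPE_OFF + 1]);
    if (len < (size_t)NOTIFY_SPI_OFF + spi_sz)
        return SPI_SHORT;

    int is_dpd = (type == NOTIFY_DPD_R_U_THERE ||
                  type == NOTIFY_DPD_R_U_THERE_ACK);

    /* Same shape as the isakmpd condition: only an ISAKMP-protocol SPI of
     * cookie length is compared; the patch contributes the DPD exemption. */
    if (proto == PROTO_ISAKMP && spi_sz == COOKIES_LEN &&
        !(relax_dpd && is_dpd) &&
        memcmp(p + NOTIFY_SPI_OFF, sa_cookies, COOKIES_LEN) != 0)
        return SPI_BAD_COOKIES;
    return SPI_OK;
}

/* Build a Notify payload: IPsec DOI, Protocol-ID ISAKMP, 16-octet SPI and a
 * 4-octet notification data field carrying the DPD sequence number. */
size_t build_notify(uint8_t *out, uint16_t type,
    const uint8_t spi[COOKIES_LEN], uint32_t seq)
{
    size_t plen = NOTIFY_SPI_OFF + COOKIES_LEN + 4;
    memset(out, 0, plen);
    out[2] = (uint8_t)(plen >> 8);             /* payload length */
    out[3] = (uint8_t)(plen & 0xff);
    out[NOTIFY_DOI_OFF + 3]      = 1;          /* DOI = IPsec */
    out[NOTIFY_PROTO_OFF]        = PROTO_ISAKMP;
    out[NOTIFY_SPI_SZ_OFF]       = COOKIES_LEN;
    out[NOTIFY_MSG_TYPE_OFF]     = (uint8_t)(type >> 8);
    out[NOTIFY_MSG_TYPE_OFF + 1] = (uint8_t)(type & 0xff);
    memcpy(out + NOTIFY_SPI_OFF, spi, COOKIES_LEN);
    uint8_t *nd = out + NOTIFY_SPI_OFF + COOKIES_LEN;
    nd[0] = (uint8_t)(seq >> 24); nd[1] = (uint8_t)(seq >> 16);
    nd[2] = (uint8_t)(seq >> 8);  nd[3] = (uint8_t)seq;
    return plen;
}

/* Build a notify of `type` carrying `spi` and return the check's verdict. */
int check_scenario(uint16_t type, const uint8_t spi[COOKIES_LEN], int relax_dpd)
{
    uint8_t buf[64];
    size_t n = build_notify(buf, type, spi, 1);
    return validate_notify_spi(buf, n, SA_COOKIES, relax_dpd);
}

int main(void)
{
    printf("DPD, cookies match, unpatched:    %d\n",
        check_scenario(NOTIFY_DPD_R_U_THERE, SA_COOKIES, 0));
    printf("DPD, cookies differ, unpatched:   %d\n",
        check_scenario(NOTIFY_DPD_R_U_THERE, OTHER_COOKIES, 0));
    printf("DPD, cookies differ, patched:     %d\n",
        check_scenario(NOTIFY_DPD_R_U_THERE_ACK, OTHER_COOKIES, 1));
    printf("INITIAL-CONTACT, differ, patched: %d\n",
        check_scenario(NOTIFY_INITIAL_CONTACT, OTHER_COOKIES, 1));
    return 0;
}
```

The four scenarios in `main` show the only behavioural change the relaxation introduces: a DPD R-U-THERE or R-U-THERE-ACK with foreign cookies moves from rejected to accepted, while every other ISAKMP-protocol notify with a mismatched cookie-sized SPI is still refused.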
