On Sep 7, 2009, at 3:48 PM, Tero Kivinen wrote:

> Keith Welter writes:
>> I would not expect INVALID_SYNTAX to cause the IKE SA to be deleted
>> either.
>
> I do consider INVALID_SYNTAX a fatal error, meaning the IKE SA will be
> deleted immediately after sending the response containing
> INVALID_SYNTAX, and if I receive an INVALID_SYNTAX notification I will
> immediately and silently delete the IKE SA.
>
> INVALID_SYNTAX can only happen if there are bugs in implementations.
> There is no way it could happen during normal operation, and it is
> also an error which does NOT go away. I.e. if the other end has a bug
> such that it sends a payload whose length, for example, exceeds the
> packet length, that error will not go away even if we ignore the exchange.
<snip/>

I wish that were true, but here's what the draft says about INVALID_SYNTAX:

    INVALID_SYNTAX                            7
        Indicates the IKE message that was received was invalid because
        some type, length, or value was out of range or because the
        request was rejected for policy reasons. To avoid a denial of
        service attack using forged messages, this status may only be
        returned for and in an encrypted packet if the message ID and
        cryptographic checksum were valid.

This "or because the request was rejected for policy reasons" means that even perfectly good implementations might get an INVALID_SYNTAX. I don't know why this is so, but that's the way it is in RFC 4306 as well.


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
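As an added illustration of the two points in the exchange above (this is not code from the thread or from any IKE implementation): a Python walk of the IKEv2 payload chain that catches the "payload length exceeds the packet length" defect Tero describes, and a responder decision that returns INVALID_SYNTAX only once the message ID and cryptographic checksum have been verified, as the quoted draft text requires. The packet is modelled unencrypted and the message-ID and integrity verdicts are passed in as booleans; both are simplifying assumptions of the example.

```python
import struct

IKE_HDR_LEN = 28      # fixed IKEv2 header (RFC 4306 section 3.1)
PAYLOAD_HDR_LEN = 4   # generic payload header: next payload, flags, length
NO_NEXT_PAYLOAD = 0
INVALID_SYNTAX = 7    # notify type quoted in the message above


def build_packet(payloads, msg_id=0, exchange=34):
    """Constructed sample: assemble an IKEv2 message from (type, body) pairs."""
    types = [t for t, _ in payloads] + [NO_NEXT_PAYLOAD]
    body = b"".join(struct.pack("!BBH", types[i + 1], 0, PAYLOAD_HDR_LEN + len(d)) + d
                    for i, (_, d) in enumerate(payloads))
    spis = b"\x11" * 8 + b"\x00" * 8            # constructed initiator/responder SPIs
    return spis + struct.pack("!BBBBII", types[0], 0x20, exchange, 0x08,
                              msg_id, IKE_HDR_LEN + len(body)) + body


def walk_payloads(packet):
    """Walk the payload chain and return the payload types in order; raise
    ValueError for the defect class discussed above (a payload length that runs
    past the end of the packet or is shorter than its own header)."""
    if len(packet) < IKE_HDR_LEN:
        raise ValueError("packet shorter than IKE header")
    if struct.unpack("!I", packet[24:28])[0] != len(packet):
        raise ValueError("IKE header length field does not match packet")
    next_type, offset, found = packet[16], IKE_HDR_LEN, []
    while next_type != NO_NEXT_PAYLOAD:
        if offset + PAYLOAD_HDR_LEN > len(packet):
            raise ValueError("payload header runs past end of packet")
        nxt, _flags, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < PAYLOAD_HDR_LEN or offset + plen > len(packet):
            raise ValueError(f"payload length {plen} at offset {offset} exceeds packet")
        found.append(next_type)
        offset, next_type = offset + plen, nxt
    if offset != len(packet):
        raise ValueError("trailing bytes after the last payload")
    return found


def error_notify(packet, msg_id_ok, integrity_ok):
    """Return INVALID_SYNTAX only when the message is malformed AND the message
    ID and cryptographic checksum were already verified (the draft's condition
    against forged messages); otherwise drop the packet silently (None)."""
    try:
        walk_payloads(packet)
        return None
    except ValueError:
        return INVALID_SYNTAX if (msg_id_ok and integrity_ok) else None
```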
