Yoav Nir writes:
> I wish that were true, but here's what the draft says about  
>     INVALID_SYNTAX                            7
>         Indicates the IKE message that was received was invalid because
>         some type, length, or value was out of range or because the
>         request was rejected for policy reasons. To avoid a denial of
>         service attack using forged messages, this status may only be
>         returned for and in an encrypted packet if the message ID and
>         cryptographic checksum were valid.
> This "or because the request was rejected for policy reasons" means
> that even perfectly good implementations might get an INVALID_SYNTAX.
> I don't know why this is so, but that's the way it is in RFC 4306 as
> well.

I do not think it should be sent because of policy reasons, as we do
have specific errors (authentication failed, no proposal chosen, TS
unacceptable, etc.).

I have not seen anybody sending this because of policy reasons; the only
case where I have seen this was in interops, when someone sent some
broken packets to the other end.

I think we should remove the "for policy reasons" part and specify
that this is only used in protocol error situations. 