Assume a responder which currently *implements* IKEv1 and IKEv2. Consider the cases: A) it has a global policy set to reject all IKEv1 connections. B) it has a global policy set to reject all IKEv2 connections. C) a specific policy (for a specific peer, identified by IP address) has a policy to use IKEv1 only. D) a specific policy (for a specific peer, identified by IP address) has a policy to use IKEv2 only. E) a specific policy (for a generic peer, identified by ID) has a policy to use IKEv1 only. F) a specific policy (for a generic peer, identified by ID) has a policy to use IKEv2 only.
Perhaps cases B,D and F seem silly today, but assume "IKEv3" came along, except that likely we would retain the packet format, so it would be less weird. (Or perhaps the people who worry about Quantum Cryptography are suddenly proven right, and IKEv1's perverted main-mode with PSK *is* stronger) I think that there is a significant tension between providing some useful diagnostics to the other end vs telling too much about our policy. I also consider that given code is already present, that it may be better to proceed to parent SA established, and send a private message about wrong version number. A1) Upon receipt of an IKEv1 message, such a peer should reply with an IKEv1 format notify INVALID-MAJOR-VERSION. Seems perverse to use IKEv1 to say, "I do not speak IKEv1" {"En puhuto sumalainen"} A2) Upon receipt of an IKEv1 message, such a peer should reply with an IKEv2 format notify INVALID_MAJOR_VERSION (n=m=2). This is what a pure IKEv2 implementation would respond with, but which an IKEv1 initiator would not understand. B1) Upon receipt of an IKEv2 message, such a peer should reply with an IKEv2 format notify INVALID-MAJOR-VERSION (n=m=1). B2) Upon receipt of an IKEv2 message, such a peer should reply with an IKEv1 format notify INVALID-MAJOR-VERSION. This is what a pure IKEv1 implementation would respond with. C) since we can identify the policy by IP address, we can respond, but do we respond with A1 or A2? For other IP addresses we may well support the requested version. D) ditto for C. E) upon receipt of IKEv2 message, we have to proceed until we can process the ID in the I1. Having done, we notice the PAD says not to do IKEv2, so reply in IKEv2, saying... INVALID_MAJOR_VERSION? Or NO_PROPOSOL_CHOSEN? F1) upon receipt of an IKEv1 MAIN MODE message, we have to proceed until we can see the ID, which means getting the I3 message. And then INVALID-MAJOR-VERSION? We may well be able to authenticate the peer! F2) upon receipt of an IKEv1 AGGRESSIVE MODE message, we process until we can see the ID, and then INVALID-MAJOR-VERSION? -- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec