We ran into an issue where we received a REKEY_SA notify with a bad protocol id,
e.g. not ESP or AH. What do we do?

1) CHILD_SA_NOT_FOUND, but what should we put in the proto id field? 0? The
bogus value?
2) It's bad, so INVALID_SYNTAX

When doing 1, we will see:

Responder uses bad protocol id - Initiator can quietly delete child sa.
But it forces us to send something violating the RFC.

Or Responder uses ESP or AH protocol id? Initiator will now be upset,
and possibly send a new informational with a notify with INVALID_SYNTAX
or DELETE. If INVALID_SYNTAX, it will take down everything.

When doing 2, it guarantees everything will be taken down.


Ideally, we would like to "ignore" the REKEY_SA, and leave the IKE and
existing Child SAs up. But that means we need to lie about protocol id,
and we currently have guards in our code to protect against that.

Thoughts?

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
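
The validation step that comes before the choice debated in this message, as an added example that is not part of the original post and not code from any IKE implementation. It parses a Notify payload body as laid out in RFC 7296 and only classifies it, since the thread leaves the response open; the function, type and enum names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol IDs and notify type value from RFC 7296. */
enum { PROTO_AH = 2, PROTO_ESP = 3, N_REKEY_SA = 16393 };

/* Hypothetical result codes for this example. */
typedef enum { RK_OK, RK_NOT_REKEY, RK_TRUNCATED,
               RK_BAD_PROTOCOL, RK_BAD_SPI_SIZE } rekey_check;

typedef struct { uint8_t proto; uint32_t spi; } rekey_target;

/* body points just past the 4-byte generic payload header of a Notify payload:
 * Protocol ID (1) | SPI Size (1) | Notify Message Type (2) | SPI | data */
rekey_check check_rekey_notify(const uint8_t *body, size_t len, rekey_target *out)
{
    if (len < 4)
        return RK_TRUNCATED;
    uint8_t proto = body[0], spi_size = body[1];
    uint16_t type = (uint16_t)((body[2] << 8) | body[3]);
    if (type != N_REKEY_SA)
        return RK_NOT_REKEY;
    if (proto != PROTO_AH && proto != PROTO_ESP)
        return RK_BAD_PROTOCOL;   /* the case raised in the post */
    if (spi_size != 4)
        return RK_BAD_SPI_SIZE;   /* AH and ESP SPIs are 4 bytes */
    if (len < 8)
        return RK_TRUNCATED;
    /* Only a fully validated notify fills *out, so no SA lookup can run
     * on a bogus protocol id. */
    out->proto = proto;
    out->spi = ((uint32_t)body[4] << 24) | ((uint32_t)body[5] << 16) |
               ((uint32_t)body[6] << 8) | body[7];
    return RK_OK;
}

/* Constructed sample notify bodies (not captured traffic). */
static const uint8_t sample_esp[] = { 0x03, 0x04, 0x40, 0x09, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_bad[] = { 0x07, 0x04, 0x40, 0x09, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    rekey_target t = { 0, 0 };
    printf("esp: %d\n", check_rekey_notify(sample_esp, sizeof sample_esp, &t));
    printf("proto: %u spi: 0x%08x\n", (unsigned)t.proto, (unsigned)t.spi);
    printf("bad: %d\n", check_rekey_notify(sample_bad, sizeof sample_bad, &t));
    return 0;
}
```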
