Panwei (William) writes:
> The handling I suggest is as follows:
>
> 1) if all KE methods proposed by the initiator are unknown to the
> responder, i.e., no KE method is acceptable, then the responder replies
> NO_PROPOSAL_CHOSEN, no matter what KE method is used in the KE payload.
>
> 2) if at least one acceptable KE method is included in the initiator's
> proposals, the responder can select one acceptable KE method, ignore the
> unknown KE methods, and perform the next step of KE Payload processing.
>
> 2.1) if the KE method used in the KE payload happens to be the same as
> this selected KE method, then the responder normally replies with this
> selected KE method and the corresponding KE payload.
>
> 2.2) if the KE method used in the KE payload is different from this
> selected KE method, then the responder replies INVALID_KE_PAYLOAD with this
> selected KE method, regardless of whether the KE method used in the KE payload
> is known or unknown to the responder.
This is correct processing. Note that any unknown KE method cannot be acceptable to the policy, thus they are not allowed by the policy, and if there are any KE methods which are acceptable to policy we use that, and if the KE payload is not using that you send INVALID_KE_PAYLOAD and indicate the KE method you want to use. This processing is the same for the known and unknown KE methods, there is no difference there. Of course the initiator will include exactly the same SA payload listing all those unknown KE methods when it retries with the KE method listed in the INVALID_KE_PAYLOAD.

> However, others suggest that the responder should terminate the IKE
> exchange without reply, when the KE method used in the KE payload is
> unknown to the responder, even if there are other acceptable KE
> methods proposed in the SA payload.

If there is anything in RFC7296 that would suggest that kind of processing is valid, we need to fix that. RFC7296 tries to be extendable, thus it tries to ignore unknown values, and process things without them. For example in an implementation I was familiar with there were no unknown algorithms, all values for algorithms or methods were valid from the IKEv2 point of view, and those values were then matched against policy, but of course policy only allowed values that the implementation actually recognized...

> Because they feel the unknown KE method in the KE payload means that
> the whole packet is an invalid packet, and discarding this packet is
> the thing to do.

I have no idea where they think RFC7296 says anything like that.

--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
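The responder-side decision procedure discussed in this thread, written out as an added example (not code from the mailing list or from any IKEv2 implementation). It assumes the responder's policy is an ordered list of acceptable KE method IDs, that anything outside that list (known or unknown) is equally unacceptable, and it simulates the initiator's retry with an unchanged SA payload after INVALID_KE_PAYLOAD:

```python
from typing import List, NamedTuple, Optional

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"
INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"
OK = "OK"

# Assumed responder policy: acceptable KE methods in preference order, using
# IANA IKEv2 Transform Type 4 IDs (31 = Curve25519, 14 = 2048-bit MODP).
# Any other ID, whether the implementation "knows" it or not, is unacceptable.
RESPONDER_POLICY: List[int] = [31, 14]


class Decision(NamedTuple):
    status: str               # NO_PROPOSAL_CHOSEN, INVALID_KE_PAYLOAD or OK
    selected_ke: Optional[int]  # KE method the responder chose, if any


def process_ke(proposed: List[int], ke_payload_method: int,
               policy: List[int] = RESPONDER_POLICY) -> Decision:
    """Apply steps 1, 2.1 and 2.2 from the thread to one IKE_SA_INIT request."""
    # Step 1/2: first policy-acceptable method that the initiator proposed.
    # Unknown IDs never match the policy, so they are ignored, not rejected.
    selected = next((m for m in policy if m in proposed), None)
    if selected is None:
        return Decision(NO_PROPOSAL_CHOSEN, None)
    # Step 2.1: KE payload already uses the selected method.
    if ke_payload_method == selected:
        return Decision(OK, selected)
    # Step 2.2: mismatch, regardless of whether the payload's method is known.
    return Decision(INVALID_KE_PAYLOAD, selected)


def run_exchange(proposed: List[int], first_ke_method: int,
                 policy: List[int] = RESPONDER_POLICY) -> List[Decision]:
    """Initiator's first attempt plus, on INVALID_KE_PAYLOAD, its single retry
    with the same SA payload and the responder-indicated KE method."""
    first = process_ke(proposed, first_ke_method, policy)
    if first.status != INVALID_KE_PAYLOAD:
        return [first]
    retry = process_ke(proposed, first.selected_ke, policy)
    return [first, retry]


if __name__ == "__main__":
    # Constructed input: proposal lists 9999 (unknown) and 14; KE payload uses 9999.
    print(run_exchange([9999, 14], 9999))
```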
