Scott C Moonen writes:
I'm curious how IKEv2-only implementations have approached the problem of
dealing with IKEv1 proposals. IKEv2 defines an INVALID_MAJOR_VERSION
notify, but it only carries a maximum version and not a minimum version. (I
wonder if that is an oversight.) IKEv1 (in RFC 2408) defines an
INVALID-MAJOR-VERSION notify which MAY be sent. The RFC does not discuss
whether the notify carries any data.
If you have IKEv2-only implementation then you do not support IKEv1,
thus you cannot really even parse incoming IKEv1 messages or generate
response IKEv1 messages, so most likely you should silently discard
the packet.
If I wanted to send an IKEv1 not supported indication from an IKEv2-only
daemon, I think I would use the IKEv1 INVALID-MAJOR-VERSION notify and not
send any SPI or notification data in the payload.
I.e. you implement minimal IKEv1 implementation in your IKEv2-only
implementation which knows how to get IKEv1 packet in, and response to
it that INVALID-MAJOR-VERSION in IKEv1.
How have existing IKEv2-only implementations approached this? Do you ignore
IKEv1 messages, or do you send an error notification in response?
In our case we do response with the same protocol (i.e if incoming
messages are in IKEv1, we reply with IKEv1). As our implementation
also do support IKEv1, even when it is disabled by policy, we do not
answer with INVALID-MAJOR-VERSION. In our case we just reply with
similar error which we use when the policy does not match
(NO-PROPOSAL-CHOSEN), i.e. we interpret the IKE version as part of the
policy, just as encryption algorithm etc would be.
For your case if you really have IKEv2-only implementation, I do not
think there is any good interoperable way to solve the issue. Most
likely sending the minimal IKEv1 reply with INVALID-MAJOR-VERSION
would be best, as at least that can be parsed by the initiator sending
IKEv1 messages, and will most likely be shown in the logs, so
adminstrators can then reconfigure the system to try with IKEv2,
provided the implementation supports IKEv2. On the other hand if the
implementation supports IKEv2, it should first try with that as there
is clearly defined fall-back mechanims from IKEv2 to IKEv1.
--
kivi...@iki.fi
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec