> "Tero" == Tero Kivinen writes:
>> The INVALID_SYNTAX notify in response to missing payload in
>> IKE_AUTH should be sent encrypted using DH keys or unencrypted?
Tero> As it is clear that the other end is not following the
Tero> specification, i.e. there is a bug on the other en
raj singh writes:
> The INVALID_SYNTAX notify in response to missing payload in IKE_AUTH should
> be sent encrypted using DH keys or unencrypted?
As it is clear that the other end is not following the specification, i.e.
there is a bug on the other end, there is no need to think that much
about what you shou
Hi Team,
One more question.
The INVALID_SYNTAX notify in response to missing payload in IKE_AUTH should
be sent encrypted using DH keys or unencrypted?
Thanks,
raj
On Fri, May 15, 2009 at 10:12 AM, raj singh wrote:
> Hi Yoav,
>
> If the check for mandatory payloads per exchange type is a MUST, if i
Hi Yoav,
If the check for mandatory payloads per exchange type is a MUST, and if it fails we
MUST return INVALID_SYNTAX, why are we not saying it explicitly in the draft?
Putting it clearly in the draft makes more sense and avoids a lot of
confusion.
Thanks,
Raj
On Wed, May 6, 2009 at 7:24 PM, Yoav Nir wro
Yoav Nir writes:
> A far more common situation is when I'm "outside", not moving
> anywhere, and I want to connect. I haven't even opened my mail
> client yet, or launched the browser (because those things hate it
> when the VPN client changes routing to addresses they are trying to
> reach).
>
>
Michael Richardson writes:
>
> Let me suggest a situation where perhaps I would like to bring up
> an IKE_SA and not a CHILD_SA: it might be for just sending initial
> contact, and perhaps even a DELETE.
>
> I sometimes move quickly from being "outside" my IPsec gateway/firewall
> (such as being
Hi Michael
> Let me suggest a situation where perhaps I would like to
> bring up an IKE_SA and not a CHILD_SA: it might be for just
> sending initial contact, and perhaps even a DELETE.
>
> I sometimes move quickly from being "outside" my IPsec
> gateway/firewall (such as being on wireless),
Tero Kivinen writes:
> Michael Richardson writes:
> > Yoav Nir wrote:
> > > Hi Raj
> > >
> > > Matt is correct. There is no way in IKEv2 to do a phase1-only exchange,
> > > and then wait for traffic to establish the child SAs.
> > >
> > > While we do establish an IKE SA if the piggy-backed child S
Michael Richardson writes:
> Yoav Nir wrote:
> > Hi Raj
> >
> > Matt is correct. There is no way in IKEv2 to do a phase1-only exchange,
> > and then wait for traffic to establish the child SAs.
> >
> > While we do establish an IKE SA if the piggy-backed child SA failed for
> > whatever reas
Let me suggest a situation where perhaps I would like to bring up
an IKE_SA and not a CHILD_SA: it might be for just sending initial
contact, and perhaps even a DELETE.
I sometimes move quickly from being "outside" my IPsec gateway/firewall
(such as being on wireless), to being wired behind the g
Michael Richardson wrote:
> Yoav Nir wrote:
> > Hi Raj
> >
> > Matt is correct. There is no way in IKEv2 to do a phase1-only
> > exchange, and then wait for traffic to establish the child SAs.
> >
> > While we do establish an IKE SA if the piggy-backed child SA failed
> > for whatever reason
Yoav Nir wrote:
Hi Raj
Matt is correct. There is no way in IKEv2 to do a phase1-only exchange,
and then wait for traffic to establish the child SAs.
While we do establish an IKE SA if the piggy-backed child SA failed for
whatever reason (bad selectors, no proposal chosen), we don't allow
Hi Tero,
It makes sense.
The same point I want to make: if we as a responder are not going to process
the packet, there is NO need to add IDr and AUTH with INVALID_SYNTAX during
IKE_AUTH.
Regards,
Raj
On Wed, Apr 22, 2009 at 4:43 PM, Tero Kivinen wrote:
> Matthew Cini Sarreo writes:
> > You sti
Matthew Cini Sarreo writes:
> You still need the IDr and AUTH payloads in the reply. This is needed as
> INVALID_SYNTAX is authenticated and encrypted.
INVALID_SYNTAX is a fatal error meaning that the other end didn't follow the
protocol specification, and the IKE SA is going to be removed anyway,
and
Hi Matt,
But as per Yoav, we should not process the request.
Does that mean that we will not process the request but send IDr and AUTH
payloads?
Thanks,
Raj
On Wed, Apr 22, 2009 at 2:48 PM, Matthew Cini Sarreo wrote:
> Hello Raj,
>
> You still need the IDr and AUTH payloads in the reply. This
Hi Matt/Yoav,
Thanks for your reply.
I will conclude that the IKE_AUTH exchange MUST have TSi and TSr payloads. We MUST
NOT process an IKE_AUTH packet without TSi and TSr, and we should reply with an
INVALID_SYNTAX notification without IDr, AUTH, TSi and TSr payloads.
Regards,
Raj
On Wed, Apr 22, 2009 at 1:11
Hello Raj,
You still need the IDr and AUTH payloads in the reply. This is needed as
INVALID_SYNTAX is authenticated and encrypted.
Regards,
Matt
2009/4/22 raj singh
> Hi Matt/Yoav,
>
> Thanks for your reply.
> I will conclude that the IKE_AUTH exchange MUST have TSi and TSr payloads. We MUST
> NOT pr
Hi Raj
Matt is correct. There is no way in IKEv2 to do a phase1-only exchange, and
then wait for traffic to establish the child SAs.
While we do establish an IKE SA if the piggy-backed child SA failed for
whatever reason (bad selectors, no proposal chosen), we don't allow for an
IKE_AUTH excha
Hi Matt,
Let me re-phrase my questions:
1. If there are no TSi and TSr payloads in the IKE_AUTH exchange, do we go
ahead and process the IKE_AUTH payloads or not?
2. Appendix C: IKE_AUTH: Error in CHILD SA creation. It will come into the
picture if we process the packet.
If we go ahead and process the
Hello Raj,
According to Appendix C, for IKE_AUTH:
error in Child SA creation <-- IDr, [CERT+], AUTH, N(error), [V+]
So sending an authenticated and encrypted INVALID_SYNTAX notification over
the IKE_SA that has ju
Hi Matt,
There is a possibility that just the IKEv2 SA gets established during IKE_AUTH and
the IPsec SA gets established via CREATE_CHILD_SA.
The question is what behavior the RFC mandates. What do you think?
Thanks for your reply.
Regards,
Raj
On Wed, Apr 22, 2009 at 11:40 AM, Matthew Cini Sarreo wrote:
>
In IKE_AUTH TSi and TSr are mandatory, so it is not possible to omit them
from an authentication exchange message, as there would be no way for the SA
to know what traffic should be forwarded through the SA.
It seems that the correct error message would be INVALID_SYNTAX. This would
require the me
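The check Matt describes (TSi and TSr are mandatory in IKE_AUTH, and their absence is an INVALID_SYNTAX situation) is easy to state but worth seeing as code. The following is an added example, not code from the thread or from any IKE implementation: it walks the generic payload headers of a decrypted IKE_AUTH payload chain (RFC 4306 section 3.2) on the responder side and reports INVALID_SYNTAX when a required payload is missing or the framing is broken. The byte chains are constructed in the helper, the payload bodies are dummies, and the set of required payloads assumes a non-EAP initial exchange.

```python
"""Added example, not from the thread: a responder-side check that the
decrypted IKE_AUTH payload chain carries every payload RFC 4306 requires.
All byte strings here are constructed for the example; payload bodies are
dummies because only the generic payload headers matter for this check."""
import struct

# Payload type numbers from RFC 4306 section 3.2
PAYLOAD_NAMES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
                 38: "CERTREQ", 39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D",
                 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
PAYLOAD_TYPES = {name: num for num, name in PAYLOAD_NAMES.items()}
NO_NEXT_PAYLOAD = 0
INVALID_SYNTAX = 7  # notify message type, RFC 4306 section 3.10.1

# Assumption for the example: a non-EAP initial IKE_AUTH request, so the
# initiator's message must carry IDi, AUTH, SA, TSi and TSr.
IKE_AUTH_REQUIRED = {"IDi", "AUTH", "SA", "TSi", "TSr"}


def walk_payload_chain(first_type, data):
    """Return a list of (type_name, critical_bit, body) by following the
    generic payload headers (next payload, flags, length) through data.
    Malformed framing raises ValueError."""
    payloads = []
    ptype, offset = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, flags, length = struct.unpack("!BBH", data[offset:offset + 4])
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        name = PAYLOAD_NAMES.get(ptype, "type%d" % ptype)
        payloads.append((name, bool(flags & 0x80), data[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - offset))
    return payloads


def check_ike_auth_request(first_type, inner):
    """Return (None, present_types) when every mandatory payload is there,
    otherwise (INVALID_SYNTAX, missing_types). Broken framing is also
    reported as INVALID_SYNTAX, with an empty set of missing names."""
    try:
        present = {name for name, _, _ in walk_payload_chain(first_type, inner)}
    except ValueError:
        return INVALID_SYNTAX, set()
    missing = IKE_AUTH_REQUIRED - present
    if missing:
        return INVALID_SYNTAX, missing
    return None, present


def build_chain(type_names, body=b"\x00" * 4):
    """Constructed helper: encode dummy payloads of the given types, in order,
    and return (first_type, bytes) as a decrypted SK payload would yield."""
    out = b""
    for i, name in enumerate(type_names):
        nxt = PAYLOAD_TYPES[type_names[i + 1]] if i + 1 < len(type_names) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return PAYLOAD_TYPES[type_names[0]], out


if __name__ == "__main__":
    for names in (["IDi", "AUTH", "SA", "TSi", "TSr"], ["IDi", "AUTH", "SA"]):
        first, chain = build_chain(names)
        print(names, "->", check_ike_auth_request(first, chain))
```

The check stops at the decision itself: which payloads accompany the INVALID_SYNTAX reply, and whether it goes out encrypted, is the question the thread is debating, so the example leaves that to the caller. Running the check before any further processing of the request also mirrors the ordering discussed here, where a message that fails payload validation is not processed at all.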
Hi Group,
What is the expected behavior if as a responder we do not receive TSi and
TSr in the IKE_AUTH exchange?
Shall we go ahead and establish the IKEv2 SA? If yes, shall we send out TSi and
TSr?
Or should we reject the packet?
If we reject the packet during packet validation with doing ID and AUTH