[IPsec] libreswan-cisco interoperability issue with IKEv2 Notify

Paul Wouters <paul@nohats.ca> Sat, 17 October 2020 17:03 UTC

Date: Sat, 17 Oct 2020 13:03:24 -0400
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <alpine.LRH.2.23.451.2010171256340.2239493@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Yge_TFhOUbgOvZiVVsWFkIRiLaU>
Subject: [IPsec] libreswan-cisco interoperability issue with IKEv2 Notify

Yesterday we ran into an interoperability issue with Cisco.

Libreswan split out the Notify Protocol ID values from the Delete
Protocol ID values and Proposal Protocol ID values. While these
"registries" are basically the same, they are subtly different.

We basically changed it like this:

-extern enum_names ikev2_sec_proto_id_names;
+extern enum_names ikev2_proposal_protocol_id_names;    /* 1=IKE SA, 2=AH, 3=ESP */
+extern enum_names ikev2_delete_protocol_id_names;      /* 1=IKE SA, 2=AH, 3=ESP */
+extern enum_names ikev2_notify_protocol_id_names;      /* NONE=0, 2=AH, 3=ESP; NOT IKE! */
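Review bot: the hunk only swaps the declaration; nothing visible shows what the code that consumes ikev2_notify_protocol_id_names does when a lookup fails, and that failing lookup (Protocol ID 1 in a Notify) is exactly the case the mail describes as breaking interop. RFC 7296 section 3.10 says the Notify Protocol ID MUST be sent as zero and MUST be ignored on receipt when the SPI field is empty, so the Notify parser that uses this table should treat an out-of-registry value as log-and-ignore when SPI Size is 0, and reject it only when an SPI is present and the value is not AH or ESP; it would help to record that in the comment, e.g. `/* 0=NONE, 2=AH, 3=ESP; 1 (IKE) is invalid but MUST be ignored when SPI Size is 0 */`. Minor style point: the first comment writes `NONE=0` while the other entries use the `value=name` order; align it to `0=NONE`.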

Note that Notify payloads cannot have Protocol ID set to 1. However,
this is what Cisco is sending. Libreswan incorrectly did not ignore
this, resulting in these two bugs causing an interop failure.

We have fixed our code to handle this, but it would be good if Cisco
fixed their bug as well, and for other implementations to have a look
if they perhaps made a similar mistake.

Paul
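The following is an added example, not libreswan's or Cisco's code, showing the distinction the mail draws between the three Protocol ID "registries" and how a Notify parser can tolerate a peer that sets Protocol ID to 1: per RFC 7296 section 3.10 the field is ignored on receipt when SPI Size is 0, and only AH or ESP are acceptable when an SPI is present. The name tables, the `parse_notify_payload` function and its verdict enum are assumptions made for this example; the three sample payloads are constructed (Notify types 16384 INITIAL_CONTACT and 16393 REKEY_SA are IANA values).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three Protocol ID tables (example only, not libreswan's enum_names).
 * Proposal and Delete use 1=IKE, 2=AH, 3=ESP; Notify uses 0=NONE, 2=AH, 3=ESP
 * and has no entry for 1. */
enum protocol_id { PROTO_NONE = 0, PROTO_IKE = 1, PROTO_AH = 2, PROTO_ESP = 3 };

static const char *const proposal_protocol_id_names[] = { NULL,   "IKE", "AH", "ESP" };
static const char *const delete_protocol_id_names[]   = { NULL,   "IKE", "AH", "ESP" };
static const char *const notify_protocol_id_names[]   = { "NONE", NULL,  "AH", "ESP" };
#define TABLE_LEN 4

/* Look a value up in one of the tables; NULL means "not valid in this registry". */
static const char *proto_name(const char *const *table, size_t n, unsigned id)
{
    return id < n ? table[id] : NULL;
}

enum notify_verdict {
    NOTIFY_OK = 0,            /* well formed */
    NOTIFY_PROTO_IGNORED = 1, /* SPI Size 0: Protocol ID MUST be ignored on receipt */
    NOTIFY_BAD_PROTO = 2,     /* SPI present but Protocol ID is not AH or ESP */
    NOTIFY_TRUNCATED = 3      /* lengths do not add up */
};

struct notify_payload {
    uint8_t protocol_id;
    uint8_t spi_size;
    uint16_t notify_type;
    const uint8_t *spi;   /* NULL when spi_size == 0 */
    const uint8_t *data;  /* notification data, may be empty */
    size_t data_len;
};

/* Parse one Notify payload: 4-byte generic payload header followed by
 * Protocol ID (1), SPI Size (1), Notify Message Type (2), SPI, data. */
static enum notify_verdict parse_notify_payload(const uint8_t *buf, size_t len,
                                                struct notify_payload *out)
{
    if (len < 8)
        return NOTIFY_TRUNCATED;
    uint16_t payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (payload_len < 8 || payload_len > len)
        return NOTIFY_TRUNCATED;

    out->protocol_id = buf[4];
    out->spi_size = buf[5];
    out->notify_type = (uint16_t)((buf[6] << 8) | buf[7]);
    if ((size_t)8 + out->spi_size > payload_len)
        return NOTIFY_TRUNCATED;
    out->spi = out->spi_size ? buf + 8 : NULL;
    out->data = buf + 8 + out->spi_size;
    out->data_len = payload_len - 8 - out->spi_size;

    if (out->spi_size == 0) {
        /* No SPI: the field carries no meaning, so a nonzero value (such as
         * the 1 described in the mail) is noted and ignored, not a failure. */
        return out->protocol_id == PROTO_NONE ? NOTIFY_OK : NOTIFY_PROTO_IGNORED;
    }
    /* An SPI is present, so this concerns a Child SA: only AH or ESP are valid. */
    if (out->protocol_id != PROTO_AH && out->protocol_id != PROTO_ESP)
        return NOTIFY_BAD_PROTO;
    return NOTIFY_OK;
}

/* Constructed sample: INITIAL_CONTACT (0x4000) with Protocol ID 1 and SPI Size 0. */
static const uint8_t sample_proto1_no_spi[] = {
    0x00, 0x00, 0x00, 0x08,  /* next payload 0, flags 0, payload length 8 */
    0x01, 0x00, 0x40, 0x00   /* protocol 1, spi size 0, type 16384 */
};
/* Constructed sample: REKEY_SA (0x4009) for ESP with a 4-byte SPI. */
static const uint8_t sample_rekey_esp[] = {
    0x00, 0x00, 0x00, 0x0c,
    0x03, 0x04, 0x40, 0x09,
    0x11, 0x22, 0x33, 0x44
};
/* Constructed sample: Protocol ID 1 with an 8-byte SPI, never valid in a Notify. */
static const uint8_t sample_proto1_with_spi[] = {
    0x00, 0x00, 0x00, 0x10,
    0x01, 0x08, 0x40, 0x09,
    1, 2, 3, 4, 5, 6, 7, 8
};

int main(void)
{
    struct notify_payload n;
    printf("proposal id 1 = %s, notify id 1 = %s\n",
           proto_name(proposal_protocol_id_names, TABLE_LEN, 1),
           proto_name(notify_protocol_id_names, TABLE_LEN, 1) ? "valid" : "(not in registry)");
    printf("proto1/no spi  -> %d\n", parse_notify_payload(sample_proto1_no_spi, sizeof sample_proto1_no_spi, &n));
    printf("rekey esp      -> %d\n", parse_notify_payload(sample_rekey_esp, sizeof sample_rekey_esp, &n));
    printf("proto1/8B spi  -> %d\n", parse_notify_payload(sample_proto1_with_spi, sizeof sample_proto1_with_spi, &n));
    return 0;
}
```

The verdict split is the point: a parser that treats any unknown Protocol ID as a hard error turns a harmless peer quirk into a failed negotiation, while one that distinguishes "ignored by the RFC" from "contradicts the SPI" stays strict where the value actually matters.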