Bug 1118121
Summary: [TAHI][IKEv2] IKEv2.EN.R.1.1.11.4: IKEv2 device should ignore an IKE request message whose Response bit is set.

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Hangbin Liu <haliu> |
| Component | libreswan | Assignee | Paul Wouters <pwouters> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Hangbin Liu <haliu> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 7.1 | CC | arubin, omoris |
| Target Milestone | beta | | |
| Target Release | 7.1 | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-10-23 02:47:14 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1049095 | | |
| Attachments | test log (attachment 916986) | | |
Description of problem:

Created attachment 916986 [details]: test log

RFC 4306 Section 2.21:

> If a node receives a message on UDP port 500 or 4500 outside the context of an IKE_SA known to it (and not a request to start one), it may be the result of a recent crash of the node. If the message is marked as a response, the node MAY audit the suspicious event but MUST NOT respond.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

```
      NUT                         TN1
   (End-Node)                  (End-Node)
       |                           |
       |<--------------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
       |                           |   (Judgement #1)
       |---------X                 | IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
       |                           |   (Packet #1)
       v                           v
```

Packet #1: See Common Packet #1. Response bit is set to one.

Part A (BASIC)

1. TN starts to negotiate with NUT by sending an IKE_SA_INIT request whose Response bit is set to one.
2. Observe the messages transmitted on Link A.

Actual results:

The NUT responds with an IKE_SA_INIT response to an IKE_SA_INIT request from the TN1.

Expected results:

The NUT never responds with an IKE_SA_INIT response to an IKE_SA_INIT request from the TN1.

Additional info:

Comment #1 (Paul Wouters):

There was a logic bug in versions before libreswan-3.10 that could cause responding to a packet with the Response flag set. Is it possible to re-run this test against libreswan-3.10-3?

Reply:

(In reply to Paul Wouters from comment #1)
> There was a logic bug in versions before libreswan-3.10 that could cause
> responding to a packet with the Response flag set. Is it possible to re-run
> this test against libreswan-3.10-3?

Sure, no problem. I will let you know the result after the re-run.

Follow-up:

Rerun with libreswan-3.10-2.el7 and the test passed now; no response found.

[1] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/
[2] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/201.html
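As an added illustration of the receive-side check RFC 4306 Section 2.21 requires (example code written for this page, not libreswan's implementation), the sketch below decodes the fixed IKEv2 header (layout per RFC 4306 Section 3.1) and decides whether a datagram arriving outside any known IKE_SA may be processed; the packets it builds are constructed test inputs modelled on the TAHI case above.

```python
import struct

IKE_SA_INIT = 34        # Exchange Type value for IKE_SA_INIT
FLAG_INITIATOR = 0x08   # I bit of the Flags octet
FLAG_RESPONSE = 0x20    # R bit of the Flags octet
HDR_LEN = 28            # fixed IKEv2 header length in octets
HDR_FMT = "!8s8sBBBBII" # SPIi, SPIr, Next Payload, Version, Exchange, Flags, Message ID, Length

def parse_ike_header(pkt):
    """Decode the fixed 28-octet IKEv2 header into a dict; raises on a truncated packet."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, _next, ver, exch, flags, msg_id, length = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    return {"spi_i": spi_i, "spi_r": spi_r, "version": ver, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}

def dispatch(pkt, known_sas):
    """Return 'process' or 'ignore' for a datagram received on UDP 500/4500.

    known_sas is the set of (SPIi, SPIr) pairs of IKE_SAs this node knows about.
    """
    hdr = parse_ike_header(pkt)
    if (hdr["spi_i"], hdr["spi_r"]) in known_sas:
        return "process"          # belongs to an existing SA; normal state machine handles it
    if hdr["flags"] & FLAG_RESPONSE:
        # Section 2.21: outside any known SA a response MAY be audited but MUST NOT be answered.
        # This is exactly the TAHI packet (an IKE_SA_INIT "request" with R set): drop it.
        return "ignore"
    if hdr["exchange"] == IKE_SA_INIT and hdr["spi_r"] == b"\x00" * 8:
        return "process"          # a genuine request to start a new IKE_SA
    return "ignore"

def build_header(spi_i, spi_r, exchange, flags, msg_id=0, payload_len=0):
    """Construct a raw IKEv2 header for tests (Next Payload 33 = SA, Version 2.0)."""
    return struct.pack(HDR_FMT, spi_i, spi_r, 33, 0x20, exchange, flags, msg_id, HDR_LEN + payload_len)

# Constructed sample packets: the TAHI test packet and a well-formed request.
TAHI_PACKET = build_header(b"\x01" * 8, b"\x00" * 8, IKE_SA_INIT, FLAG_INITIATOR | FLAG_RESPONSE)
GOOD_REQUEST = build_header(b"\x01" * 8, b"\x00" * 8, IKE_SA_INIT, FLAG_INITIATOR)
```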