Bug 1118121

Summary: [TAHI][IKEv2] IKEv2.EN.R.1.1.11.4: IKEv2 device should ignore an IKE request message whose Response bit is set.
Product: Red Hat Enterprise Linux 7
Reporter: Hangbin Liu <haliu>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE
QA Contact: Hangbin Liu <haliu>
Severity: high
Priority: high
Version: 7.1
CC: arubin, omoris
Target Milestone: beta
Target Release: 7.1
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-10-23 02:47:14 UTC
Type: Bug
Bug Blocks: 1049095
Attachments: test log

Description Hangbin Liu 2014-07-10 03:19:21 UTC
Created attachment 916986: test log

Description of problem:
RFC 4306 Section 2.21:
  If a node receives a message on UDP port 500 or 4500 outside the
  context of an IKE_SA known to it (and not a request to start one), it
  may be the result of a recent crash of the node. If the message is
  marked as a response, the node MAY audit the suspicious event but MUST
  NOT respond.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

       NUT                  TN1
    (End-Node)           (End-Node)
        |                    |
        |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
        |                    | (Judgement #1)
        |---------X          | IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
        |                    | (Packet #1)
        |                    |
        V                    V

    Packet #1 	See Common Packet #1
    Response bit is set to one.

  Part A (BASIC)
     1. TN starts to negotiate with NUT by sending IKE_SA_INIT request whose Response bit is
         set to one.
     2. Observe the messages transmitted on Link A.

Actual results:
The NUT responds with an IKE_SA_INIT response to an IKE_SA_INIT request from the TN1.

Expected results:
The NUT never responds with an IKE_SA_INIT response to an IKE_SA_INIT request from the TN1.

Additional info:
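The check the test exercises, as an added illustration (not libreswan code): parse the fixed IKEv2 header from RFC 4306 section 3.1, and apply the section 2.21 rule that a message marked as a response, arriving outside any known IKE_SA, is audited but never answered. The packets are constructed inline; the SPI values and the `classify` return labels are assumptions for the example.

```python
import struct
from typing import NamedTuple, Set

# Fixed IKEv2 header (RFC 4306 s3.1), 28 bytes, network byte order:
# Initiator SPI, Responder SPI, Next Payload, Version, Exchange Type,
# Flags, Message ID, Length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
EXCH_IKE_SA_INIT = 34
EXCH_INFORMATIONAL = 37
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20   # the "Response bit" the test sets to one


class IkeHeader(NamedTuple):
    ispi: bytes
    rspi: bytes
    next_payload: int
    version: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_header(pkt: bytes) -> IkeHeader:
    """Unpack the fixed header; reject packets too short to carry one."""
    if len(pkt) < IKE_HDR.size:
        raise ValueError("packet shorter than the 28-byte IKEv2 header")
    return IkeHeader(*IKE_HDR.unpack_from(pkt))


def classify(pkt: bytes, known_ispis: Set[bytes]) -> str:
    """RFC 4306 s2.21 handling for a packet on UDP 500/4500.

    'respond': normal processing; 'audit': log the suspicious message and
    send nothing; 'drop': unknown SA, request flagged (node MAY notify
    INVALID_IKE_SPI, which this example does not implement).
    """
    hdr = parse_header(pkt)
    if hdr.ispi in known_ispis:
        return "respond"                    # inside a known IKE_SA context
    if hdr.flags & FLAG_RESPONSE:
        return "audit"                      # marked response: MUST NOT respond
    if hdr.rspi == bytes(8) and hdr.exchange == EXCH_IKE_SA_INIT:
        return "respond"                    # genuine request to start an SA
    return "drop"


def build(ispi: bytes, rspi: bytes, exch: int, flags: int, mid: int = 0) -> bytes:
    """Constructed test packet: header only, Next Payload 33 (SA), version 2.0."""
    return IKE_HDR.pack(ispi, rspi, 33, 0x20, exch, flags, mid, IKE_HDR.size)


# Constructed packets: a valid IKE_SA_INIT request and the test's Packet #1.
GOOD_INIT = build(b"\x11" * 8, bytes(8), EXCH_IKE_SA_INIT, FLAG_INITIATOR)
BAD_INIT = build(b"\x11" * 8, bytes(8), EXCH_IKE_SA_INIT, FLAG_INITIATOR | FLAG_RESPONSE)
```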

Comment 1 Paul Wouters 2014-09-18 03:37:35 UTC
There was a logic bug in versions before libreswan-3.10 that could cause responding to a packet with the Response flag set. Is it possible to re-run this test against libreswan-3.10-3?

Comment 2 Hangbin Liu 2014-09-18 07:23:18 UTC
(In reply to Paul Wouters from comment #1)
> There was a logic bug in version before libreswan-3.10 that could cause
> responding to a packet with the Response flag set. Is it possible to re-run
> this test against libreswan-3.10-3 ?

Sure, no problem. I will let you know the result after the re-run.

Comment 3 Hangbin Liu 2014-10-23 02:47:14 UTC
Re-ran with libreswan-3.10-2.el7 and the test passed; no response found.

[1] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/
[2] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/201.html