Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1118121

Summary: [TAHI][IKEv2] IKEv2.EN.R.1.1.11.4: IKEv2 device should ignore an IKE request message whose Response bit is set.
Product: Red Hat Enterprise Linux 7 Reporter: Hangbin Liu <haliu>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE QA Contact: Hangbin Liu <haliu>
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: arubin, omoris
Target Milestone: beta   
Target Release: 7.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-23 02:47:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1049095    
Attachments:
Description Flags
test log none

Description Hangbin Liu 2014-07-10 03:19:21 UTC 
Created attachment 916986 [details]
test log

Description of problem:
RFC 4306 Section 2.21:
  If a node receives a message on UDP port 500 or 4500 outside the
  context of an IKE_SA known to it (and not a request to start one), it
  may be the result of a recent crash of the node. If the message is
  marked as a response, the node MAY audit the suspicious event but MUST
  NOT respond.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

       NUT                  TN1
    (End-Node)           (End-Node)
        |                    |
        |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
        |                    | (Judgement #1)
        |---------X          | IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
        |                    | (Packet #1)
        |                    |
        V                    V

    Packet #1 	See Common Packet #1
    Response bit is set to one.

  Part A (BASIC)
     1. TN starts to negotiate with NUT by sending IKE_SA_INIT request whose Response bit is
         set to one.
     2. Observe the messages transmitted on Link A.

Actual results:
The NUT responds an IKE_SA_INIT response to an IKE_SA_INIT request from the TN1.

Expected results:
The NUT never responds with an IKE_SA_INIT response to an IKE_SA_INIT request from the TN1.

Additional info:
Comment 1 Paul Wouters 2014-09-18 03:37:35 UTC 
There was a logic bug in version before libreswan-3.10 that could cause responding to a packet with the Response flag set. Is it possible to re-run this test against libreswan-3.10-3 ?
Comment 2 Hangbin Liu 2014-09-18 07:23:18 UTC 
(In reply to Paul Wouters from comment #1)
> There was a logic bug in version before libreswan-3.10 that could cause
> responding to a packet with the Response flag set. Is it possible to re-run
> this test against libreswan-3.10-3 ?

Sure, no problem. I will let you know the result after re-run.
Comment 3 Hangbin Liu 2014-10-23 02:47:14 UTC 
Rerun with libreswan-3.10-2.el7 and test passed now, no response found.

[1] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/
[2] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/201.html