Bug 1118121 - [TAHI][IKEv2] IKEv2.EN.R.1.1.11.4: IKEv2 device should ignore an IKE request message whose Response bit is set.
Summary: [TAHI][IKEv2] IKEv2.EN.R.1.1.11.4: IKEv2 device should ignore an IKE request ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: beta
Target Release: 7.1
Assignee: Paul Wouters
QA Contact: Hangbin Liu
URL:
Whiteboard:
Depends On:
Blocks: 1049095
Reported: 2014-07-10 03:19 UTC by Hangbin Liu
Modified: 2015-11-03 10:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-23 02:47:14 UTC


Attachments
test log (52.20 KB, text/html)
2014-07-10 03:19 UTC, Hangbin Liu

Description Hangbin Liu 2014-07-10 03:19:21 UTC
Created attachment 916986
test log

Description of problem:
RFC 4306 Section 2.21:
  If a node receives a message on UDP port 500 or 4500 outside the
  context of an IKE_SA known to it (and not a request to start one), it
  may be the result of a recent crash of the node. If the message is
  marked as a response, the node MAY audit the suspicious event but MUST
  NOT respond.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

       NUT                  TN1
    (End-Node)           (End-Node)
        |                    |
        |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
        |                    | (Judgement #1)
        |---------X          | IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
        |                    | (Packet #1)
        |                    |
        V                    V

    Packet #1    See Common Packet #1
                 Response bit is set to one.

  Part A (BASIC)
     1. TN starts to negotiate with NUT by sending IKE_SA_INIT request whose Response bit is
         set to one.
     2. Observe the messages transmitted on Link A.

Actual results:
The NUT responds with an IKE_SA_INIT response to the IKE_SA_INIT request from TN1.

Expected results:
The NUT never responds with an IKE_SA_INIT response to the IKE_SA_INIT request from TN1.

Additional info:

Comment 1 Paul Wouters 2014-09-18 03:37:35 UTC
There was a logic bug in versions before libreswan-3.10 that could cause responding to a packet with the Response flag set. Is it possible to re-run this test against libreswan-3.10-3?

Comment 2 Hangbin Liu 2014-09-18 07:23:18 UTC
(In reply to Paul Wouters from comment #1)
> There was a logic bug in versions before libreswan-3.10 that could cause
> responding to a packet with the Response flag set. Is it possible to re-run
> this test against libreswan-3.10-3?

Sure, no problem. I will let you know the result after re-run.

Comment 3 Hangbin Liu 2014-10-23 02:47:14 UTC
Reran with libreswan-3.10-2.el7 and the test passes now; no response found.

[1] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/
[2] http://10.66.13.78/IKEv2/IKEv2_ENODE_201_rhel7_pass/201.html
