Discussion:
strongswan: charon not reacting for higher major version in IKE header
gowrishankar
2012-06-30 07:13:11 UTC
strongswan: charon not reacting for higher major version in IKE header

strongSwan libcharon is found not to react to an invalid (or
higher) major version in the IKE header of a received packet.

As per RFC 4306 Section 2.5:
If an endpoint receives a message with a higher major version number,
it MUST drop the message and SHOULD send an unauthenticated
notification message containing the highest version number it
supports.

and RFC 5996 Section 2.5 clarifies the notification message type as
"INVALID_MAJOR_VERSION". Though the current implementation has a
portion of code for this in libcharon/network/receiver.c, it is not
executed when an IKE_SA_INIT request with an invalid major version is
sent (and I am not seeing any debug info in charon.log for the received
packet from the net or enc threads).

I tested with strongswan based on 4.6.

Can someone have a look at this?

Thanks,
Gowri Shankar
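The responder behaviour the RFC text above prescribes, written out as an added example in C (this is not strongSwan's receiver.c): the major-version check on a raw IKE header, and the unauthenticated reply carrying the highest supported version in its header plus an INVALID_MAJOR_VERSION Notify payload. Leaving the responder SPI zero in the reply is an assumption; the header used to exercise it is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IKE_HEADER_LEN 28
#define IKEV2_MAJOR 2
#define PAYLOAD_NOTIFY 41           /* Notify payload type, RFC 5996 3.2 */
#define INVALID_MAJOR_VERSION 5     /* Notify message type, RFC 5996 3.10.1 */
#define IKE_FLAG_RESPONSE 0x20

/* Responder check from RFC 5996 section 2.5. Returns 1 if the packet must
 * be dropped and an INVALID_MAJOR_VERSION notify sent, 0 if its major
 * version is one we handle, -1 if it is too short to carry an IKE header. */
int check_ike_major_version(const uint8_t *pkt, size_t len, uint8_t *major_out)
{
    if (len < IKE_HEADER_LEN) return -1;
    uint8_t major = pkt[17] >> 4;   /* version octet 17: major = high nibble */
    if (major_out) *major_out = major;
    return major > IKEV2_MAJOR ? 1 : 0;
}

/* Build the unauthenticated reply: an IKE header echoing the initiator SPI,
 * exchange type and message ID, with the Response flag set and the version
 * field carrying the highest version we support (2.0), followed by a single
 * Notify payload of type INVALID_MAJOR_VERSION (which carries no data).
 * The responder SPI is left zero because no IKE_SA exists yet (assumption).
 * Returns the number of bytes written, or 0 if out cannot hold the reply. */
size_t build_invalid_major_version_reply(const uint8_t *req, uint8_t *out, size_t out_len)
{
    const size_t notify_len = 8;            /* fixed Notify header, no SPI/data */
    const size_t total = IKE_HEADER_LEN + notify_len;
    if (out_len < total) return 0;
    memset(out, 0, total);
    memcpy(out, req, 8);                    /* IKE_SA initiator SPI */
    out[16] = PAYLOAD_NOTIFY;               /* next payload */
    out[17] = (uint8_t)(IKEV2_MAJOR << 4);  /* version 2.0 */
    out[18] = req[18];                      /* exchange type */
    out[19] = IKE_FLAG_RESPONSE;
    memcpy(out + 20, req + 20, 4);          /* message ID */
    out[24] = (uint8_t)(total >> 24); out[25] = (uint8_t)(total >> 16);
    out[26] = (uint8_t)(total >> 8);  out[27] = (uint8_t)total;
    /* Notify payload: next payload 0, critical bit clear, length, protocol ID
     * 0 and SPI size 0 (no SPI), then the 16-bit notify message type. */
    out[30] = (uint8_t)(notify_len >> 8); out[31] = (uint8_t)notify_len;
    out[34] = (uint8_t)(INVALID_MAJOR_VERSION >> 8);
    out[35] = (uint8_t)INVALID_MAJOR_VERSION;
    return total;
}
```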
Andreas Steffen
2012-06-30 15:08:55 UTC
Hi Gowri,

have a look at the following piece of code in the git repository

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/network/receiver.c;h=f0cb0b2d17d153205e97f880e7daa0fdea89f974;hb=HEAD#l409

which is the basis of today's strongSwan 5.0.0 release.

Regards

Andreas
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
gowrishankar
2012-06-30 18:05:52 UTC
Hi Andreas,

I tested with strongswan-5.0.0rc1 as well, but it is the same problem.
I'll debug some more and post updates here.

Thanks,
Gowri Shankar
Andreas Steffen
2012-06-30 18:41:19 UTC
Are you using the charon daemon with the socket-raw plugin which
filters and processes IKE major version 2 only or the socket-default
plugin which processes all IKE packets irrespective of the major
version? ipsec statusall shows which plugin is loaded.

Regards

Andreas
gowrishankar
2012-07-01 05:15:17 UTC
Hi Andreas,
Thanks a lot! Yes, it was using socket-raw (as pluto is also configured).
I disabled it explicitly in the configure options and enabled
socket-default, and I am seeing the invalid version notification
correctly.

Jun 30 17:04:35 09[ENC] parsing rule 3 U_INT_4
Jun 30 17:04:35 09[ENC] => 3
...
Jun 30 17:04:35 09[ENC] parsing HEADER payload finished
Jun 30 17:04:35 09[ENC] parsed a IKE_SA_INIT request
Jun 30 17:04:35 09[NET] received unsupported IKE version 3.0 from
y:y:y:1::1, sending INVALID_MAJOR_VERSION


Thanks,
Gowri Shankar
gowrishankar
2012-07-01 06:30:15 UTC
Hi Andreas,
I also realised now that both charon and pluto can be enabled
together wrt the socket receiving side (it was earlier a problem, as in

http://wiki.strongswan.org/issues/123

and was fixed in 4.5.0).

Another question here is: should the charon-raw plugin report an invalid
version notification instead of dropping the packet?

Thanks,
Gowri Shankar
Andreas Steffen
2012-07-01 07:54:05 UTC
Hi Gowri,

Since with the introduction of strongSwan 5.0.0 the pluto daemon has
gone away, there is no need for the socket-raw plugin any more, and as a
consequence we are not willing to invest any development effort into it.

Regards

Andreas