#60 ISAKMP P1 delete notifications cause P2 SAs to be deleted

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-01-16
Created: 2007-01-31
Creator: Uncle Pedro
Private: No

Phase1 PFS requires that a Phase1 (IKE) SA is allowed to protect at most 1 Phase2 (IPsec) SA negotiation.

The peer initiates an IKE negotiation followed by an IPsec negotiation -- both completing successfully. After the peer sends Quick Mode 3, it then sends an ISAKMP delete SA notification for the IKE SA that it is deleting -- that is, the one it just created and used to create the IPsec SA -- as is required by Phase1 PFS. Racoon receives this ISAKMP delete notification and deletes the IKE SA _and_ all of the IPsec SAs it just created. Thus, traffic is unable to flow.

This behavior is obviously incorrect.

Below is the tail of the log that shows the reception of an ISAKMP delete notification followed by racoon deleting both the IKE and IPsec SAs. It is clear that the ISAKMP delete notification is for an IKE SA with cookies f6b94dba62329819:a26028074c1c50d6 as seen in this post-crypto packet dump:
2007-01-31 16:59:02: DEBUG:
f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c 0c000014
33cab50d d0164719 1657785d c921cfa3 0000001c 00000001 01100001 f6b94dba
62329819 a2602807 4c1c50d6
To see this packet broken down and annotated, please refer to the attached file delete_notif_breakdown.txt.

Information regarding SAs created immediately prior to the reception of the aforementioned ISAKMP delete notification:
The IKE SA i-cookie:r-cookie
f6b94dba62329819:a26028074c1c50d6

The IPsec SA SPIs
--Inbound--
spi=3876058204 (0xe707f45c)
(from the log...)
2007-01-31 16:59:01: DEBUG: peer's single bundle:
2007-01-31 16:59:01: DEBUG: (proto_id=ESP spisize=4 spi=e707f45c spi_p=00000000 encmode=Tunnel reqid=0:0)
2007-01-31 16:59:01: DEBUG: (trns_id=AES encklen=128 authtype=254)

--Outbound--
spi=177458389 (0xa93ccd5)
(from the log...)
2007-01-31 16:59:01: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 30.0.0.101[0]->30.0.0.104[0] spi=177458389(0xa93ccd5)

<-- Begin log snippet -->
2007-01-31 16:59:02: DEBUG: ===
2007-01-31 16:59:02: DEBUG: 76 bytes message received from 30.0.0.101[500] to 30.0.0.104[500]
2007-01-31 16:59:02: DEBUG:
f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c aeb0fb73
bdb33a8f 1e37ee2b ed4cbfa2 db7145ac 70c93739 4e61e564 bd3728d1 ccff1cb8
d35e8c07 b1796b2b 30b8de6d
2007-01-31 16:59:02: DEBUG: receive Information.
2007-01-31 16:59:02: DEBUG: compute IV for phase2
2007-01-31 16:59:02: DEBUG: phase1 last IV:
2007-01-31 16:59:02: DEBUG:
dec3c67a 9ed57347 38bfce07
2007-01-31 16:59:02: DEBUG: hash(md5)
2007-01-31 16:59:02: DEBUG: encryption(des)
2007-01-31 16:59:02: DEBUG: phase2 IV computed:
2007-01-31 16:59:02: DEBUG:
aa911b21 c8551d85
2007-01-31 16:59:02: DEBUG: begin decryption.
2007-01-31 16:59:02: DEBUG: encryption(des)
2007-01-31 16:59:02: DEBUG: IV was saved for next processing:
2007-01-31 16:59:02: DEBUG:
b1796b2b 30b8de6d
2007-01-31 16:59:02: DEBUG: encryption(des)
2007-01-31 16:59:02: DEBUG: with key:
2007-01-31 16:59:02: DEBUG:
2a21eae1 2b20f798
2007-01-31 16:59:02: DEBUG: decrypted payload by IV:
2007-01-31 16:59:02: DEBUG:
aa911b21 c8551d85
2007-01-31 16:59:02: DEBUG: decrypted payload, but not trimed.
2007-01-31 16:59:02: DEBUG:
0c000014 33cab50d d0164719 1657785d c921cfa3 0000001c 00000001 01100001
f6b94dba 62329819 a2602807 4c1c50d6
2007-01-31 16:59:02: DEBUG: padding len=215
2007-01-31 16:59:02: DEBUG: skip to trim padding.
2007-01-31 16:59:02: DEBUG: decrypted.
2007-01-31 16:59:02: DEBUG:
f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c 0c000014
33cab50d d0164719 1657785d c921cfa3 0000001c 00000001 01100001 f6b94dba
62329819 a2602807 4c1c50d6
2007-01-31 16:59:02: DEBUG: IV freed
2007-01-31 16:59:02: DEBUG: HASH with:
2007-01-31 16:59:02: DEBUG:
38bfce07 0000001c 00000001 01100001 f6b94dba 62329819 a2602807 4c1c50d6
2007-01-31 16:59:02: DEBUG: hmac(hmac_md5)
2007-01-31 16:59:02: DEBUG: HASH computed:
2007-01-31 16:59:02: DEBUG:
33cab50d d0164719 1657785d c921cfa3
2007-01-31 16:59:02: DEBUG: hash validated.
2007-01-31 16:59:02: DEBUG: begin.
2007-01-31 16:59:02: DEBUG: seen nptype=8(hash)
2007-01-31 16:59:02: DEBUG: seen nptype=12(delete)
2007-01-31 16:59:02: DEBUG: succeed.
2007-01-31 16:59:02: DEBUG: delete payload for protocol ISAKMP
2007-01-31 16:59:02: INFO: purging ISAKMP-SA spi=f6b94dba62329819:a26028074c1c50d6.
2007-01-31 16:59:02: DEBUG: call pfkey_send_dump
2007-01-31 16:59:02: DEBUG: an undead schedule has been deleted.
2007-01-31 16:59:02: DEBUG: IV freed
2007-01-31 16:59:02: INFO: purged IPsec-SA spi=3876058204. // spi=0xe707f45c
2007-01-31 16:59:02: INFO: purged IPsec-SA spi=177458389. // spi=0xa93ccd5
2007-01-31 16:59:02: INFO: purged ISAKMP-SA spi=f6b94dba62329819:a26028074c1c50d6.
2007-01-31 16:59:02: DEBUG: purged SAs.
2007-01-31 16:59:02: DEBUG: get pfkey DELETE message
2007-01-31 16:59:02: DEBUG: DELETE message is not interesting because the message was originated by me.
2007-01-31 16:59:02: DEBUG: get pfkey DELETE message
2007-01-31 16:59:02: DEBUG: DELETE message is not interesting because the message was originated by me.
2007-01-31 16:59:03: INFO: ISAKMP-SA deleted 30.0.0.104[500]-30.0.0.101[500] spi:f6b94dba62329819:a26028074c1c50d6
2007-01-31 16:59:03: DEBUG: IV freed
<-- End log snippet -->
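The decrypted Informational exchange quoted above, worked through in code. This is an added example written for this page in Python; it is not racoon or ipsec-tools code and does not reproduce the patch discussed below. The 76-byte message, the IKE cookies, the two ESP SPIs and the "phase1 last IV" bytes are copied from the log lines in the report; the small SA table returned by `sadb_from_report()` and the `strict` switch in `apply_delete()` are this example's own constructions, used to contrast what a protocol-ISAKMP Delete payload names (one IKE SA, per RFC 2408) with what the log shows racoon tearing down. It also rebuilds the bytes that HASH(1) is computed over and recomputes the Phase 2 IV the way the log shows it (hash of the last Phase 1 CBC block and the message ID, truncated to the DES block size).

```python
import hashlib
import struct

# Values copied from the log lines quoted in the report.
DECRYPTED_INFORMATIONAL = bytes.fromhex(  # 76 bytes, dumped after "decrypted."
    "f6b94dba62329819a26028074c1c50d60810050138bfce070000004c0c000014"
    "33cab50dd01647191657785dc921cfa30000001c0000000101100001f6b94dba"
    "62329819a26028074c1c50d6")
IKE_COOKIES = bytes.fromhex("f6b94dba62329819a26028074c1c50d6")  # i-cookie:r-cookie
ESP_SPI_IN = bytes.fromhex("e707f45c")            # inbound ESP SPI, 3876058204
ESP_SPI_OUT = bytes.fromhex("0a93ccd5")           # outbound ESP SPI, 177458389
PH1_LAST_IV = bytes.fromhex("dec3c67a9ed57347")   # last Phase 1 CBC block

NP_NONE, NP_HASH, NP_DELETE = 0, 8, 12            # RFC 2408 next-payload types
EXCH_INFORMATIONAL, FLAG_ENCRYPTED = 5, 0x01      # RFC 2408 exchange type, flag bit
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3       # RFC 2407 protocol IDs


def parse_isakmp(msg):
    """Return (header dict, [(payload type, payload bytes incl. generic header)])."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, np, ver, etype, flags, msgid, length = struct.unpack(
        "!8s8sBBBB4sI", msg[:28])
    if length != len(msg):
        raise ValueError("length field %d != %d bytes present" % (length, len(msg)))
    hdr = {"icookie": icookie, "rcookie": rcookie, "version": ver,
           "exchange": etype, "flags": flags, "msgid": msgid}
    payloads, off = [], 28
    while np != NP_NONE:                 # walk the next-payload chain
        next_np, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((np, msg[off:off + plen]))  # header kept: HASH(1) covers it
        off, np = off + plen, next_np
    if off != len(msg):
        raise ValueError("%d trailing bytes after last payload" % (len(msg) - off))
    return hdr, payloads

def parse_delete(payload):
    """Decode a Delete payload (RFC 2408 section 3.15) into (DOI, protocol, [SPI])."""
    doi, proto, spisize, nspis = struct.unpack("!IBBH", payload[4:12])
    if len(payload) != 12 + spisize * nspis:
        raise ValueError("Delete payload length != 12 + SPI size * SPI count")
    return doi, proto, [payload[12 + i * spisize:12 + (i + 1) * spisize]
                        for i in range(nspis)]

def hash1_input(hdr, payloads):
    """Bytes HASH(1) = prf(SKEYID_a, M-ID | payloads after HASH) is taken over, as the
    log prints under "HASH with:".  SKEYID_a is not in the report, so no HMAC here."""
    if not payloads or payloads[0][0] != NP_HASH:
        raise ValueError("encrypted Informational must start with a HASH payload")
    return hdr["msgid"] + b"".join(p for _, p in payloads[1:])

def phase2_iv(ph1_last_iv, msgid, hash_name="md5", blocklen=8):
    """IV under an established Phase 1 SA (RFC 2409 appendix B): hash(last Phase 1
    CBC block | M-ID) cut to the cipher block size; the log shows md5 and DES."""
    return hashlib.new(hash_name, ph1_last_iv + msgid).digest()[:blocklen]

def sadb_from_report():
    """Model SA table (this example's, not racoon's) just before the notification:
    IKE SAs by cookies; IPsec SAs by SPI, mapped to the cookies that negotiated them."""
    return {"ike": {IKE_COOKIES: "established"},
            "ipsec": {ESP_SPI_IN: IKE_COOKIES, ESP_SPI_OUT: IKE_COOKIES}}

def apply_delete(sadb, proto, spis, strict=True):
    """Remove what the Delete names; return the [(kind, key)] removed.  strict=True:
    RFC semantics (ISAKMP delete -> that IKE SA only; AH/ESP delete -> those SPIs
    only).  strict=False: the log's behaviour, the IKE SA and the IPsec SAs it made."""
    removed = []
    if proto == PROTO_ISAKMP:
        for cookies in spis:
            if sadb["ike"].pop(cookies, None) is None:
                continue                              # unknown SA: ignore it
            removed.append(("ike", cookies))
            if not strict:
                for spi, owner in list(sadb["ipsec"].items()):
                    if owner == cookies:
                        del sadb["ipsec"][spi]
                        removed.append(("ipsec", spi))
    elif proto in (PROTO_AH, PROTO_ESP):
        for spi in spis:
            if sadb["ipsec"].pop(spi, None) is not None:
                removed.append(("ipsec", spi))
    else:
        raise ValueError("unsupported protocol id %d in Delete payload" % proto)
    return removed

def process_informational(msg, strict=True):
    """Parse one decrypted Informational, apply its Delete payloads to a fresh model
    SA table and return (removed entries, remaining table)."""
    hdr, payloads = parse_isakmp(msg)
    if hdr["exchange"] != EXCH_INFORMATIONAL or not hdr["flags"] & FLAG_ENCRYPTED:
        raise ValueError("expected an encrypted Informational exchange")
    sadb, removed = sadb_from_report(), []
    for ptype, payload in payloads:
        if ptype == NP_DELETE:
            _doi, proto, spis = parse_delete(payload)
            removed += apply_delete(sadb, proto, spis, strict)
    return removed, sadb
```

`process_informational(DECRYPTED_INFORMATIONAL)` removes only the IKE SA with cookies f6b94dba62329819:a26028074c1c50d6 and leaves both ESP SPIs in place; `strict=False` removes all three, matching the three `purged` lines in the log. `hash1_input()` returns exactly the bytes dumped under "HASH with:", and `phase2_iv(PH1_LAST_IV, msgid)` returns the bytes dumped under "phase2 IV computed:"; checking the HMAC-MD5 itself would need SKEYID_a, which the report does not contain.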

Discussion

  • Uncle Pedro
    2007-01-31

    ISAKMP delete notification packet breakdown
  • Uncle Pedro
    2007-01-31

    Full log

    Attachments
  • Uncle Pedro
    2007-01-31

    Adding full log as attachment.
    File Added: no_p1pfs_support.log
  • Uncle Pedro
    2007-02-14

    I am attaching a proposed fix for this bug.
    I've tested the patch and it works for me, but I am definitely NOT sure about whether or not the call to "isakmp_ph1expire()" is a legitimate replacement for "purge_remote()".

    Thank you.
    File Added: p1delnotif-cvs.patch
  • Uncle Pedro
    2007-02-14

    Patch for processing ISAKMP Delete Notifications

    Attachments
  • Logged In: NO

    The patch was a little bit out of date; I just committed an updated version on HEAD and 0.7.

    Yvan.
  • Uncle Pedro
    2007-02-15

    Yvan,

    Thank you for updating it and committing it.

    For future reference, can you tell me how to make sure I don't have an out-of-date version of the source before patching? I ran `cvs -z3 -d:pserver:anonymous@ipsec-tools.cvs.sourceforge.net:/cvsroot/ipsec-tools co -P ipsec-tools` -- is this not right?

    Thanks.
  • Logged In: NO

    HEAD and V0.7 are hosted on NetBSD's CVS; please have a look at the ipsec-tools-devel@ archives to get more details.

    Yvan.
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.
  • Timo Teras
    2009-01-16

    • status: open --> closed