[Ipsec-tools-devel] Handling authentication error messages
From: Alexander S. <ale...@gm...> - 2013-07-12 16:10:24
Looking at why racoon does nothing but complain in the log about "AUTHENTICATION-FAILED" messages, I've found the following code inside isakmp_info_recv_n():

    /* If we receive a error notification we should delete the related
     * phase1 / phase2 handle, and send an event to racoonctl.
     * However, since phase1 error notifications are not encrypted and
     * can not be authenticated, it would allow a DoS attack possibility
     * to handle them.
     * Phase2 error notifications should be encrypted, so we could handle
     * those, but it needs implementing (the old code didn't implement
     * that either).
     * So we are good to just log the messages here. */
    if (encrypted)
        isakmp_log_notify(iph1, notify, "informational exchange");
    else
        isakmp_log_notify(iph1, notify, "unencrypted informational exchange");

Ignoring unprotected messages looks quite reasonable to me. But checking for the "encrypted" flag in a place where messages are supposed to be unencrypted confuses me. I suppose not all error messages from phase 1 come unprotected. At least the AUTHENTICATION-FAILED message from Main mode with certificate auth is expected to be encrypted.

I am willing to try and implement a handler for at least part of the encrypted errors, but I am asking whether there are some other reasons (not covered by the comment in the code) preventing error handling.
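The decision the quoted comment describes, written out as an added example that is not racoon's own code: parse the fixed ISAKMP header (RFC 2408), read the Encryption bit from the flags byte, extract the notify type from a Notification payload, and only treat an error notification as actionable when it arrived encrypted. Unencrypted notifications are logged and nothing else, which is the DoS concern in the comment: anyone on the path can send an unprotected AUTHENTICATION-FAILED. The packet layout constants are RFC 2408 values; `classify_notify`, `build_sample` and `demo_result` are names chosen here, and the sample packet is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constants from RFC 2408 (ISAKMP). */
#define ISAKMP_HDR_LEN           28
#define ISAKMP_FLAG_E            0x01  /* Encryption bit in the header flags byte */
#define ISAKMP_ETYPE_INFO        5     /* Informational exchange */
#define ISAKMP_NPTYPE_N          11    /* Notification payload */
#define ISAKMP_NTYPE_AUTH_FAILED 24    /* AUTHENTICATION-FAILED */
#define ISAKMP_NOTIFY_FIXED_LEN  12    /* generic hdr(4) + DOI(4) + proto(1) + SPI size(1) + type(2) */

struct isakmp_hdr {
    uint8_t  i_ck[8];   /* initiator cookie */
    uint8_t  r_ck[8];   /* responder cookie */
    uint8_t  np;        /* next payload */
    uint8_t  vers;      /* major/minor version, 0x10 for IKEv1 */
    uint8_t  etype;     /* exchange type */
    uint8_t  flags;
    uint32_t msgid;
    uint32_t len;
};

enum notify_action {
    NOTIFY_DROP = 0,      /* malformed or not an informational notification */
    NOTIFY_LOG_ONLY = 1,  /* record it, but do not touch any phase 1 / phase 2 handle */
    NOTIFY_HANDLE = 2     /* arrived encrypted: a candidate for deleting the related handle */
};

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed ISAKMP header. Returns 0 on success, -1 if the buffer is too
 * short or the length field disagrees with the number of bytes received. */
int parse_isakmp_hdr(const uint8_t *buf, size_t n, struct isakmp_hdr *h) {
    if (n < ISAKMP_HDR_LEN) return -1;
    memcpy(h->i_ck, buf, 8);
    memcpy(h->r_ck, buf + 8, 8);
    h->np = buf[16]; h->vers = buf[17]; h->etype = buf[18]; h->flags = buf[19];
    h->msgid = get_be32(buf + 20);
    h->len = get_be32(buf + 24);
    if (h->len != n) return -1;
    return 0;
}

/* Notify message type from a Notification payload that directly follows the
 * header. The body is assumed to be plaintext already (decrypted by the caller
 * when the E bit is set). Returns the type, or -1 if the payload is malformed. */
int parse_notify_type(const uint8_t *body, size_t n) {
    if (n < ISAKMP_NOTIFY_FIXED_LEN) return -1;
    uint16_t plen = get_be16(body + 2);
    if (plen < ISAKMP_NOTIFY_FIXED_LEN || plen > n) return -1;
    return get_be16(body + 10);
}

/* Apply the rule from the racoon comment: an unprotected notification is only
 * logged. The E bit alone says nothing about who sent the message, so a real
 * handler would additionally check the phase 1 state of the matching cookies
 * before acting; that state check is not modelled here. */
enum notify_action classify_notify(const uint8_t *pkt, size_t n) {
    struct isakmp_hdr h;
    if (parse_isakmp_hdr(pkt, n, &h) != 0) return NOTIFY_DROP;
    if (h.etype != ISAKMP_ETYPE_INFO || h.np != ISAKMP_NPTYPE_N) return NOTIFY_DROP;
    int ntype = parse_notify_type(pkt + ISAKMP_HDR_LEN, n - ISAKMP_HDR_LEN);
    if (ntype < 0) return NOTIFY_DROP;
    if (!(h.flags & ISAKMP_FLAG_E)) return NOTIFY_LOG_ONLY;
    if (ntype == ISAKMP_NTYPE_AUTH_FAILED) return NOTIFY_HANDLE;
    return NOTIFY_LOG_ONLY;  /* encrypted, but not a type we act on */
}

/* Constructed sample: header + AUTHENTICATION-FAILED notify (IPsec DOI, protocol
 * ISAKMP, no SPI). Returns the packet length written to out (40 bytes). */
size_t build_sample(uint8_t *out, int encrypted) {
    static const uint8_t notify[ISAKMP_NOTIFY_FIXED_LEN] = {
        0x00, 0x00, 0x00, 0x0c,   /* next payload NONE, reserved, payload length 12 */
        0x00, 0x00, 0x00, 0x01,   /* DOI 1: IPsec */
        0x01, 0x00,               /* protocol ISAKMP, SPI size 0 */
        0x00, 0x18                /* notify type 24 = AUTHENTICATION-FAILED */
    };
    size_t total = ISAKMP_HDR_LEN + sizeof notify;
    memset(out, 0xAA, 8); memset(out + 8, 0xBB, 8);   /* constructed cookies */
    out[16] = ISAKMP_NPTYPE_N; out[17] = 0x10; out[18] = ISAKMP_ETYPE_INFO;
    out[19] = encrypted ? ISAKMP_FLAG_E : 0;
    out[20] = 0x12; out[21] = 0x34; out[22] = 0x56; out[23] = 0x78;  /* message id */
    out[24] = 0; out[25] = 0; out[26] = 0; out[27] = (uint8_t)total;
    memcpy(out + ISAKMP_HDR_LEN, notify, sizeof notify);
    return total;
}

/* Convenience wrapper: classify the constructed sample, optionally truncated. */
int demo_result(int encrypted, size_t truncate_to) {
    uint8_t pkt[64];
    size_t n = build_sample(pkt, encrypted);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return (int)classify_notify(pkt, n);
}

int main(void) {
    printf("unencrypted AUTHENTICATION-FAILED -> %d (1 = log only)\n", demo_result(0, 0));
    printf("encrypted   AUTHENTICATION-FAILED -> %d (2 = handle)\n", demo_result(1, 0));
    printf("truncated packet                  -> %d (0 = drop)\n", demo_result(1, 30));
    return 0;
}
```

Run as is; the three lines show that the same AUTHENTICATION-FAILED notification is treated differently depending only on the Encryption bit, and that a packet whose header length does not match what was received is dropped before any notify parsing.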