Hi Jean-Francois,
> When receiving an informational packet with a notify payload for
> INVALID_SPI, the initiator SPI of the IKE header can be 0
> (https://www.rfc-editor.org/rfc/rfc4718#section-7.7).

Please refer to RFC 7296 for IKEv2; this clarification has been
incorporated into section 1.5 there.

> However, when building without mediation support, this kind of IKE
> header is rejected. Maybe this check can be delayed for INFORMATIONAL
> exchanges until the next payload has been parsed.
> Any thoughts about this?

We currently don't support INVALID_SPI notifies at all (or parsing
unprotected INFORMATIONAL requests outside of an IKE_SA, for that
matter), so I don't see the need to change anything at the moment.
Regards,
Tobias
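The header check discussed in this thread, as an added example that is not the project's own code: it parses the fixed IKEv2 header and a leading Notify payload, and accepts a zero initiator SPI only when the message is an INFORMATIONAL exchange whose first payload is an INVALID_SPI notify, returning a verdict and creating no IKE_SA state. The constant values are the RFC 7296 registry values; the function names, the verdict enum, the constructed sample packet and the assumption that the notify is the first payload are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Registry values from RFC 7296 (exchange type, payload type, notify type). */
#define IKEV2_EXCHANGE_INFORMATIONAL 37
#define IKEV2_EXCHANGE_IKE_SA_INIT   34
#define IKEV2_PAYLOAD_NOTIFY         41
#define IKEV2_NOTIFY_INVALID_SPI     11
#define IKEV2_PROTO_ESP              3
#define IKEV2_HEADER_LEN             28
#define IKEV2_NOTIFY_FIXED_LEN       8   /* generic header (4) + proto, SPI size, type (4) */

/* Hypothetical verdict type: what a receiver should do with the datagram. */
enum verdict {
    VERDICT_ACCEPT_PROTECTED,   /* non-zero SPIs: look up the IKE_SA as usual */
    VERDICT_ACCEPT_UNPROTECTED, /* zero initiator SPI carrying INVALID_SPI: no state, no reply */
    VERDICT_REJECT              /* malformed, or zero initiator SPI in any other context */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Classify one UDP payload. The zero-initiator-SPI rule is deferred until the
 * first payload has been inspected, instead of rejecting on the header alone. */
enum verdict classify_ikev2_message(const uint8_t *buf, size_t len)
{
    if (len < IKEV2_HEADER_LEN) return VERDICT_REJECT;
    uint64_t spi_i    = rd64(buf);
    uint8_t  next     = buf[16];
    uint8_t  version  = buf[17];
    uint8_t  exchange = buf[18];
    uint32_t length   = rd32(buf + 24);
    if ((version >> 4) != 2 || length != len) return VERDICT_REJECT;
    if (spi_i != 0) return VERDICT_ACCEPT_PROTECTED;

    /* Zero initiator SPI: only valid for an unprotected INFORMATIONAL message
     * outside any IKE_SA, and here only when it leads with INVALID_SPI. */
    if (exchange != IKEV2_EXCHANGE_INFORMATIONAL) return VERDICT_REJECT;
    if (next != IKEV2_PAYLOAD_NOTIFY) return VERDICT_REJECT;
    if (len < IKEV2_HEADER_LEN + IKEV2_NOTIFY_FIXED_LEN) return VERDICT_REJECT;

    const uint8_t *n = buf + IKEV2_HEADER_LEN;
    uint16_t plen     = rd16(n + 2);
    uint8_t  spi_size = n[5];
    uint16_t ntype    = rd16(n + 6);
    if (plen < IKEV2_NOTIFY_FIXED_LEN + spi_size) return VERDICT_REJECT;
    if (IKEV2_HEADER_LEN + (size_t)plen > len) return VERDICT_REJECT;
    if (ntype != IKEV2_NOTIFY_INVALID_SPI) return VERDICT_REJECT;
    return VERDICT_ACCEPT_UNPROTECTED;
}

/* Constructed sample: an unprotected INFORMATIONAL request with both IKE SPIs
 * zero and a single INVALID_SPI notify naming an unknown ESP SPI. */
size_t build_invalid_spi_notify(uint8_t *out, size_t cap, uint32_t esp_spi)
{
    size_t plen  = IKEV2_NOTIFY_FIXED_LEN + 4;   /* 4-byte ESP SPI */
    size_t total = IKEV2_HEADER_LEN + plen;
    if (cap < total) return 0;
    memset(out, 0, total);                       /* both IKE SPIs stay zero */
    out[16] = IKEV2_PAYLOAD_NOTIFY;
    out[17] = 0x20;                              /* version 2.0 */
    out[18] = IKEV2_EXCHANGE_INFORMATIONAL;
    out[19] = 0x08;                              /* Initiator flag, not a response */
    wr32(out + 24, (uint32_t)total);
    uint8_t *n = out + IKEV2_HEADER_LEN;
    n[0] = 0;                                    /* no further payload */
    wr16(n + 2, (uint16_t)plen);
    n[4] = IKEV2_PROTO_ESP;
    n[5] = 4;                                    /* SPI size */
    wr16(n + 6, IKEV2_NOTIFY_INVALID_SPI);
    wr32(n + 8, esp_spi);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    size_t len = build_invalid_spi_notify(buf, sizeof buf, 0x12345678u);
    printf("verdict=%d (1 = accept unprotected, create no state)\n",
           classify_ikev2_message(buf, len));
    return 0;
}
```

A receiver that returns VERDICT_ACCEPT_UNPROTECTED must still treat the message as unauthenticated: it can log the reported SPI for diagnostics, but should not send a response or touch any existing SA on the strength of it.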