> After a second read it seems to me that there is one more obstacle to
> that attack in the real world.
> It seems that the attacker appends the original initiator's SAi, KEi, Ni
> payloads to its message sent to the responder (as info`). So, this message
> would contain two SA payloads, two KE payloads etc. I believe the
> responder must return INVALID_SYNTAX in this case.
[HJ] Agree; however, I can't find any text in RFC7296 that states the responder needs to reject the request and return INVALID_SYNTAX in such a case; an implementation might choose to just simply ignore the subsequent redundant payload and proceed...

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
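As an added illustration of the responder-side check the thread is debating (example code written here, not from either poster or any IKE implementation): a minimal walk of the IKEv2 generic payload chain that counts SA, KE and Ni payloads in an IKE_SA_INIT request and reports INVALID_SYNTAX when any appears more than once. Returning INVALID_SYNTAX is the stricter policy from the discussion, not something RFC 7296 mandates; `build_msg` and its dummy SPIs and bodies are constructed test helpers.

```python
import struct

IKE_HDR_LEN = 28
IKE_SA_INIT = 34
SA, KE, NONCE = 33, 34, 40   # payload type numbers, RFC 7296 section 3.2
INVALID_SYNTAX = 7           # notify message type, RFC 7296 section 3.10.1


def parse_payloads(msg):
    """Walk the generic payload headers; return [(type, body), ...] or raise ValueError."""
    if len(msg) < IKE_HDR_LEN:
        raise ValueError("message shorter than IKE header")
    next_type = msg[16]          # Next Payload field of the IKE header
    off = IKE_HDR_LEN
    payloads = []
    while next_type != 0:        # 0 = no next payload
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack("!BBH", msg[off:off + 4])
        if length < 4 or off + length > len(msg):
            raise ValueError("bad payload length")
        payloads.append((next_type, msg[off + 4:off + length]))
        off += length
        next_type = nxt
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return payloads


def check_ike_sa_init(msg):
    """Strict responder policy: INVALID_SYNTAX if SA, KE or Ni is duplicated, else None."""
    counts = {}
    for ptype, _body in parse_payloads(msg):
        counts[ptype] = counts.get(ptype, 0) + 1
    if any(counts.get(t, 0) > 1 for t in (SA, KE, NONCE)):
        return INVALID_SYNTAX
    return None


def build_msg(payloads):
    """Constructed helper: assemble an IKE_SA_INIT request from (type, body) tuples."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first,
                      0x20, IKE_SA_INIT, 0x08, 0, IKE_HDR_LEN + len(body))
    return hdr + body
```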
