Re: iked support for IKEv2 Message Fragmentation (RFC 7383)

[Tim Stewart]

Hello tech@,

Here is a small initial patch related to message fragmentation. 
ikev2_msg_decrypt() claims to strip the padding from the decrypted IKE 
payloads, but actually leaves it tacked on the end of the returned ibuf. 
This is fine in the unfragmented case since the inner payloads have 
their own lengths, but it is awkward to use the returned ibuf directly 
as input to a fragment queue.


The patch below sets the proper size on the returned ibuf.  The code 
still functions well for me even in the unfragmented case.


-TimS

Index: ikev2_msg.c
===
RCS file: /cvs/src/sbin/iked/ikev2_msg.c,v
retrieving revision 1.53
diff -u -p -u -p -r1.53 ikev2_msg.c
--- ikev2_msg.c 27 Nov 2017 18:39:35 -  1.53
+++ ikev2_msg.c 18 Jul 2018 00:18:45 -
@@ -616,7 +616,7 @@ ikev2_msg_decrypt(struct iked *env, stru
__func__, outlen, encrlen, pad);
print_hex(ibuf_data(out), 0, ibuf_size(out));

-   if (ibuf_setsize(out, outlen) != 0)
+   if (ibuf_setsize(out, outlen - pad - 1) != 0)
goto done;

ibuf_release(src);

iked support for IKEv2 Message Fragmentation (RFC 7383)

[Tim Stewart]

Hello tech@,

My IKEv2 sessions are occasionally down due to transit networks dropping
UDP fragments for one reason or another[1].  It happens frequently
enough that I am considering implementing support for RFC 7383 in iked.

Before I dig in, I feel that I should ask if anyone has already started
on such work.  If not, perhaps someone that is familiar with the code
could suggest an approach at a high level?

Thanks for any advice,

-TimS


[1] Whenver I've asked, the reason is usually something about DDoS
prevention.

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org