On Thu, 1 Nov 2018 at 17:36, Andrew Cagney <[email protected]> wrote: > > Reading https://tools.ietf.org/html/rfc7296#section-2.9 I get the > feeling that the traffic selectors in the TSi/TSr payloads are always > paired - TSi[n] goes with TSr[n]. The examples, for instance, do > this. And without matching pairs things struggle to make sense. > However, I couldn't find text clearly spelling this out. Perhaps I'm > missing something. > > This would mean code should check elemsof(TSi) == elemsof(TSr).
I still think this is true, strongswan disagrees. In interop-ikev2-strongswan-39-mobike-responder pluto sends a single pair of traffic selectors: | ****emit IKEv2 Traffic Selector - Initiator - Payload: | number of TS: 1 (0x1) | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | ipv4 start 00 00 00 00 | ipv4 end ff ff ff ff | ****emit IKEv2 Traffic Selector - Responder - Payload: | number of TS: 1 (0x1) | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | ipv4 start c0 00 02 00 | ipv4 end c0 00 02 ff but strongswan comes back with: proposing traffic selectors for us: 192.0.2.0/24 proposing traffic selectors for other: 192.0.3.1/32 192.0.3.2/32 as in: | **parse IKEv2 Traffic Selector - Initiator - Payload: | number of TS: 2 (0x2) | TS: parse initiator traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | ipv4 ts low c0 00 03 01 | ipv4 ts high c0 00 03 01 | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | ipv4 ts low c0 00 03 02 | ipv4 ts high c0 00 03 02 | TS: parsed 2 TS payloads | **parse IKEv2 Traffic Selector - Responder - Payload: | number of TS: 1 (0x1) | TS: parse responder traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | ipv4 ts low c0 00 02 00 | ipv4 ts high c0 00 02 ff | TS: parsed 1 TS payloads which with "ikev2 ts: group paired traffic selectors in a single structure" gets rejected. (and this cascades eventually cause a core dump because the initiator has an authenticated parent with no child). _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
