Just because the RFC states that critical shouldn't be set in a reply, that isn't a reason for removing our ability to do it on a per-notify basis - after all, that is what fuzz testing is all about.
On Fri, 21 Dec 2018 at 11:35, Paul Wouters <[email protected]> wrote:
>
> New commits:
> commit ca6287c54c8e87eec5975b46618ca44b9712499d
> Author: Paul Wouters <[email protected]>
> Date: Fri Dec 21 11:33:38 2018 -0500
>
> Revert "Revert "pluto: emit_v2N's "critical" parameter since it was
> identical in each call""
>
> This reverts commit 526a3c46693bdd521fbe4c739a33c4e8f5ce89c8.
>
> Hugh was actually right, as per RFC 7296:
>
> IKEv2 adds a "critical" flag to each payload header for further
> flexibility for forward compatibility. If the critical flag is set
> and the payload type is unrecognized, the message MUST be rejected
> and the response to the IKE request containing that payload MUST
> include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an
> unsupported critical payload was included. In that Notify payload,
> the Notification Data contains the one-octet payload type. If the
> critical flag is not set and the payload type is unsupported, that
> payload MUST be ignored. Payloads sent in IKE response messages
> MUST NOT have the critical flag set. Note that the critical flag
> applies only to the payload type, not the contents. If the payload
> type is recognized, but the payload contains something that is not
> (such as an unknown transform inside an SA payload, or an unknown
> Notify Message Type inside a Notify payload), the critical flag is
> ignored.
>
> So I guess this actually means, since we all must understand the Notify
> type payload, even if we don't understand the content (notify type +
> payload), so all notify payloads do NOT set the critical flag.
>
> _______________________________________________
> Swan-commit mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-commit

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
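The receiver side of the RFC 7296 section 2.5 rule quoted in the commit message, written out as an added example (it is not libreswan code and not part of this thread): a walker over an IKEv2 payload chain that judges the critical flag on the payload type only, so a Notify payload (type 41) carrying an unknown Notify Message Type is still accepted, an unrecognized non-critical payload is skipped, and an unrecognized critical payload rejects the message with the one-octet type to echo in UNSUPPORTED_CRITICAL_PAYLOAD. A critical flag seen in a response is counted as a peer bug rather than acted on, since the RFC only says the sender MUST NOT set it. The payload type numbers, the generic header layout and the notify type value are from RFC 7296; the function names, the `walk_result` struct and the sample byte strings are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IKEv2 payload type numbers (RFC 7296 section 3.2); 33..48 are the types the
 * RFC defines, so anything outside that range counts as "unrecognized" here. */
enum { PT_NONE = 0, PT_SA = 33, PT_NONCE = 40, PT_N = 41, PT_EAP = 48 };

/* Notify Message Type a rejecting responder sends back (section 3.10.1). */
#define N_UNSUPPORTED_CRITICAL_PAYLOAD 1

#define GENERIC_HDR_LEN 4   /* Next Payload, C+Reserved, Payload Length (2 octets) */
#define CRITICAL_BIT    0x80

enum walk_status { WALK_OK, WALK_MALFORMED, WALK_REJECT_CRITICAL };

struct walk_result {                /* constructed for this example */
    enum walk_status status;
    uint8_t offending_type;         /* payload type to put in the Notification Data */
    unsigned ignored_unknown;       /* unrecognized, non-critical payloads skipped */
    unsigned critical_in_response;  /* critical flag seen in a response: peer bug, logged only */
};

static bool payload_type_known(uint8_t t) { return t >= PT_SA && t <= PT_EAP; }

/* Walk the payload chain of one (already decrypted) message body and apply the
 * critical-flag rule.  The flag is judged on the payload *type* only: a Notify
 * payload whose Notify Message Type we do not know is still a known payload
 * type, so its critical flag is ignored, exactly as the RFC text says. */
enum walk_status walk_payloads(const uint8_t *buf, size_t len, uint8_t first_type,
                               bool is_response, struct walk_result *r)
{
    *r = (struct walk_result){ .status = WALK_OK };
    size_t off = 0;
    uint8_t type = first_type;

    while (type != PT_NONE) {
        if (len - off < GENERIC_HDR_LEN)
            return r->status = WALK_MALFORMED;
        uint8_t next = buf[off];
        bool critical = (buf[off + 1] & CRITICAL_BIT) != 0;
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < GENERIC_HDR_LEN || plen > len - off)
            return r->status = WALK_MALFORMED;   /* length runs past the buffer */

        if (is_response && critical)
            r->critical_in_response++;   /* "response messages MUST NOT have the critical flag set" */

        if (!payload_type_known(type)) {
            if (critical) {
                r->offending_type = type;            /* echoed in UNSUPPORTED_CRITICAL_PAYLOAD */
                return r->status = WALK_REJECT_CRITICAL;
            }
            r->ignored_unknown++;                    /* not critical: "MUST be ignored" */
        }
        off += plen;
        type = next;
    }
    return off == len ? WALK_OK : (r->status = WALK_MALFORMED);  /* no trailing bytes allowed */
}

/* Constructed sample request body, first payload type = Nonce (40):
 *   Nonce    (next=41,  C=0, len=8)  four nonce bytes
 *   Notify   (next=200, C=1, len=8)  proto=0, spi_size=0, type=0x7fff (unknown to us)
 *   type 200 (next=0,   C=0, len=5)  one opaque byte, unrecognized but not critical */
static const uint8_t sample_ok[] = {
    41, 0x00, 0x00, 0x08, 0xaa, 0xbb, 0xcc, 0xdd,
    200, 0x80, 0x00, 0x08, 0x00, 0x00, 0x7f, 0xff,
    0, 0x00, 0x00, 0x05, 0x42,
};
static const size_t sample_ok_len = sizeof sample_ok;

/* Constructed: the unrecognized type-200 payload now has the critical flag set. */
static const uint8_t sample_reject[] = {
    200, 0x00, 0x00, 0x08, 0xaa, 0xbb, 0xcc, 0xdd,
    0, 0x80, 0x00, 0x05, 0x42,
};
static const size_t sample_reject_len = sizeof sample_reject;

/* Constructed: the nonce payload claims 8 octets but only 6 are present. */
static const uint8_t sample_short[] = { 0, 0x00, 0x00, 0x08, 0xaa, 0xbb };
static const size_t sample_short_len = sizeof sample_short;

int main(void)
{
    struct walk_result r;
    walk_payloads(sample_ok, sample_ok_len, PT_NONCE, false, &r);
    printf("request: status=%d ignored_unknown=%u\n", r.status, r.ignored_unknown);
    walk_payloads(sample_reject, sample_reject_len, PT_NONCE, false, &r);
    printf("reject: status=%d, reply with N(type %d) data=%u\n",
           r.status, N_UNSUPPORTED_CRITICAL_PAYLOAD, r.offending_type);
    return 0;
}
```

The walker checks each Payload Length against the remaining buffer before trusting it and refuses trailing bytes, which is the part a fuzzer exercising the critical bit will hit first; the `critical_in_response` counter is what a peer's emitter with an arbitrary per-notify critical parameter, as discussed above, would trip on the receiving end.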
