On 2017/06/25 21:44, Tim Stewart wrote:
> My first patch did, in fact, break Child SAs rekeying. I have a new
> patch at the end of this message that simply restricts DH group
> negotiation to IKE SAs (I *think* that DH group guessing only applies to
> IKE SAs, and perhaps only the IKE_SA_INIT exchange, but I'm still
> working through the RFC). This may not be the ultimate solution, but it
> does allow us to move forward.

Reading RFC 7296 it looks like throwing INVALID_KE_PAYLOAD is fine for both establishing the IKE SA and rekeying the Child SAs. If we select a proposal from the msg that uses a different DH group than the one that's used in the KEi (in the same msg) we need to throw INVALID_KE_PAYLOAD. Since all messages subsequent to the initial exchange must be encrypted, the INVALID_KE_PAYLOAD message on rekeying Child SAs must be encrypted.

Apparently with the previous diff the Child SA rekeying failed. This is because the code sends the INVALID_KE_PAYLOAD response unencrypted.

Also I have found inconsistencies in handling INVALID_KE_PAYLOAD with us acting as initiator. I will take a look at both cases and will follow up.

Patrick
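
The responder-side rule discussed in this message, as an added example that is not part of the original mail and is not iked code: compare the DH group of the selected proposal with the group in KEi, build the INVALID_KE_PAYLOAD Notify payload on a mismatch, and flag whether it has to go inside an encrypted (SK) payload. The struct and function names are hypothetical; the numeric constants are the RFC 7296 values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 7296 values */
#define EXCH_IKE_SA_INIT     34
#define EXCH_CREATE_CHILD_SA 36
#define N_INVALID_KE_PAYLOAD 17

struct ke_decision {            /* hypothetical result type */
    bool    reject;             /* answer with INVALID_KE_PAYLOAD */
    bool    encrypt;            /* notify must be carried in an SK payload */
    uint8_t notify[10];         /* complete Notify payload */
    size_t  notify_len;
};

/*
 * selected_group: DH group of the proposal the responder chose.
 * kei_group:      DH group number found in the KEi payload of the same message.
 */
static struct ke_decision
check_ke_group(uint8_t exchange, uint16_t selected_group, uint16_t kei_group)
{
    struct ke_decision d = {0};

    if (selected_group == kei_group)
        return d;               /* groups agree, continue the exchange */
    d.reject = true;
    /* Only IKE_SA_INIT is sent in the clear; a Child SA rekey is not. */
    d.encrypt = (exchange != EXCH_IKE_SA_INIT);
    d.notify[0] = 0;            /* next payload: none */
    d.notify[1] = 0;            /* critical bit clear, reserved bits */
    d.notify[2] = 0;            /* payload length, network byte order */
    d.notify[3] = sizeof(d.notify);
    d.notify[4] = 0;            /* protocol ID: zero, no SPI present */
    d.notify[5] = 0;            /* SPI size */
    d.notify[6] = N_INVALID_KE_PAYLOAD >> 8;
    d.notify[7] = N_INVALID_KE_PAYLOAD & 0xff;
    d.notify[8] = selected_group >> 8;   /* data: the group we accept */
    d.notify[9] = selected_group & 0xff;
    d.notify_len = sizeof(d.notify);
    return d;
}

int main(void)
{
    /* Constructed case: rekey offers group 14 in KEi, we selected 19. */
    struct ke_decision d = check_ke_group(EXCH_CREATE_CHILD_SA, 19, 14);
    printf("reject=%d encrypt=%d len=%zu\n", d.reject, d.encrypt, d.notify_len);
    return 0;
}
```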
