3.10. Notify Payload
The Notify payload, denoted as N in this document, is used to transmit informational data, such as error conditions and state transitions, to an IKE peer. A Notify payload may appear in a response message (usually specifying why a request was rejected), in an INFORMATIONAL exchange (to report an error not in an IKE request), or in any other message to indicate sender capabilities or to modify the meaning of the request.
The Notify payload is defined as follows:
```
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload  |C|  RESERVED   |         Payload Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Protocol ID  |   SPI Size    |      Notify Message Type      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                Security Parameter Index (SPI)                 ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                       Notification Data                       ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

Figure 16: Notify Payload Format
- Protocol ID (1 octet) - If this notification concerns an existing SA whose SPI is given in the SPI field, this field indicates the type of that SA. For notifications concerning Child SAs, this field MUST contain either (2) to indicate AH or (3) to indicate ESP. Of the notifications defined in this document, the SPI is included only with INVALID_SELECTORS, REKEY_SA, and CHILD_SA_NOT_FOUND. If the SPI field is empty, this field MUST be sent as zero and MUST be ignored on receipt.
- SPI Size (1 octet) - Length in octets of the SPI as defined by the IPsec protocol ID, or zero if no SPI is applicable. For a notification concerning the IKE SA, the SPI Size MUST be zero and the field must be empty.
- Notify Message Type (2 octets) - Specifies the type of notification message.
- SPI (variable length) - Security Parameter Index.
- Notification Data (variable length) - Status or error data transmitted in addition to the Notify Message Type. Values for this field are type specific (see below).
The payload type for the Notify payload is forty-one (41).
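The field layout and rules above translate directly into a small parser and serializer. The following Python is an added example, not code from the RFC or any IKEv2 implementation; it assumes nothing beyond what this section states (an 8-octet fixed header, the C bit as the high bit of the flags octet, Protocol ID 2 for AH and 3 for ESP, and Protocol ID ignored on receipt when the SPI field is empty). The sample payload it builds (an INVALID_SELECTORS notification with a constructed ESP SPI and a few bytes of offending packet) is made up for illustration.

```python
import struct
from dataclasses import dataclass

# Constants taken from this section; the 4-octet SPI used in the sample is the
# AH/ESP SPI length from the IPsec protocol definitions.
NOTIFY_PAYLOAD_TYPE = 41
PROTO_NONE, PROTO_AH, PROTO_ESP = 0, 2, 3
NOTIFY_HEADER_LEN = 8  # generic payload header (4) + Protocol ID, SPI Size, Notify Message Type (4)
# The only Notify types on this page that carry an SPI (assumption: later RFCs may add more).
SPI_BEARING_TYPES = {39: "INVALID_SELECTORS", 44: "CHILD_SA_NOT_FOUND", 16393: "REKEY_SA"}


@dataclass
class NotifyPayload:
    next_payload: int
    critical: bool
    protocol_id: int
    notify_type: int
    spi: bytes
    data: bytes

    @property
    def length(self) -> int:
        """Payload Length as it would appear on the wire."""
        return NOTIFY_HEADER_LEN + len(self.spi) + len(self.data)


def parse_notify(buf: bytes) -> NotifyPayload:
    """Parse one Notify payload starting at buf[0]; raise ValueError on malformed input.

    Structural checks follow this section: the SPI must fit inside Payload Length,
    a Protocol ID sent with an empty SPI is ignored, and a non-empty SPI must name
    AH or ESP.
    """
    if len(buf) < NOTIFY_HEADER_LEN:
        raise ValueError("truncated Notify payload: fewer than 8 octets")
    next_payload, flags, length, proto, spi_size, ntype = struct.unpack(
        "!BBHBBH", buf[:NOTIFY_HEADER_LEN])
    critical = bool(flags & 0x80)  # C bit; the 7 RESERVED bits are ignored on receipt
    if length < NOTIFY_HEADER_LEN or length > len(buf):
        raise ValueError(f"bad Payload Length {length} with {len(buf)} octets available")
    if NOTIFY_HEADER_LEN + spi_size > length:
        raise ValueError(f"SPI Size {spi_size} does not fit in Payload Length {length}")
    if spi_size == 0:
        proto = PROTO_NONE  # MUST be ignored on receipt when the SPI field is empty
    elif proto not in (PROTO_AH, PROTO_ESP):
        raise ValueError(f"Protocol ID {proto} is neither AH (2) nor ESP (3)")
    spi = buf[NOTIFY_HEADER_LEN:NOTIFY_HEADER_LEN + spi_size]
    data = buf[NOTIFY_HEADER_LEN + spi_size:length]
    return NotifyPayload(next_payload, critical, proto, ntype, spi, data)


def build_notify(notify_type: int, data: bytes = b"", *, spi: bytes = b"",
                 protocol_id: int = PROTO_NONE, next_payload: int = 0,
                 critical: bool = False) -> bytes:
    """Serialize a Notify payload, enforcing the SPI / Protocol ID rules from this section."""
    if spi and protocol_id not in (PROTO_AH, PROTO_ESP):
        raise ValueError("a notification carrying an SPI must name AH (2) or ESP (3)")
    if not spi:
        protocol_id = PROTO_NONE  # MUST be sent as zero when there is no SPI
    if len(spi) > 0xFF:
        raise ValueError("SPI Size is a single octet")
    length = NOTIFY_HEADER_LEN + len(spi) + len(data)
    if length > 0xFFFF:
        raise ValueError("Payload Length is two octets")
    flags = 0x80 if critical else 0
    return struct.pack("!BBHBBH", next_payload, flags, length,
                       protocol_id, len(spi), notify_type) + spi + data


if __name__ == "__main__":
    # Constructed sample: INVALID_SELECTORS (39) for an ESP Child SA with SPI 0x00001234,
    # carrying the first four octets of the (made-up) offending IPv4 packet.
    raw = build_notify(39, bytes.fromhex("45000054"),
                       spi=bytes.fromhex("00001234"), protocol_id=PROTO_ESP)
    print(raw.hex())          # 0000001003040027 00001234 45000054 (without spaces)
    print(parse_notify(raw))
```

The parser deliberately rejects an SPI Size that runs past Payload Length before slicing, which is the check a fuzzer would exercise first; the Protocol ID with an empty SPI is silently zeroed rather than rejected, as the section requires.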
3.10.1. Notify Message Types
Notification information can be error messages specifying why an SA could not be established. It can also be status data that a process managing an SA database wishes to communicate with a peer process.
The table below lists the notification messages and their corresponding values. The number of different error statuses was greatly reduced from IKEv1 both for simplification and to avoid giving configuration information to probers.
Types in the range 0 - 16383 are intended for reporting errors. An implementation receiving a Notify payload with one of these types that it does not recognize in a response MUST assume that the corresponding request has failed entirely. Unrecognized error types in a request and status types in a request or response MUST be ignored, and they should be logged.
Notify payloads with status types MAY be added to any message and MUST be ignored if not recognized. They are intended to indicate capabilities, and as part of SA negotiation, are used to negotiate non-cryptographic parameters.
More information on error handling can be found in Section 2.21.
The values in the following table are only current as of the publication date of RFC 4306, plus two error types added in this document. Other values may have been added since then or will be added after the publication of this document. Readers should refer to [IKEV2IANA] for the latest values.
| NOTIFY messages: error types | Value | Description |
|---|---|---|
| UNSUPPORTED_CRITICAL_PAYLOAD | 1 | See Section 2.5. |
| INVALID_IKE_SPI | 4 | See Section 2.21. |
| INVALID_MAJOR_VERSION | 5 | See Section 2.5. |
| INVALID_SYNTAX | 7 | Indicates the IKE message that was received was invalid because some type, length, or value was out of range or because the request was rejected for policy reasons. To avoid a DoS attack using forged messages, this status may only be returned for and in an encrypted packet if the Message ID and cryptographic checksum were valid. To avoid leaking information to someone probing a node, this status MUST be sent in response to any error not covered by one of the other status types. To aid debugging, more detailed error information should be written to a console or log. |
| INVALID_MESSAGE_ID | 9 | See Section 2.3. |
| INVALID_SPI | 11 | See Section 1.5. |
| NO_PROPOSAL_CHOSEN | 14 | None of the proposed crypto suites was acceptable. This can be sent in any case where the offered proposals (including but not limited to SA payload values, USE_TRANSPORT_MODE notify, IPCOMP_SUPPORTED notify) are not acceptable for the responder. This can also be used as a "generic" Child SA error when the Child SA cannot be created for some other reason. See also Section 2.7. |
| INVALID_KE_PAYLOAD | 17 | See Sections 1.2 and 1.3. |
| AUTHENTICATION_FAILED | 24 | Sent in the response to an IKE_AUTH message when, for some reason, the authentication failed. There is no associated data. See also Section 2.21.2. |
| SINGLE_PAIR_REQUIRED | 34 | See Section 2.9. |
| NO_ADDITIONAL_SAS | 35 | See Section 1.3. |
| INTERNAL_ADDRESS_FAILURE | 36 | See Section 3.15.4. |
| FAILED_CP_REQUIRED | 37 | See Section 2.19. |
| TS_UNACCEPTABLE | 38 | See Section 2.9. |
| INVALID_SELECTORS | 39 | MAY be sent in an IKE INFORMATIONAL exchange when a node receives an ESP or AH packet whose selectors do not match those of the SA on which it was delivered (and that caused the packet to be dropped). The Notification Data contains the start of the offending packet (as in ICMP messages) and the SPI field of the notification is set to match the SPI of the Child SA. |
| TEMPORARY_FAILURE | 43 | See Section 2.25. |
| CHILD_SA_NOT_FOUND | 44 | See Section 2.25. |
| NOTIFY messages: status types | Value | Description |
|---|---|---|
| INITIAL_CONTACT | 16384 | See Section 2.4. |
| SET_WINDOW_SIZE | 16385 | See Section 2.3. |
| ADDITIONAL_TS_POSSIBLE | 16386 | See Section 2.9. |
| IPCOMP_SUPPORTED | 16387 | See Section 2.22. |
| NAT_DETECTION_SOURCE_IP | 16388 | See Section 2.23. |
| NAT_DETECTION_DESTINATION_IP | 16389 | See Section 2.23. |
| COOKIE | 16390 | See Section 2.6. |
| USE_TRANSPORT_MODE | 16391 | See Section 1.3.1. |
| HTTP_CERT_LOOKUP_SUPPORTED | 16392 | See Section 3.6. |
| REKEY_SA | 16393 | See Section 1.3.3. |
| ESP_TFC_PADDING_NOT_SUPPORTED | 16394 | See Section 1.3.1. |
| NON_FIRST_FRAGMENTS_ALSO | 16395 | See Section 1.3.1. |