authorHakan Olsson <ho@cvs.openbsd.org>2004-06-20 15:20:08 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2004-06-20 15:20:08 +0000
commitdce4168d7b1745fda1db84e6b445d6e2141503cf (patch)
treeb495fa37143cca64ef7b87e8968ae2e5e810d55f
parent7eae99d8d182ff2614e5ec769d2cbea4b8552c0a (diff)
A start towards Dead Peer Detection (DPD) support, as specified in RFC 3706
-rw-r--r--sbin/isakmpd/dpd.c354
-rw-r--r--sbin/isakmpd/dpd.h42
-rw-r--r--sbin/isakmpd/exchange.c19
-rw-r--r--sbin/isakmpd/features/dpd27
-rw-r--r--sbin/isakmpd/isakmp_num.cst20
-rw-r--r--sbin/isakmpd/sa.h12
6 files changed, 461 insertions, 13 deletions
diff --git a/sbin/isakmpd/dpd.c b/sbin/isakmpd/dpd.c
new file mode 100644
index 00000000000..6cc52ac17e7
--- /dev/null
+++ b/sbin/isakmpd/dpd.c
@@ -0,0 +1,354 @@
+/* $OpenBSD: dpd.c,v 1.1 2004/06/20 15:20:06 ho Exp $ */
+
+/*
+ * Copyright (c) 2004 Håkan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <stdlib.h>
+
+#include "sysdep.h"
+
+#include "dpd.h"
+#include "exchange.h"
+#include "ipsec.h"
+#include "isakmp_fld.h"
+#include "log.h"
+#include "message.h"
+#include "sa.h"
+#include "timer.h"
+#include "util.h"
+
+/* From RFC 3706. */
+#define DPD_MAJOR 0x01
+#define DPD_MINOR 0x00
+#define DPD_SEQNO_SZ 4
+
+static const char dpd_vendor_id[] = {
+ 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, /* RFC 3706 */
+ 0xC9, 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57,
+ DPD_MAJOR,
+ DPD_MINOR
+};
+
+int16_t script_dpd[] = {
+ ISAKMP_PAYLOAD_NOTIFY, /* Initiator -> responder. */
+ ISAKMP_PAYLOAD_HASH,
+ EXCHANGE_SCRIPT_SWITCH,
+ ISAKMP_PAYLOAD_NOTIFY, /* Responder -> initiator. */
+ ISAKMP_PAYLOAD_HASH,
+ EXCHANGE_SCRIPT_END
+};
+
+static int dpd_initiator_send_notify(struct message *);
+static int dpd_initiator_recv_ack(struct message *);
+static int dpd_responder_recv_notify(struct message *);
+static int dpd_responder_send_ack(struct message *);
+static void dpd_event(void *);
+
+int (*isakmp_dpd_initiator[])(struct message *) = {
+ dpd_initiator_send_notify,
+ dpd_initiator_recv_ack
+};
+
+int (*isakmp_dpd_responder[])(struct message *) = {
+ dpd_responder_recv_notify,
+ dpd_responder_send_ack
+};
+
+/* Add the DPD VENDOR ID payload. */
+int
+dpd_add_vendor_payload(struct message *msg)
+{
+ u_int8_t *buf;
+ size_t buflen = sizeof dpd_vendor_id + ISAKMP_GEN_SZ;
+
+ buf = malloc(buflen);
+ if (!buf) {
+ log_error("dpd_add_vendor_payload: malloc(%lu) failed",
+ (unsigned long)buflen);
+ return -1;
+ }
+
+ SET_ISAKMP_GEN_LENGTH(buf, buflen);
+ memcpy(buf + ISAKMP_VENDOR_ID_OFF, dpd_vendor_id,
+ sizeof dpd_vendor_id);
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) {
+ free(buf);
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Check an incoming message for DPD capability markers.
+ */
+void
+dpd_check_vendor_payload(struct message *msg, struct payload *p)
+{
+ u_int8_t *pbuf = p->p;
+ size_t vlen;
+
+ /* Already checked? */
+ if (msg->exchange->flags & EXCHANGE_FLAG_DPD_CAP_PEER) {
+ /* Just mark it as handled and return. */
+ p->flags |= PL_MARK;
+ return;
+ }
+
+ vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
+ if (vlen != sizeof dpd_vendor_id) {
+ LOG_DBG((LOG_EXCHANGE, 90,
+ "dpd_check_vendor_payload: bad size %d != %d", vlen,
+ sizeof dpd_vendor_id));
+ return;
+ }
+
+ if (memcmp(dpd_vendor_id, pbuf + ISAKMP_GEN_SZ, vlen) == 0) {
+ /* This peer is DPD capable. */
+ msg->exchange->flags |= EXCHANGE_FLAG_DPD_CAP_PEER;
+ LOG_DBG((LOG_EXCHANGE, 10, "dpd_check_vendor_payload: "
+ "DPD capable peer detected"));
+ p->flags |= PL_MARK;
+ return;
+ }
+
+ return;
+}
+
+static int
+dpd_add_notify(struct message *msg, u_int16_t type, u_int32_t seqno)
+{
+ struct sa *isakmp_sa = msg->isakmp_sa;
+ char *buf;
+ u_int32_t buflen;
+
+ if (!isakmp_sa) {
+ log_print("dpd_add_notify: no isakmp_sa");
+ return -1;
+ }
+
+ buflen = ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN + DPD_SEQNO_SZ;
+ buf = malloc(buflen);
+ if (!buf) {
+ log_error("dpd_add_notify: malloc(%d) failed",
+ ISAKMP_NOTIFY_SZ + DPD_SEQNO_SZ);
+ return -1;
+ }
+
+ SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC);
+ SET_ISAKMP_NOTIFY_PROTO(buf, ISAKMP_PROTO_ISAKMP);
+ SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN);
+ SET_ISAKMP_NOTIFY_MSG_TYPE(buf, type);
+ memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, isakmp_sa->cookies,
+ ISAKMP_HDR_COOKIES_LEN);
+
+ memcpy(buf + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &seqno,
+ sizeof (u_int32_t));
+
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY, buf, buflen, 1)) {
+ free(buf);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int
+dpd_initiator_send_notify(struct message *msg)
+{
+ if (!msg->isakmp_sa) {
+ log_print("dpd_initiator_send_notify: no isakmp_sa");
+ return -1;
+ }
+
+ if (msg->isakmp_sa->dpd_seq == 0) {
+ /* RFC 3706: first seq# should be random, with MSB zero. */
+ getrandom((u_int8_t *)&msg->isakmp_sa->seq,
+ sizeof msg->isakmp_sa->seq);
+ msg->isakmp_sa->dpd_seq &= 0x7FFF;
+ } else
+ msg->isakmp_sa->dpd_seq++;
+
+ return dpd_add_notify(msg, ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE,
+ msg->isakmp_sa->dpd_seq);
+}
+
+static int
+dpd_initiator_recv_ack(struct message *msg)
+{
+ struct payload *p =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]);
+ struct sa *isakmp_sa = msg->isakmp_sa;
+ struct timeval tv;
+ u_int32_t rseq;
+
+ if (msg->exchange->phase != 2) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1,
+ 0);
+ return -1;
+ }
+
+ if (GET_ISAKMP_NOTIFY_MSG_TYPE(p->p)
+ != ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK) {
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ return -1;
+ }
+
+ /* Presumably, we've been through message_validate_notify(). */
+
+ /* Validate the SPI. Perhaps move to message_validate_notify(). */
+ if (memcmp(p->p + ISAKMP_NOTIFY_SPI_OFF, isakmp_sa->cookies,
+ ISAKMP_HDR_COOKIES_LEN) != 0) {
+ log_print("dpd_initiator_recv_ack: bad cookies");
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_SPI, 0, 1, 0);
+ return -1;
+ }
+
+ /* Check the seqno. */
+ memcpy(p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &rseq,
+ sizeof rseq);
+ rseq = ntohl(rseq);
+
+ if (isakmp_sa->seq != rseq) {
+ log_print("dpd_initiator_recv_ack: bad seqno %u, expected %u",
+ rseq, isakmp_sa->seq);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ return -1;
+ }
+
+ /* Peer is alive. Reset timer. */
+ gettimeofday(&tv, 0);
+ tv.tv_sec += DPD_DEFAULT_WORRY_METRIC; /* XXX Configurable */
+
+ isakmp_sa->dpd_nextev = timer_add_event("dpd_event", dpd_event,
+ isakmp_sa, &tv);
+ if (!isakmp_sa->dpd_nextev)
+ log_print("dpd_initiator_recv_ack: timer_add_event "
+ "failed");
+ else
+ sa_reference(isakmp_sa);
+
+ /* Mark handled. */
+ p->flags |= PL_MARK;
+
+ return 0;
+}
+
+static int
+dpd_responder_recv_notify(struct message *msg)
+{
+ struct payload *p =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]);
+ struct sa *isakmp_sa = msg->isakmp_sa;
+ struct timeval tv;
+ u_int32_t rseq;
+
+ if (msg->exchange->phase != 2) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1,
+ 0);
+ return -1;
+ }
+
+ if (GET_ISAKMP_NOTIFY_MSG_TYPE(p->p) !=
+ ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE) {
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ return -1;
+ }
+
+ /* Presumably, we've gone through message_validate_notify(). */
+ /* XXX */
+
+ /* Validate the SPI. Perhaps move to message_validate_notify(). */
+ if (memcmp(p->p + ISAKMP_NOTIFY_SPI_OFF, isakmp_sa->cookies,
+ ISAKMP_HDR_COOKIES_LEN) != 0) {
+ log_print("dpd_initiator_recv_notify: bad cookies");
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_SPI, 0, 1, 0);
+ return -1;
+ }
+
+ /* Get the seqno. */
+ memcpy(p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &rseq,
+ sizeof rseq);
+ rseq = ntohl(rseq);
+
+ /* Check increasing seqno. */
+ if (rseq <= isakmp_sa->dpd_rseq) {
+ log_print("dpd_initiator_recv_notify: bad seqno (%u <= %u)",
+ rseq, isakmp_sa->dpd_rseq);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ return -1;
+ }
+ isakmp_sa->dpd_rseq = rseq;
+
+ /*
+ * Ok, now we know the peer is alive, in case we're wondering.
+ * If so, reset timers, etc... here.
+ */
+ if (isakmp_sa->dpd_nextev) {
+ timer_remove_event(isakmp_sa->dpd_nextev);
+ sa_release(isakmp_sa);
+
+ gettimeofday(&tv, 0);
+ tv.tv_sec += DPD_DEFAULT_WORRY_METRIC; /* XXX Configurable */
+
+ isakmp_sa->dpd_nextev = timer_add_event("dpd_event", dpd_event,
+ isakmp_sa, &tv);
+ if (!isakmp_sa->dpd_nextev)
+ log_print("dpd_responder_recv_notify: timer_add_event "
+ "failed");
+ else
+ sa_reference(isakmp_sa);
+ }
+
+ /* Mark handled. */
+ p->flags |= PL_MARK;
+
+ return 0;
+}
+
+static int
+dpd_responder_send_ack(struct message *msg)
+{
+ if (!msg->isakmp_sa)
+ return -1;
+
+ return dpd_add_notify(msg, ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK,
+ msg->isakmp_sa->dpd_rseq);
+}
+
+static void
+dpd_event(void *v_sa)
+{
+ struct sa *sa = v_sa;
+
+ sa->dpd_nextev = 0;
+ sa_release(sa);
+
+ if ((sa->flags & SA_FLAG_DPD) == 0)
+ return;
+
+ /* Create a new DPD exchange. XXX */
+}
+
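Review bot: The sequence-number reads in dpd_initiator_recv_ack and dpd_responder_recv_notify copy in the wrong direction — `memcpy(p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &rseq, sizeof rseq)` writes the uninitialized local `rseq` into the received payload, so the following `ntohl(rseq)` and the `!=` / `<=` comparisons run on garbage and the monotonic-sequence check RFC 3706 relies on against replayed R-U-THERE messages is not actually enforced. Related inconsistencies in the same file: dpd_add_notify copies `seqno` in host byte order while both receivers apply `ntohl`; dpd_initiator_send_notify seeds the random start into `isakmp_sa->seq` (an unrelated existing SA field, as far as this diff shows) and masks `dpd_seq` with `0x7FFF`, whereas the RFC asks for a 32-bit value with only the high bit clear (`0x7FFFFFFF`); and dpd_initiator_recv_ack then compares against `isakmp_sa->seq` instead of `dpd_seq`. Both receivers also dereference `p` (TAILQ_FIRST of the NOTIFY list) before checking it, which is only safe if the exchange script's payload validation guarantees a NOTIFY payload is present — if it does not, add `if (!p) { message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); return -1; }`. Unlike the responder path, dpd_initiator_recv_ack also installs a new timer without first calling `timer_remove_event`/`sa_release` on an existing `dpd_nextev`, so a pending timer and its SA reference leak on each ack. Rewritten lines for the first two points follow; everything else in the hunk is unchanged.
```c
/* dpd_add_notify: … unchanged up to the seqno copy … */
	seqno = htonl(seqno);	/* RFC 3706: seqno travels in network byte order. */
	memcpy(buf + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &seqno,
	    sizeof seqno);

/* dpd_initiator_send_notify: … unchanged except the seeding block … */
	if (msg->isakmp_sa->dpd_seq == 0) {
		/* RFC 3706: first seq# should be random, with MSB zero. */
		getrandom((u_int8_t *)&msg->isakmp_sa->dpd_seq,
		    sizeof msg->isakmp_sa->dpd_seq);
		msg->isakmp_sa->dpd_seq &= 0x7FFFFFFF;
	}

/* dpd_initiator_recv_ack: … unchanged up to the seqno check … */
	memcpy(&rseq, p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN,
	    sizeof rseq);
	rseq = ntohl(rseq);
	if (isakmp_sa->dpd_seq != rseq) {
		log_print("dpd_initiator_recv_ack: bad seqno %u, expected %u",
		    rseq, isakmp_sa->dpd_seq);

/* dpd_responder_recv_notify: … unchanged up to the seqno read … */
	memcpy(&rseq, p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN,
	    sizeof rseq);
```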
diff --git a/sbin/isakmpd/dpd.h b/sbin/isakmpd/dpd.h
new file mode 100644
index 00000000000..6b6f1210deb
--- /dev/null
+++ b/sbin/isakmpd/dpd.h
@@ -0,0 +1,42 @@
+/* $OpenBSD: dpd.h,v 1.1 2004/06/20 15:20:06 ho Exp $ */
+
+/*
+ * Copyright (c) 2004 Håkan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _DPD_H_
+#define _DPD_H_
+
+#define DPD_DEFAULT_WORRY_METRIC 300 /* seconds */
+
+struct message;
+struct payload;
+
+int dpd_add_vendor_payload(struct message *);
+void dpd_check_vendor_payload(struct message *, struct payload *);
+
+extern int (*isakmp_dpd_initiator[])(struct message *);
+extern int (*isakmp_dpd_responder[])(struct message *);
+extern int16_t script_dpd[];
+
+#endif /* _DPD_H_ */
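Review bot: dpd.h declares `extern int16_t script_dpd[];` but includes nothing that defines int16_t, so it compiles only when the includer has already pulled in <sys/types.h> (dpd.c happens to, exchange.c presumably via sysdep.h); either add `#include <sys/types.h>` to the header or note the ordering requirement. `#define DPD_DEFAULT_WORRY_METRIC 300` would also benefit from a comment tying it to RFC 3706's "worry metric" — the idle period after which a peer starts probing — since the two call sites in dpd.c still carry `/* XXX Configurable */` and a reader has no other place to learn what the constant means.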
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index 12f5080de82..3e37e670f73 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.96 2004/06/14 09:55:41 ho Exp $ */
+/* $OpenBSD: exchange.c,v 1.97 2004/06/20 15:20:06 ho Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -47,6 +47,9 @@
#include "cookie.h"
#include "crypto.h"
#include "doi.h"
+#ifdef USE_DPD
+#include "dpd.h"
+#endif
#include "exchange.h"
#include "ipsec_num.h"
#include "isakmp.h"
@@ -187,6 +190,10 @@ exchange_script(struct exchange *exchange)
case ISAKMP_EXCH_TRANSACTION:
return script_transaction;
#endif
+#ifdef USE_DPD
+ case ISAKMP_EXCH_DPD:
+ return script_dpd;
+#endif
default:
if (exchange->type >= ISAKMP_EXCH_DOI_MIN &&
exchange->type <= ISAKMP_EXCH_DOI_MAX)
@@ -847,9 +854,10 @@ exchange_establish_p1(struct transport *t, u_int8_t type, u_int32_t doi,
}
msg->exchange = exchange;
- /* Do not create SA for an information or transaction exchange. */
+ /* Do not create SA for an information, transaction or DPD exchange. */
if (exchange->type != ISAKMP_EXCH_INFO
- && exchange->type != ISAKMP_EXCH_TRANSACTION) {
+ && exchange->type != ISAKMP_EXCH_TRANSACTION
+ && exchange->type != ISAKMP_EXCH_DPD) {
/*
* Don't install a transport into this SA as it will be an
* INADDR_ANY address in the local end, which is not good at
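Review bot: The new `exchange->type != ISAKMP_EXCH_DPD` test is outside any `#ifdef USE_DPD`, while the `dpd.h` include and the `script_dpd` case in exchange_script are guarded; it compiles either way because the constant comes from isakmp_num.cst, but a non-DPD build then silently treats exchange type 7 as an SA-less exchange it has no script for. Either guard the condition the same way, or — if a DPD exchange is never established from exchange_establish_p1 (it rides on an existing phase 1 SA, and the phase-2 path below is changed identically) — leave this function untouched and say so in the comment. exchange_establish_p1 begins and ends outside the hunk.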
@@ -955,8 +963,9 @@ exchange_establish_p2(struct sa *isakmp_sa, u_int8_t type, char *name,
* Do not create SA's for informational exchanges.
* XXX How to handle new group mode?
*/
- if (exchange->type != ISAKMP_EXCH_INFO
- && exchange->type != ISAKMP_EXCH_TRANSACTION) {
+ if (exchange->type != ISAKMP_EXCH_INFO &&
+ exchange->type != ISAKMP_EXCH_TRANSACTION &&
+ exchange->type != ISAKMP_EXCH_DPD) {
/* XXX Number of SAs should come from the args structure. */
for (i = 0; i < 1; i++)
if (sa_create(exchange, isakmp_sa->transport)) {
diff --git a/sbin/isakmpd/features/dpd b/sbin/isakmpd/features/dpd
new file mode 100644
index 00000000000..155ce682407
--- /dev/null
+++ b/sbin/isakmpd/features/dpd
@@ -0,0 +1,27 @@
+# $OpenBSD: dpd,v 1.1 2004/06/20 15:20:07 ho Exp $
+
+#
+# Copyright (c) 2004 Håkan Olsson. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+DPD= dpd.c
diff --git a/sbin/isakmpd/isakmp_num.cst b/sbin/isakmpd/isakmp_num.cst
index 5f759a08a1f..24d994abbfa 100644
--- a/sbin/isakmpd/isakmp_num.cst
+++ b/sbin/isakmpd/isakmp_num.cst
@@ -1,4 +1,4 @@
-# $OpenBSD: isakmp_num.cst,v 1.8 2004/04/28 14:40:00 ho Exp $
+# $OpenBSD: isakmp_num.cst,v 1.9 2004/06/20 15:20:07 ho Exp $
# $EOM: isakmp_num.cst,v 1.3 2000/05/17 03:09:50 angelos Exp $
#
@@ -31,8 +31,8 @@
# XXX Please fill in references to the drafts, chapter & verse for each
# constant group below.
-# Also think about ranges, can they be specified diferently? Can we use
-# these constants for vlidity checks?
+# Also think about ranges, can they be specified differently? Can we use
+# these constants for validity checks?
# ISAKMP payload type.
ISAKMP_PAYLOAD
@@ -50,16 +50,19 @@ ISAKMP_PAYLOAD
NOTIFY 11
DELETE 12
VENDOR 13
-# XXX the following is not quite legitimate according to the IETF process
+# XXX the following are not quite legitimate according to the IETF process
ATTRIBUTE 14 # IKE Mode-Config attribute
- RESERVED_MIN 15 # XXX For now
SAK 15 # RFC 3547, SA KEK Payload
SAT 16 # RFC 3547, SA TEK Payload
KD 17 # RFC 3547, Key Download
SEQ 18 # RFC 3547, Sequence Number
POP 19 # RFC 3547, Proof of possession
+ RESERVED_MIN 20
RESERVED_MAX 127
PRIVATE_MIN 128
+# XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify
+# XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC
+# XXX 3547 as seen above.
NAT_D 130 # NAT Discovery payload
NAT_OA 131 # NAT Original Address payload
PRIVATE_MAX 255
@@ -73,9 +76,10 @@ ISAKMP_EXCH
AUTH_ONLY 3
AGGRESSIVE 4
INFO 5
-# XXX the following is not quite legitimate according to the IETF process
+# XXX the following are not quite legitimate according to the IETF process
TRANSACTION 6
- FUTURE_MIN 7
+ DPD 7
+ FUTURE_MIN 8
FUTURE_MAX 31
DOI_MIN 32
DOI_MAX 255
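Review bot: Allocating a dedicated exchange type `DPD 7` places isakmpd's DPD on a value in ISAKMP's reserved-for-future-use range (7–31) that no peer will recognize; as I read RFC 3706, R-U-THERE and R-U-THERE-ACK are ordinary Notify payloads carried in an INFORMATIONAL exchange (type 5) under the phase 1 SA, so a private exchange type would not interoperate with a conforming peer even though the notify status values added in the next hunk (36136/36137) match the RFC. If the type is meant only as an internal marker for exchange_script dispatch, the entry should say so, e.g. `DPD 7 # isakmpd-internal; on the wire DPD uses INFO (RFC 3706)`, and the wire encoding should be confirmed before this is enabled by default.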
@@ -150,6 +154,8 @@ ISAKMP_NOTIFY
STATUS_DOI_MIN 24576
STATUS_DOI_MAX 32767
STATUS_PRIVATE_MIN 32768
+ STATUS_DPD_R_U_THERE 36136
+ STATUS_DPD_R_U_THERE_ACK 36137
STATUS_PRIVATE_MAX 40959
STATUS_RESERVED2_MIN 40960
STATUS_RESERVED2_MAX 65535
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index fdf2323c644..ee3efd00559 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.37 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: sa.h,v 1.38 2004/06/20 15:20:07 ho Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
@@ -203,6 +203,13 @@ struct sa {
/* The events that will occur when an SA has timed out. */
struct event *soft_death;
struct event *death;
+
+#if defined (USE_DPD)
+ /* IKE DPD (RFC3706) message sequence number. */
+ u_int32_t dpd_seq; /* sent */
+ u_int32_t dpd_rseq; /* recieved */
+ struct event *dpd_nextev; /* time of next event */
+#endif
};
/* This SA is alive. */
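Review bot: The DPD fields added to struct sa only work as dpd.c uses them if a freshly created SA has `dpd_seq == 0` and `dpd_nextev == NULL` (dpd.c treats zero as "no DPD exchange started yet" and a non-NULL `dpd_nextev` as a pending timer), which holds only if the allocation zero-fills — something this hunk cannot show, so a comment such as `/* Zeroed at SA creation; dpd_seq == 0 means DPD not started. */` would pin the assumption. Also `recieved` should read `received`, and `dpd_nextev` holds the pending timer event rather than a time, so `/* pending DPD timer event, or NULL */` describes it more accurately. struct sa begins outside the hunk.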
@@ -226,6 +233,9 @@ struct sa {
/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG 0x40
+/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */
+#define SA_FLAG_DPD 0x80
+
extern void proto_free(struct proto * proto);
extern int sa_add_transform(struct sa *, struct payload *, int,
struct proto **);