Re: [IPsec] [Editorial Errata Reported] RFC7296 (6940)
Tero Kivinen <kivinen@iki.fi> Sat, 23 April 2022 09:05 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715273A0E69 for <ipsec@ietfa.amsl.com>; Sat, 23 Apr 2022 02:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1y6VTeEAbL1 for <ipsec@ietfa.amsl.com>; Sat, 23 Apr 2022 02:05:44 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 588163A0E16 for <ipsec@ietf.org>; Sat, 23 Apr 2022 02:05:43 -0700 (PDT)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by meesny.iki.fi (Postfix) with ESMTPSA id 4B66D20220; Sat, 23 Apr 2022 12:05:40 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1650704740; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RAzr+joq4MGQrxrypO/1P3eeWJHR895YNr7DR3t4JiY=; b=gos4LKVG5llH3PPk9GGgebclMdLENoavHvTZtu20+CJIurrAjz2BU33oNUz25Db/HscD0f Xakl2v82GehJK6EQPzs9j2UxEEUBxDRxhENUZqqLnvQH+TrCuaAQ12qZXS1wlNghrKC6fP nAD/upElKdFPqM676C8Ycy693Bs3h/g=
Received: by fireball.acr.fi (Postfix, from userid 15204) id D1B0F25C12E5; Sat, 23 Apr 2022 12:05:39 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <25187.49507.645124.522333@fireball.acr.fi>
Date: Sat, 23 Apr 2022 12:05:39 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "\"\\�\\�\\�\\�\\�\\�\\�\\�\\�\"" <648936027@qq.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, charliekaufman <charliekaufman@outlook.com>, "paul.hoffman" <paul.hoffman@vpnc.org>, "nir.ietf" <nir.ietf@gmail.com>, pe <pe@iki.fi>, ipsec <ipsec@ietf.org>
In-Reply-To: <tencent_0F97C6374C173CE8E64FCED2DFFDAA586206@qq.com>
References: <20220421163101.D6ECF1E65D@rfcpa.amsl.com> <25186.24443.897408.821601@fireball.acr.fi> <tencent_0F97C6374C173CE8E64FCED2DFFDAA586206@qq.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 8 min
X-Total-Time: 8 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1650704740; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RAzr+joq4MGQrxrypO/1P3eeWJHR895YNr7DR3t4JiY=; b=BVjFtpSpYmCABiFzAt00oXYQjs/VDm0y+3AH5o3LpcW1A493cwm91hZe48ywT9+NIkQHZ1 yQ5R7LJb4eNZ5qFTp9PsdA2DRuAXnYz/SG36zzwK1zdyWZZWC5ityNJfR045IyeDmAH4Gd 5ckjUDxWFStUjqCkSQZiW8IP4O4GE3c=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1650704740; a=rsa-sha256; cv=none; b=af981bbNKuU+RP/VSQqrMl7kKB47N7CZE+7wGUBRNioT3S8a8He17+ouXwQysO9WXYxgcE 5O0fvLFtZy68GVGAPUjeM+gGcMB/752cBuoeiz1558zlli/NequhBtSds7Ov+5BZRAs20R 2q3D8PuaKHntA7d6GniEvPyA9NrwmjQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/54poQguUpSzGAbAFaWm5vKywSFs>
Subject: Re: [IPsec] [Editorial Errata Reported] RFC7296 (6940)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2022 09:05:50 -0000
黯乡魂 writes:
> If the Protocol ID field of the notification is zero, how to tell it is
> concerning the IKE SA or none of any SA?
We do not have any notifications concerning IKE SA that would require
SPI to be transmitted in the SPI field. As the RFC7296 says:
Of the notifications defined in this document, the SPI is
included only with INVALID_SELECTORS, REKEY_SA, and
CHILD_SA_NOT_FOUND.
and in all those cases the SPI is of SA concerning ESP or AH. The type
of notify will specify whether the notification payload is related to
the IKE SA or something else, and if it is related to the IKE SA the
SPIs can be found from the generic header, and are not repeated inside
the notification payload. I.e., the notifications for IKE SA are
transmitted inside the IKE SA that they belong to.
> I notice that RFC4306 section 3.10 gives a clear description:
>
> "For IKE_SA notifications, this field MUST be one (1). For notifications
> concerning IPsec SAs this field MUST contain either (2) to indicate AH or (3)
> to indicate ESP. For notifications that do not relate to an existing SA, this
> field MUST be sent as zero and MUST be ignored on receipt. All other values
> for this field are reserved to IANA for future assignment. "
This was not clear, and because of this in the RFC4718 (IKEv2
Clarifications and Implementation Guidelines) we had section 7.8 to
clarify this:
7.8. Protocol ID/SPI Fields in Notify Payloads
Section 3.10 says that the Protocol ID field in Notify payloads "For
notifications that do not relate to an existing SA, this field MUST
be sent as zero and MUST be ignored on receipt". However, the
specification does not clearly say which notifications are related to
existing SAs and which are not.
Since the main purpose of the Protocol ID field is to specify the
type of the SPI, our interpretation is that the Protocol ID field
should be non-zero only when the SPI field is non-empty.
There are currently only two notifications where this is the case:
INVALID_SELECTORS and REKEY_SA.
and then when we revised the RFC4306 to RFC5996 and then to RFC7296 we
incorporated this change to the main RFC. The current text is clear,
the protocol id is always zero if the SPI field is empty, the protocol
id only identifies the type of SPI inside the SPI field, the meaning
of the notification payload can be seen from the notify message type
field.
>
> ------------------ Original ------------------
> From: "Tero Kivinen" <kivinen@iki.fi>;
> Date: Fri, Apr 22, 2022 03:55 PM
> To: "RFC Errata System"<rfc-editor@rfc-editor.org>;
> Cc: "黯乡魂"<648936027@qq.com>;"charliekaufman"<charliekaufman@outlook.com>;
> "paul.hoffman"<paul.hoffman@vpnc.org>;"nir.ietf"<nir.ietf@gmail.com>;"pe"
> <pe@iki.fi>;"ipsec"<ipsec@ietf.org>;
> Subject: [Editorial Errata Reported] RFC7296 (6940)
>
> RFC Errata System writes:
> > The following errata report has been submitted for RFC7296,
> > "Internet Key Exchange Protocol Version 2 (IKEv2)".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6940
> >
> > --------------------------------------
> > Type: Editorial
> > Reported by: warren.wang <648936027@qq.com>
> >
> > Section: 3.10
> >
> > Original Text
> > -------------
> > o SPI Size (1 octet) - Length in octets of the SPI as defined by the
> > IPsec protocol ID or zero if no SPI is applicable. For a
> > notification concerning the IKE SA, the SPI Size MUST be zero and
> > the field must be empty.
> >
> >
> > Corrected Text
> > --------------
> > o SPI Size (1 octet) - Length in octets of the SPI as defined by the
> > IPsec protocol ID or zero if no SPI is applicable. For a
> > notification concerning the IKE SA, the SPI Size MUST be zero and
> > the SPI field must be empty.
> >
> >
> > Notes
> > -----
> > the field must be empty -> the SPI field must be empty
>
> This change is correct, and the errata can be verified.
>
> > so for a notification concerning the IKE SA, the Protocol ID field
> > still shall be zero?(According to the last sentence of Protocol ID
> > section:"If the SPI field is empty, this field MUST be sent as zero
> > and MUST be ignored on receipt".)
>
> Yes. For IKE SA notifications the SPI can be seen from the header,
> thus there is no point of repeating the SPIs in notify payload. The
> Protocol ID field of the notification payload indicates which type of
> SPI is inside the notification payload, thus if there is no SPI in
> there, then there is no point of having Protocol ID either.
>
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC7296 (draft-kivinen-ipsecme-ikev2-rfc5996bis-04)
> > --------------------------------------
> > Title : Internet Key Exchange Protocol Version 2 (IKEv2)
> > Publication Date : October 2014
> > Author(s) : C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, T. Kivinen
> > Category : INTERNET STANDARD
> > Source : IP Security Maintenance and Extensions
> > Area : Security
> > Stream : IETF
> > Verifying Party : IESG
>
> --
> kivinen@iki.fi
--
kivinen@iki.fi
- [IPsec] [Editorial Errata Reported] RFC7296 (6940) RFC Errata System
- Re: [IPsec] [Editorial Errata Reported] RFC7296 (… Chris Smiley
- [IPsec] [Editorial Errata Reported] RFC7296 (6940) Tero Kivinen
- Re: [IPsec] [Editorial Errata Reported] RFC7296 (… Tero Kivinen
- [IPsec] 回复:[Editorial Errata Reported] RFC7296 (6… Tero Kivinen