[IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD

Avishek Ganguly <aganguly@ixiacom.com> Mon, 01 September 2014 04:28 UTC

From: Avishek Ganguly <aganguly@ixiacom.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Mon, 01 Sep 2014 04:28:23 +0000
Message-ID: <f349616c76c3467a95239d459bb4fb01@DM2PR0601MB713.namprd06.prod.outlook.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/I2BcdJzT12Rkol48HO1WDMDxSVU
Cc: Avishek Ganguly <aganguly@ixiacom.com>
Subject: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD

Hello,

I have questions regarding the use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD in the IKE_SA_INIT exchange in RFC 5996 IKEv2.
According to
"Section 3.10.1.  Notify Message Types
NO_PROPOSAL_CHOSEN                       14
      None of the proposed crypto suites was acceptable.  This can be
      sent in any case where the offered proposals (including but not
      limited to SA payload values, USE_TRANSPORT_MODE notify,
      IPCOMP_SUPPORTED notify) are not acceptable for the responder.
"
According to the above statement, it is meant that if the initiator sends a proposal with a Diffie-Hellman group value that is unacceptable to the responder, then the responder must send a NO_PROPOSAL_CHOSEN notification.

But according to
"Section 1.2. The Initial Exchanges
Because the initiator sends its Diffie-Hellman value in the
   IKE_SA_INIT, it must guess the Diffie-Hellman group that the
   responder will select from its list of supported groups.  If the
   initiator guesses wrong, the responder will respond with a Notify
   payload of type INVALID_KE_PAYLOAD indicating the selected group.
"
The INVALID_KE_PAYLOAD description stated above means that the NO_PROPOSAL_CHOSEN case is exclusive of this INVALID_KE_PAYLOAD.

Is this the right interpretation of the above two error types?

Thanks and Regards,
Avishek
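The distinction the question turns on, shown as an added example that is not part of this message and not taken from any IKEv2 implementation: a toy responder that receives the initiator's SA proposals and the group used in its KE payload, then answers either by accepting a proposal, with INVALID_KE_PAYLOAD carrying the selected group, or with NO_PROPOSAL_CHOSEN. The notify numbers are the RFC 5996 Section 3.10.1 values (NO_PROPOSAL_CHOSEN is 14 as quoted above; INVALID_KE_PAYLOAD is 17, which the message does not quote). The Proposal, Policy and Decision types, the cipher names, the sample inputs and the choice to prefer the group the initiator already guessed are assumptions of the example.

```python
"""Toy model of an IKEv2 (RFC 5996) responder deciding how to answer an
IKE_SA_INIT request: accept a proposal, send INVALID_KE_PAYLOAD, or send
NO_PROPOSAL_CHOSEN.  Added example; not from the original message or from any
IKEv2 implementation.  Payload structures are simplified to the fields the
decision needs."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Notify message type numbers from RFC 5996 Section 3.10.1.
NO_PROPOSAL_CHOSEN = 14
INVALID_KE_PAYLOAD = 17

# Diffie-Hellman group numbers (IKEv2 transform type 4): 2 = 1024-bit MODP,
# 14 = 2048-bit MODP, 19 = 256-bit random ECP.
MODP_1024, MODP_2048, ECP_256 = 2, 14, 19


@dataclass(frozen=True)
class Proposal:
    """One proposal from the initiator's SA payload: for each transform type,
    the alternatives offered (a transform type may list several)."""
    encr: frozenset
    prf: frozenset
    integ: frozenset
    dh: Tuple[int, ...]   # DH groups offered, in the initiator's order


@dataclass(frozen=True)
class Policy:
    """What the responder is configured to accept; dh is in preference order."""
    encr: frozenset
    prf: frozenset
    integ: frozenset
    dh: Tuple[int, ...]


@dataclass(frozen=True)
class Decision:
    notify: Optional[int]          # NO_PROPOSAL_CHOSEN, INVALID_KE_PAYLOAD or None
    group: Optional[int]           # selected DH group; also INVALID_KE_PAYLOAD's data
    proposal_index: Optional[int]  # which proposal was accepted (None if none)


def select_proposal(policy, proposals, ke_group):
    """Pick the first proposal in which every transform type has an acceptable
    value, and one DH group within it.  Design choice (an assumption, not text
    from the RFC passages quoted above): prefer the group the initiator already
    used in its KE payload when that group is acceptable, so no retry is needed."""
    for index, p in enumerate(proposals):
        if not (p.encr & policy.encr and p.prf & policy.prf and p.integ & policy.integ):
            continue
        acceptable = [g for g in policy.dh if g in p.dh]
        if not acceptable:
            continue
        group = ke_group if ke_group in acceptable else acceptable[0]
        return index, group
    return None, None


def ike_sa_init_decision(policy, proposals, ke_group):
    """Responder logic: NO_PROPOSAL_CHOSEN when nothing in the SA payload is
    acceptable; INVALID_KE_PAYLOAD (carrying the selected group) when a
    proposal is acceptable but the KE payload used a different group."""
    index, group = select_proposal(policy, proposals, ke_group)
    if index is None:
        return Decision(NO_PROPOSAL_CHOSEN, None, None)
    if group != ke_group:
        return Decision(INVALID_KE_PAYLOAD, group, None)
    return Decision(None, group, index)


# Constructed responder policy (sample configuration, not a real device's).
RESPONDER = Policy(frozenset({"AES_CBC"}), frozenset({"HMAC_SHA2_256"}),
                   frozenset({"HMAC_SHA2_256_128"}), dh=(ECP_256, MODP_2048))


def demo():
    """Run the four cases on constructed proposals (not captured traffic)."""
    aes = Proposal(frozenset({"AES_CBC"}), frozenset({"HMAC_SHA2_256"}),
                   frozenset({"HMAC_SHA2_256_128"}), dh=(MODP_1024, MODP_2048))
    weak = Proposal(frozenset({"3DES"}), frozenset({"HMAC_MD5"}),
                    frozenset({"HMAC_MD5_96"}), dh=(MODP_1024,))
    return {
        # Initiator guessed group 2 but also offered 14: retry with group 14.
        "wrong_guess": ike_sa_init_decision(RESPONDER, [aes], MODP_1024),
        # Initiator guessed an acceptable group: proposal accepted.
        "right_guess": ike_sa_init_decision(RESPONDER, [aes], MODP_2048),
        # Only group 2 offered: no acceptable proposal, whatever the KE group.
        "no_group": ike_sa_init_decision(RESPONDER, [replace(aes, dh=(MODP_1024,))], MODP_1024),
        # Acceptable group but unacceptable ciphers: still nothing to choose.
        "no_cipher": ike_sa_init_decision(RESPONDER, [weak], MODP_1024),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The two notifications answer different questions: NO_PROPOSAL_CHOSEN says the SA payload as a whole contained nothing the responder accepts, while INVALID_KE_PAYLOAD says a proposal was acceptable but the KE payload's group was not the one selected, and the two-octet group number it carries tells the initiator which group to retry with. A responder that answers INVALID_KE_PAYLOAD for a group it would never accept, or NO_PROPOSAL_CHOSEN when an acceptable proposal merely disagreed with the KE guess, breaks the initiator's retry logic in both directions.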