[IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX
Tero Kivinen <kivinen@iki.fi> Sat, 22 June 2019 10:03 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46FE7120048 for <ipsec@ietfa.amsl.com>; Sat, 22 Jun 2019 03:03:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSB5e2Cr6_OG for <ipsec@ietfa.amsl.com>; Sat, 22 Jun 2019 03:03:49 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9D2012006F for <ipsec@ietf.org>; Sat, 22 Jun 2019 03:03:48 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x5MA3kYA010233 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 22 Jun 2019 13:03:46 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x5MA3k5f020157; Sat, 22 Jun 2019 13:03:46 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23821.64770.290809.680244@fireball.acr.fi>
Date: Sat, 22 Jun 2019 13:03:46 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1906200940420.9218@bofh.nohats.ca>
References: <alpine.LRH.2.21.1906200940420.9218@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 7 min
X-Total-Time: 7 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/PaMJ8DfX_LHyRsTEeKpAaI18HGI>
Subject: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jun 2019 10:03:51 -0000
Paul Wouters writes: > NO_PROPOSAL_CHOSEN can be interpreted as "no proposal from the IKE/IPsec > proposal list matches due to all proposals having at least one mismatching > transform" versus "no matching ike connection for your IKE proposal" > where proposal refers to the entire IKE proposal, not the proposals > list with transforms. Note, that this includes cases where the list of acceptable proposals is EMPTY because you do not allow any connections from that host. > INVALID_SYNTAX can be interpreted as "malformed packet" but the RFC text > uses this as the "if all other errors dont match, use this one" so you > can end up returning this even if there is no invalid syntax at all. If both implementations work correctly you should NEVER send INVALID_SYNTAX error. That always means there is programming error in one of the implementations. > So if your IPsec gateway only has static IP based VPNs and an unknown IP > connects, some feel NO_PROPOSAL_CHOSEN conveys that, while technically, > even though there is no invalid syntax in that proposal, the RFC states > we should return INVALID_SYNTAX. Correct error code is NO_PROPOSAL_CHOSEN as you use unknown IP to do policy lookup, find empty list of acceptable proposals to match against what other end sent, and of course empty list does not match, so you do not have any proposal that matches, meaning you return NO_PROPOSAL_CHOSEN. > Similarly, if during IKE_AUTH you are finding out there is no IPsec > configuration that matches the incoming client, there is no "proposal > list" to compare, so while NO_PROPOSAL_CHOSEN feels a more natural > match, should we really return INVALID_SYNTAX despite there being no > syntax problem? That is what the RFC says. In that case you do have proposal list, but that list is empty. And empty list does not match and you return NO_PROPOSAL_CHOSEN. > I guess in the end, we are really missing a "CONNECTION_REJECTED" > notify that would cover all the things not covered in the more specific > notifies. We discussed this, but decided that we want to keep error codes limited, not to leak out information what is wrong in the configuration. So you get same NO_PROPOSAL_CHOSEN error notification regardless whether your algorithm list does not match, or whether the ip is unknown, or whether the identity of the other end is unknown. > What do other implementations do? Should we clarify this anywhere? Use NO_PROPOSAL_CHOSEN every time if there is something that could be fixed by changing configuration in implementations. Use INVALID_SYNTAX if error is something that is against RFC, and even if configuration is changed you can never accept such message ever. For example if whole SA payload is missing you send INVALID_SYNTAX, if some mandatory transform types are missing that is NO_PROPOSAL_CHOSEN. > libreswan was using NO_PROPOSAL_CHOSEN for most of these, but is now > slated to be more strict to the RFC and use INVALID_SYNTAX. (and > clearly, I'm not happy about it but it seems the RFC dictates this) No, the RFC does not dictate that. -- kivinen@iki.fi
- [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Paul Wouters
- Re: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Valery Smyslov
- Re: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Tommy Pauly
- Re: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Michael Richardson
- Re: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Yoav Nir
- [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Tero Kivinen
- Re: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX Paul Wouters