IETF Logo Mail Archive

[IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX

Tero Kivinen <kivinen@iki.fi> Sat, 22 June 2019 10:03 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46FE7120048 for <ipsec@ietfa.amsl.com>; Sat, 22 Jun 2019 03:03:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSB5e2Cr6_OG for <ipsec@ietfa.amsl.com>; Sat, 22 Jun 2019 03:03:49 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9D2012006F for <ipsec@ietf.org>; Sat, 22 Jun 2019 03:03:48 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x5MA3kYA010233 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 22 Jun 2019 13:03:46 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x5MA3k5f020157; Sat, 22 Jun 2019 13:03:46 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23821.64770.290809.680244@fireball.acr.fi>
Date: Sat, 22 Jun 2019 13:03:46 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1906200940420.9218@bofh.nohats.ca>
References: <alpine.LRH.2.21.1906200940420.9218@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 7 min
X-Total-Time: 7 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/PaMJ8DfX_LHyRsTEeKpAaI18HGI>
Subject: [IPsec] NO_PROPOSAL_CHOSEN vs INVALID_SYNTAX
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jun 2019 10:03:51 -0000

Paul Wouters writes:
> NO_PROPOSAL_CHOSEN can be interpreted as "no proposal from the IKE/IPsec
> proposal list matches due to all proposals having at least one mismatching
> transform" versus "no matching ike connection for your IKE proposal"
> where proposal refers to the entire IKE proposal, not the proposals
> list with transforms.

Note, that this includes cases where the list of acceptable proposals
is EMPTY because you do not allow any connections from that host. 

> INVALID_SYNTAX can be interpreted as "malformed packet" but the RFC text
> uses this as the "if all other errors dont match, use this one" so you
> can end up returning this even if there is no invalid syntax at all.

If both implementations work correctly you should NEVER send
INVALID_SYNTAX error. That always means there is programming error in
one of the implementations. 

> So if your IPsec gateway only has static IP based VPNs and an unknown IP
> connects, some feel NO_PROPOSAL_CHOSEN conveys that, while technically,
> even though there is no invalid syntax in that proposal, the RFC states
> we should return INVALID_SYNTAX.

Correct error code is NO_PROPOSAL_CHOSEN as you use unknown IP to do
policy lookup, find empty list of acceptable proposals to match
against what other end sent, and of course empty list does not match,
so you do not have any proposal that matches, meaning you return
NO_PROPOSAL_CHOSEN.

> Similarly, if during IKE_AUTH you are finding out there is no IPsec
> configuration that matches the incoming client, there is no "proposal
> list" to compare, so while NO_PROPOSAL_CHOSEN feels a more natural
> match, should we really return INVALID_SYNTAX despite there being no
> syntax problem? That is what the RFC says.

In that case you do have proposal list, but that list is empty. And
empty list does not match and you return NO_PROPOSAL_CHOSEN. 

> I guess in the end, we are really missing a "CONNECTION_REJECTED"
> notify that would cover all the things not covered in the more specific
> notifies.

We discussed this, but decided that we want to keep error codes
limited, not to leak out information what is wrong in the
configuration. So you get same NO_PROPOSAL_CHOSEN error notification
regardless whether your algorithm list does not match, or whether the
ip is unknown, or whether the identity of the other end is unknown. 

> What do other implementations do? Should we clarify this anywhere?

Use NO_PROPOSAL_CHOSEN every time if there is something that could be
fixed by changing configuration in implementations. Use INVALID_SYNTAX
if error is something that is against RFC, and even if configuration
is changed you can never accept such message ever. For example if
whole SA payload is missing you send INVALID_SYNTAX, if some mandatory
transform types are missing that is NO_PROPOSAL_CHOSEN. 

> libreswan was using NO_PROPOSAL_CHOSEN for most of these, but is now
> slated to be more strict to the RFC and use INVALID_SYNTAX. (and
> clearly, I'm not happy about it but it seems the RFC dictates this)

No, the RFC does not dictate that.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email