Re: [IPsec] Issue #176: What to do with a proposal of NONE

David Wierbowski <wierbows@us.ibm.com> Mon, 08 March 2010 17:55 UTC

In-Reply-To: <p06240804c7bac6000ac6@[10.20.30.158]>
References: <p06240811c7b8ad8a9912@[10.20.30.158]> <19349.4958.130660.415650@fireball.kivinen.iki.fi> <p06240804c7bac6000ac6@[10.20.30.158]>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <OF1C9B8C8E.54DA023C-ON002576E0.00623226-852576E0.006277EA@us.ibm.com>
From: David Wierbowski <wierbows@us.ibm.com>
Date: Mon, 08 Mar 2010 12:55:32 -0500
Cc: IPsecme WG <ipsec@ietf.org>, ipsec-bounces@ietf.org
Subject: Re: [IPsec] Issue #176: What to do with a proposal of NONE

I agree.


  From:       Paul Hoffman <paul.hoffman@vpnc.org>
  To:         Tero Kivinen <kivinen@iki.fi>
  Cc:         IPsecme WG <ipsec@ietf.org>, Pasi Eronen <Pasi.Eronen@nokia.com>
  Date:       03/08/2010 10:22 AM
  Subject:    Re: [IPsec] Issue #176: What to do with a proposal of NONE
  Sent by:    ipsec-bounces@ietf.org

At 5:10 PM +0200 3/8/10, Tero Kivinen wrote:
>Paul Hoffman writes:
>> <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/176>
>>
>> Pasi says:
>>
>> Section 3.3.6 says "If one of the proposals offered is for the
>> Diffie-Hellman group of NONE, the responder MUST ignore the
>> initiator's KE payload and omit the KE payload from the response."
>>
>> This seems wrong: it seems to say that if the initiator proposes DH
>> group NONE, the responder must select it.
>>
>> However, negotiation of DH groups and KE payload is already well
>> described in Sections 1.2 and 1.3 (paragraphs mentioning
>> INVALID_KE_PAYLOAD), and it seems the last paragraph of 3.3.6 is
>> completely redundant. Thus, I'd propose just deleting the whole
>> paragraph.
>>
>> Paul says:
>>
>> That whole paragraph has been there since -00. Only the last
>> sentence was added in -03 almost a year ago. It was added to fix
>> <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/6>, but I can
>> easily believe that fix was not correct. However, sections 1.2 and
>> 1.3 don't address the issue in the sentence quoted.
>
>The last sentence is the one that is misleading. All of the rest of
>the paragraph is just repetition of the text from elsewhere.
>
>The last sentence should be saying:
>
>                          If one of the proposals offered is for the
>   Diffie-Hellman group of NONE, and the responder selects that
>   Diffie-Hellman group, then it MUST ignore the initiator's KE
>   payload and omit the KE payload from the response.
>
>I.e. the MUST ignore, and omit the KE payload is only applicable if
>responder actually selects the Diffie-Hellman group NONE.

That makes good sense to me, and seems like less of a change to 4306 than
the current wording. Do others agree?

--Paul Hoffman, Director
--VPN Consortium
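As an added illustration (not code from this thread or from any IKEv2 implementation), a small Python model of the responder-side rule in the wording Tero proposes: the initiator's KE payload is ignored, and KE omitted from the response, only when the responder actually selects D-H group NONE; otherwise the ordinary Section 1.2/1.3 group check applies. Proposals are simplified to one D-H transform each, and the acceptable-group set and key data are constructed values.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set

# IKEv2 Diffie-Hellman transform IDs (Transform Type 4); NONE is ID 0.
DH_NONE = 0
DH_MODP_2048 = 14

@dataclass(frozen=True)
class Proposal:
    number: int
    dh_group: int  # simplified: one D-H transform per proposal

@dataclass(frozen=True)
class KEPayload:
    dh_group: int
    key_data: bytes

@dataclass(frozen=True)
class ResponderDecision:
    chosen: Optional[Proposal]        # proposal echoed in the response SA payload
    response_ke: Optional[KEPayload]  # KE payload in the response, if any
    notify: Optional[str]             # error notification instead of an SA, if any

def respond(offered: Sequence[Proposal], initiator_ke: Optional[KEPayload],
            acceptable: Set[int], responder_ke_data: bytes) -> ResponderDecision:
    """D-H handling for an IKE_SA_INIT request, in the corrected 3.3.6 wording.

    The first offered proposal with an acceptable group is selected (initiator's
    order). The initiator's KE payload is ignored and KE is omitted from the
    response only when the *selected* group is NONE.
    """
    chosen = next((p for p in offered if p.dh_group in acceptable), None)
    if chosen is None:
        return ResponderDecision(None, None, "NO_PROPOSAL_CHOSEN")
    if chosen.dh_group == DH_NONE:
        # Selected NONE: no key exchange, whatever KE the initiator sent.
        return ResponderDecision(chosen, None, None)
    if initiator_ke is None or initiator_ke.dh_group != chosen.dh_group:
        # Sections 1.2/1.3: initiator guessed the wrong group; name the selected
        # one so it can retry with a matching KE payload.
        return ResponderDecision(None, None, f"INVALID_KE_PAYLOAD({chosen.dh_group})")
    return ResponderDecision(chosen, KEPayload(chosen.dh_group, responder_ke_data), None)

# Constructed scenario from the ticket: MODP-2048 and NONE offered, KE sent for
# MODP-2048. Accepting MODP-2048 must not force the responder to pick NONE.
OFFERED = (Proposal(1, DH_MODP_2048), Proposal(2, DH_NONE))
INITIATOR_KE = KEPayload(DH_MODP_2048, b"<initiator public value, constructed>")
```

Under the misreading Pasi flagged, the first scenario would force the responder onto NONE merely because NONE was offered; here it only lands on NONE when that is the group it selects.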