Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD

Yoav Nir <ynir.ietf@gmail.com> Mon, 01 September 2014 09:17 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <63f489b81d784a368106e901e5d62abb@DM2PR0601MB713.namprd06.prod.outlook.com>
Date: Mon, 01 Sep 2014 12:17:00 +0300
Message-Id: <8EE786E7-5AFE-4224-91CB-0029ABB1735A@gmail.com>
References: <f349616c76c3467a95239d459bb4fb01@DM2PR0601MB713.namprd06.prod.outlook.com> <583C5D54-E70D-42AE-845C-79CF5CB8F71F@gmail.com> <63f489b81d784a368106e901e5d62abb@DM2PR0601MB713.namprd06.prod.outlook.com>
To: Avishek Ganguly <aganguly@ixiacom.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/aUT4DKupdpqhHnmzZFbSb3CtnPI
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD

On Sep 1, 2014, at 12:01 PM, Avishek Ganguly <aganguly@ixiacom.com> wrote:

> Thanks Yoav for your explanation.
>  
> > English is not my first language, so I’m not sure what “exclusive” means below, but I hope I can clarify anyway.
>  
> By exclusive I mean that NO_PROPOSAL_CHOSEN is an error that is not generated because of any DH group mismatch in the KE payload.
>  
>  
> So it seems that INVALID_KE_PAYLOAD is an error that should be generated during the CREATE_CHILD_SA exchange, and NO_PROPOSAL_CHOSEN is appropriate for IKE_SA_INIT, because before IKE_SA_INIT the responder does not know which groups the initiator supports. When the responder gets an IKE_SA_INIT with an invalid DH group, it should assume that there are some configuration issues on the initiator's side.
>  

No. Both are appropriate in both exchanges.

Both CCSA and IKE_SA_INIT have SA payloads and KE payloads. Since there is no requirement that the new (rekeyed) IKE SA have the same algorithms and groups as the old IKE SA, the proposals may be different.

Regardless of whether we are creating a new authenticated IKE SA, a Child SA with PFS or a rekeyed IKE SA, you could have an empty intersection of group sets (leading to a NO_PROPOSAL_CHOSEN) or a wrong choice of group in the KE payload (leading to INVALID_KE_PAYLOAD).
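The two-step responder decision described in this reply, as an added example in Python (not code from this thread, the RFC, or any IKEv2 implementation): the SA payload is matched first, and only if some proposal contains a group the responder accepts does the KE payload get checked. Proposals are reduced to the set of Diffie-Hellman groups (Transform Type 4) they offer; encryption, integrity and PRF transforms are left out. The policy of accepting the KE group whenever it is offered and acceptable (to save a round trip) is this example's choice, not an RFC requirement. The notify type numbers 14 and 17 and the group identifiers 2, 14, 19 and 20 are the IANA values; the sample proposals are constructed.

```python
"""Responder-side DH group negotiation for IKE_SA_INIT and CREATE_CHILD_SA.

Simplified model (added example): each proposal is reduced to the set of
Diffie-Hellman group numbers it offers; other transform types are not modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# IKEv2 notify message types (RFC 5996 section 3.10.1).
NO_PROPOSAL_CHOSEN = 14
INVALID_KE_PAYLOAD = 17

# A few IANA Transform Type 4 (Diffie-Hellman group) identifiers.
MODP_1024 = 2
MODP_2048 = 14
ECP_256 = 19
ECP_384 = 20


@dataclass(frozen=True)
class Outcome:
    notify: Optional[int]    # None on success, otherwise the notify type sent back
    group: Optional[int]     # group accepted, or the group suggested in INVALID_KE_PAYLOAD
    proposal: Optional[int]  # 0-based index of the accepted proposal; None if none accepted yet


def select_group(initiator_proposals: Sequence[FrozenSet[int]], ke_group: int,
                 responder_groups: Sequence[int]) -> Outcome:
    """Decide how a responder answers an SA payload plus KE payload.

    initiator_proposals: per-proposal sets of offered DH groups, in the
                         initiator's order of preference.
    ke_group:            the group of the KE payload the initiator actually sent.
    responder_groups:    groups the responder accepts, most preferred first.

    The same decision applies whether this is IKE_SA_INIT, a CREATE_CHILD_SA
    with PFS, or an IKE SA rekey: SA payload first, KE payload second.
    """
    acceptable = set(responder_groups)

    # Step 1, SA payload: keep proposals sharing at least one group with us.
    # An empty intersection across all proposals means NO_PROPOSAL_CHOSEN.
    candidates = [(i, p & acceptable)
                  for i, p in enumerate(initiator_proposals) if p & acceptable]
    if not candidates:
        return Outcome(NO_PROPOSAL_CHOSEN, None, None)

    # Step 2, KE payload: if the group the initiator already used is in one of
    # the surviving proposals, accept it (example policy: saves a round trip).
    for i, groups in candidates:
        if ke_group in groups:
            return Outcome(None, ke_group, i)

    # Otherwise the KE payload carries the wrong group: answer INVALID_KE_PAYLOAD
    # naming our most preferred group among those the initiator offered. No
    # proposal is committed to yet; the initiator must redo the exchange.
    for g in responder_groups:
        if any(g in groups for _, groups in candidates):
            return Outcome(INVALID_KE_PAYLOAD, g, None)
    raise AssertionError("unreachable: candidates intersect responder_groups")


def initiator_retry(proposals: Sequence[FrozenSet[int]], ke_group: int,
                    responder_groups: Sequence[int]) -> Outcome:
    """Initiator side of the recovery loop: one retry with the suggested group.

    The suggested group must be one we offered; a responder naming a group we
    never proposed is a protocol error, so we stop rather than follow it.
    """
    result = select_group(proposals, ke_group, responder_groups)
    if result.notify == INVALID_KE_PAYLOAD:
        offered = set().union(*proposals)
        if result.group in offered:
            result = select_group(proposals, result.group, responder_groups)
    return result


if __name__ == "__main__":
    # Constructed scenario: the rekeyed IKE SA is offered with different groups
    # than the original one, so the negotiation simply runs again on new inputs.
    old_sa = [frozenset({MODP_2048})]
    rekey_sa = [frozenset({ECP_256, ECP_384})]
    peer = [ECP_384, ECP_256, MODP_2048]
    print("original:", select_group(old_sa, MODP_2048, peer))
    print("rekey   :", select_group(rekey_sa, ECP_256, peer))
    print("no match:", select_group([frozenset({MODP_1024})], MODP_1024, peer))
    print("wrong KE:", initiator_retry(rekey_sa, MODP_2048, [ECP_384]))
```

Note that the "wrong KE" case in the demo is only reachable in a real exchange when the KE group differs from what the chosen proposal allows; RFC 5996 requires the initiator's KE group to come from one of its own proposals, which is why the retry loop terminates after one INVALID_KE_PAYLOAD.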