[IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD
Tero Kivinen <kivinen@iki.fi> Mon, 01 September 2014 14:39 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 119971A0A92 for <ipsec@ietfa.amsl.com>; Mon, 1 Sep 2014 07:39:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4wlvGf2e-Mk for <ipsec@ietfa.amsl.com>; Mon, 1 Sep 2014 07:39:21 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 319791A0977 for <ipsec@ietf.org>; Mon, 1 Sep 2014 07:16:18 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s81EGECJ015508 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 1 Sep 2014 17:16:14 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s81EGD5O019563; Mon, 1 Sep 2014 17:16:13 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21508.32685.533369.15287@fireball.kivinen.iki.fi>
Date: Mon, 01 Sep 2014 17:16:13 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Avishek Ganguly <aganguly@ixiacom.com>
In-Reply-To: <f349616c76c3467a95239d459bb4fb01@DM2PR0601MB713.namprd06.prod.outlook.com>
References: <f349616c76c3467a95239d459bb4fb01@DM2PR0601MB713.namprd06.prod.outlook.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 10 min
X-Total-Time: 10 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/neRr0YGEPySGMmmChopfM0Gm-sg
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Sep 2014 14:39:26 -0000
Avishek Ganguly writes: > I have questions regarding use of NO_PROPOSAL_CHOSEN and > INVALID_KE_PAYLOAD in > IKE_SA_INIT exchange in RFC 5996 IKEv2. > > According to > > "Section 3.10.1. Notify Message Types > > NO_PROPOSAL_CHOSEN 14 > None of the proposed crypto suites was acceptable. This can be > sent in any case where the offered proposals (including but not > limited to SA payload values, USE_TRANSPORT_MODE notify, > IPCOMP_SUPPORTED notify) are not acceptable for the responder. > " > > according to the above statement it is meant that if initiator sends a > proposal with a Diffie-Hellman group value that is unacceptable by the > responder, then responder must send a NO_PROPOSAL_CHOSEN notification. There is no must in the NO_PROPOSAL_CHOSEN text. It says "This can be sent...". In general what IKEv2 error message you get back depends on the implementation and about the order where the implementation parses things. For example some implementation might check the SA first and return NO_PROPOSAL_CHOSEN, but other implementation might check the SA limit first and return NO_ADDITIONAL_SAS if SA limit is already reached. Another similar case might be for example TS_UNACCEPTABLE error. Some implementations do have catch-all policy which says no algorithm proposal is valid for other addresses, thus instead of returning TS_UNACCEPTABLE error when proposed something that is outside their policy, they always return NO_PROPOSAL_CHOSEN as regardless what initiator proposed it cannot fullfill their no algorithm is allowed policy... So do not try to guess what error other end might return... > But according to > > "Section 1.2. The Initial Exchanges > Because the initiator sends its Diffie-Hellman value in the > IKE_SA_INIT, it must guess the Diffie-Hellman group that the > responder will select from its list of supported groups. If the > initiator guesses wrong, the responder will respond with a Notify > payload of type INVALID_KE_PAYLOAD indicating the selected group. > " > > From the INVALID_KE_PAYLOAD description stated above means that > NO_PROPOSAL_CHOSEN case is exclusive of this INVALID_KE_PAYLOAD. INVALID_KE_PAYLOAD is special case, as it is not really an error notification, it is notification telling that yes, your proposal was ok, but you selected wrong group in your KE payload, please try again with correct group. I.e. the INVALID_KE_PAYLOAD is used if the initiator used group in KE payload that is not allowed by the responder, but included some other group that is acceptable in the SA payload. I.e. if there is a way to recover, then you send INVALID_KE_PAYLOAD and tell which group should be used. If none of the groups in the SA payload is acceptable then you send NO_PROPOSAL_CHOSEN, as there is no way to continue, without changing the policy. -- kivinen@iki.fi
- [IPsec] Question Regarding IKEv2 RFC5996 Use of N… Avishek Ganguly
- Re: [IPsec] Question Regarding IKEv2 RFC5996 Use … Yoav Nir
- Re: [IPsec] Question Regarding IKEv2 RFC5996 Use … Avishek Ganguly
- Re: [IPsec] Question Regarding IKEv2 RFC5996 Use … Yoav Nir
- [IPsec] Question Regarding IKEv2 RFC5996 Use of N… Tero Kivinen