Re: [IPsec] Error in RFC6290
Yoav Nir <ynir@checkpoint.com> Wed, 26 December 2012 08:42 UTC
From: Yoav Nir <ynir@checkpoint.com>
To: Valery Smyslov <svanru@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Error in RFC6290
Thread-Index: AQHN4y/c3fArnE5T60Wa6aVDlN07vJgqwzRA
Date: Wed, 26 Dec 2012 08:42:52 +0000
Message-ID: <4613980CFC78314ABFD7F85CC30277210EE0910F@IL-EX10.ad.checkpoint.com>
References: <20121203223404.5441.71025.idtracker@ietfa.amsl.com> <E7FA5DBC7DB747779E6E6D73460A6615@buildpc> <4613980CFC78314ABFD7F85CC30277210EDFD9D0@IL-EX10.ad.checkpoint.com> <B1F8AE12E3604526980FA756C8F2DB09@buildpc> <DF562289B5D540F095DA9CD3B21AB3D0@buildpc>
In-Reply-To: <DF562289B5D540F095DA9CD3B21AB3D0@buildpc>
Hi

I agree with point #2. I'll leave it to some of the session resumption experts to comment on point #1.

It's a little late for "Merry Christmas", so just happy new year.

Yoav

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Valery Smyslov
Sent: Wednesday, December 26, 2012 8:11 AM
To: ipsec@ietf.org
Subject: [IPsec] Error in RFC6290

Hi,

RFC6290 (Quick Crash Detection) contains an error. In Section 4.3 it states:

   For session resumption, as specified in [RFC5723], the situation is
   similar.  The responder, which is necessarily the peer that has
   crashed, SHOULD send a new ticket within the protected payload of the
   IKE_SESSION_RESUME exchange.  If the Initiator is also a token maker,
   it needs to send a QCD_TOKEN in a separate INFORMATIONAL exchange.

But the IKE_SESSION_RESUME exchange, as specified in RFC5723, doesn't contain any protected payload - it is completely in the clear and must be followed by an IKE_AUTH exchange. I suspect this error came from early versions of the IKE SA Resumption protocol that, as far as I remember, did contain a protected payload. But currently this paragraph should look like:

   For session resumption, as specified in [RFC5723], the situation is
   similar.  The responder, which is necessarily the peer that has
   crashed, SHOULD send a new ticket in the IKE_AUTH exchange that
   immediately follows the IKE_SESSION_RESUME exchange.  If the
   Initiator is also a token maker, it needs to send a QCD_TOKEN in the
   same IKE_AUTH exchange.

And one more consideration. In Section 4.1 RFC6290 states:

   o  Protocol ID (1 octet) MUST be 1, as this message is related to an
      IKE SA.

   o  SPI Size (1 octet) MUST be zero, in conformance with Section 3.10
      of [RFC5996].

I think here we have a contradiction with RFC5996 (despite the claimed conformance with it). In the above-mentioned Section 3.10 it is written:

   o  Protocol ID (1 octet) - If this notification concerns an existing
      SA whose SPI is given in the SPI field, this field indicates the
      type of that SA.  For notifications concerning Child SAs, this
      field MUST contain either (2) to indicate AH or (3) to indicate
      ESP.  Of the notifications defined in this document, the SPI is
      included only with INVALID_SELECTORS and REKEY_SA.  If the SPI
      field is empty, this field MUST be sent as zero and MUST be
      ignored on receipt.

Let me emphasize that RFC5996 clearly requires that if the SPI field is empty, the Protocol ID field MUST be sent as zero and MUST be ignored on receipt, but RFC6290, while requiring the SPI field to be empty, requires the Protocol ID field to be non-zero. Actually, I see no value in this requirement, as Protocol ID MUST be ignored on receipt anyway (if the SPI field is empty), so it just complicates the protocol and makes it cumbersome.

Merry Christmas,
Valery Smyslov.
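The following Notify payload encoder/decoder is an added worked example for point #2 of the message above; it is not code from the thread, from RFC 6290 or from any IKE implementation. It encodes a QCD_TOKEN both ways (Protocol ID 1 as RFC 6290 Section 4.1 words it, and Protocol ID 0 as RFC 5996 Section 3.10 requires for an empty SPI) and shows that a receiver applying the RFC 5996 rule "Protocol ID MUST be ignored on receipt if the SPI field is empty" decodes both identically, which is why the RFC 6290 requirement adds nothing. The Notify Message Type value 16419 for QCD_TOKEN (QUICK_CRASH_DETECTION in the IANA IKEv2 registry) is assumed and should be checked against the registry; the 16-byte token and the ESP SPI are constructed, and all function names are this example's own.

```python
"""IKEv2 Notify payload (RFC 5996, Section 3.10) encoder/decoder.

Added example for the thread above, not code from RFC 6290 or any IKE stack.
Assumptions: Notify Message Type 16419 for QCD_TOKEN (IANA name
QUICK_CRASH_DETECTION) and the constructed 16-byte token below.
"""
import struct

QCD_TOKEN = 16419          # assumed from the IANA IKEv2 Notify registry
REKEY_SA = 16393           # RFC 5996; carried together with an AH/ESP SPI
PROTO_NONE, PROTO_IKE, PROTO_AH, PROTO_ESP = 0, 1, 2, 3

# Generic header: Next Payload, C|RESERVED, Payload Length;
# Notify header:  Protocol ID, SPI Size, Notify Message Type.
_HDR = struct.Struct("!BBHBBH")

TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real token


def build_notify(msg_type, data=b"", protocol_id=PROTO_NONE, spi=b"", next_payload=0):
    """Encode one Notify payload. Protocol ID is left to the caller so that both
    the RFC 6290 wording (Protocol ID=1, SPI Size=0) and the RFC 5996 rule
    (Protocol ID=0 when the SPI is absent) can be produced."""
    if len(spi) > 255:
        raise ValueError("SPI Size is one octet")
    length = _HDR.size + len(spi) + len(data)
    return _HDR.pack(next_payload, 0, length, protocol_id, len(spi), msg_type) + spi + data


def parse_notify(buf):
    """Decode a Notify payload under the RFC 5996 Section 3.10 receiver rules:
    an empty SPI means Protocol ID is ignored whatever was sent; a present SPI
    must belong to a Child SA (AH or ESP) and be 4 octets long."""
    if len(buf) < _HDR.size:
        raise ValueError("truncated Notify header")
    next_payload, flags, length, protocol_id, spi_size, msg_type = _HDR.unpack_from(buf)
    if length < _HDR.size + spi_size or length > len(buf):
        raise ValueError("bad Payload Length %d" % length)
    body = buf[_HDR.size:length]
    spi, data = body[:spi_size], body[spi_size:]
    if spi_size == 0:
        # "If the SPI field is empty, this field MUST be sent as zero and MUST be
        # ignored on receipt." So a QCD_TOKEN carrying Protocol ID=1 (RFC 6290)
        # and one carrying Protocol ID=0 (RFC 5996) must both be accepted.
        effective_proto = None
    else:
        if protocol_id not in (PROTO_AH, PROTO_ESP):
            raise ValueError("SPI present but Protocol ID %d is not AH/ESP" % protocol_id)
        if spi_size != 4:
            raise ValueError("AH/ESP SPI must be 4 octets, got %d" % spi_size)
        effective_proto = protocol_id
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "type": msg_type,
        "protocol_id_on_wire": protocol_id,
        "protocol_id": effective_proto,
        "spi": spi,
        "data": data,
        "consumed": length,
    }


def qcd_rfc6290_style():
    """QCD_TOKEN as RFC 6290 Section 4.1 words it: Protocol ID 1, SPI Size 0."""
    return build_notify(QCD_TOKEN, TOKEN, protocol_id=PROTO_IKE)


def qcd_rfc5996_style():
    """QCD_TOKEN as RFC 5996 Section 3.10 requires for an empty SPI: Protocol ID 0."""
    return build_notify(QCD_TOKEN, TOKEN, protocol_id=PROTO_NONE)


def interop_check():
    """A receiver following RFC 5996 sees the same QCD_TOKEN in both encodings."""
    a, b = parse_notify(qcd_rfc6290_style()), parse_notify(qcd_rfc5996_style())
    return (a["type"] == b["type"] == QCD_TOKEN and a["data"] == b["data"] == TOKEN
            and a["protocol_id"] is None and b["protocol_id"] is None
            and (a["protocol_id_on_wire"], b["protocol_id_on_wire"]) == (1, 0))


def rekey_sa_example():
    """Contrast: REKEY_SA does carry an SPI, so Protocol ID is meaningful there."""
    return parse_notify(build_notify(REKEY_SA, protocol_id=PROTO_ESP, spi=b"\x11\x22\x33\x44"))


def is_rejected(buf):
    """True if parse_notify refuses the payload (malformed cases)."""
    try:
        parse_notify(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("both QCD_TOKEN encodings decode identically:", interop_check())
    print("REKEY_SA Protocol ID / SPI:", rekey_sa_example()["protocol_id"], rekey_sa_example()["spi"].hex())
```

The receiver deliberately does not check Protocol ID when SPI Size is zero; a stack that instead enforced the RFC 6290 "MUST be 1" on receipt would reject a QCD_TOKEN from a peer that followed RFC 5996 and sent zero, for no security or correctness gain.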