[IPsec] Question: Inconsistent statements about what the node shall do when receiving ESP packets with unknown SPI.

Pål Dammvik <pal.dammvik@ericsson.com> Tue, 03 April 2018 11:09 UTC

From: Pål Dammvik <pal.dammvik@ericsson.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 03 Apr 2018 11:09:35 +0000
Message-ID: <HE1PR07MB13078205BCE2E700DDA3983C8BA50@HE1PR07MB1307.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/xsUVXcK8yjca5M7A9rueB1Voh74>
Subject: [IPsec] Question: Inconsistent statements about what the node shall do when receiving ESP packets with unknown SPI.

I think I have discovered a small inconsistency in RFC 7296 with regard to the actions a node shall take if it receives ESP packets with an unknown SPI.
In section 1.5 it’s stated:

“In the first case, if the receiving node has an active IKE SA to the IP address from whence the packet came, it MAY send an INVALID_SPI notification of the wayward packet over that IKE SA in an INFORMATIONAL exchange.”

The words "In the first case" refer to a case where the node received an ESP packet with unknown SPI.

Thus in this case it’s a MAY statement to initiate the INFORMATIONAL exchange.

In section 2.21.4 it’s stated:

“If an error occurs outside the context of an IKE request (e.g., the node is getting ESP messages on a nonexistent SPI), the node SHOULD initiate an INFORMATIONAL exchange with a Notify payload describing the problem.”

So in this case it’s a SHOULD statement to initiate the INFORMATIONAL exchange.

To me these statements are a bit confusing: is it a SHOULD or a MAY to initiate an INFORMATIONAL exchange when receiving ESP packets with unknown SPI (assuming an IKE SA is established)?

In my humble opinion section 2.21.4 should be updated to say MAY but I might have missed something 😊
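The receive-side decision the message is asking about (look the SPI up in the inbound SAD; if it is unknown and there is an active IKE SA to the source address, send an INVALID_SPI notification over that IKE SA; otherwise drop) can be sketched as follows. This is an added illustration, not code from RFC 7296 or from the poster. The SAD, the IKE SA table, the peer addresses and the packets are constructed in the block; the per-node `notify_budget` cap is a design assumption of this example (the ESP packet that triggers the notification is unauthenticated, so an implementer would want to bound how many INFORMATIONAL exchanges such packets can cause) and is not something the RFC text quoted above prescribes. The constant values (Notify type 11 for INVALID_SPI, Protocol ID 3 for ESP, the Notify payload layout) are from RFC 7296 sections 3.10 and 3.10.1.

```python
import struct
from dataclasses import dataclass, field

# IKEv2 constants from RFC 7296 (Notify payload, section 3.10 / 3.10.1).
NOTIFY_INVALID_SPI = 11   # Notify Message Type INVALID_SPI
PROTOCOL_ID_ESP = 3       # Protocol ID value for ESP inside a Notify payload
ESP_HEADER = struct.Struct("!II")  # ESP header prefix: SPI (4 octets), Sequence Number (4 octets)


def build_invalid_spi_notify(spi: int) -> bytes:
    """Notify payload body for INVALID_SPI (generic payload header omitted).

    Layout per RFC 7296 3.10: Protocol ID (1), SPI Size (1),
    Notify Message Type (2), then the SPI itself (4 octets for ESP).
    """
    return struct.pack("!BBHI", PROTOCOL_ID_ESP, 4, NOTIFY_INVALID_SPI, spi)


def parse_notify(body: bytes):
    """Inverse of build_invalid_spi_notify; returns (protocol_id, notify_type, spi)."""
    protocol_id, spi_size, notify_type = struct.unpack_from("!BBH", body)
    spi = int.from_bytes(body[4:4 + spi_size], "big")
    return protocol_id, notify_type, spi


@dataclass
class Node:
    # Constructed state for the example. A real SAD is keyed on
    # (SPI, destination address, protocol); keying on SPI alone is a simplification.
    sad: dict = field(default_factory=dict)       # inbound SPI -> SA record
    ike_sas: dict = field(default_factory=dict)   # peer IP -> IKE SA identifier
    notify_budget: int = 5                        # hypothetical cap on notifications (assumption)
    sent: list = field(default_factory=list)      # (ike_sa, notify payload) queued for INFORMATIONAL

    def receive_esp(self, src_ip: str, packet: bytes):
        """Return (action, detail) for one inbound ESP packet from src_ip."""
        if len(packet) < ESP_HEADER.size:
            return ("drop", "truncated")
        spi, _seq = ESP_HEADER.unpack_from(packet)
        if spi in self.sad:
            return ("deliver", spi)               # known SPI: normal ESP processing
        # Unknown SPI: the case discussed in RFC 7296 sections 1.5 and 2.21.4.
        ike_sa = self.ike_sas.get(src_ip)
        if ike_sa is None:
            return ("drop", "no IKE SA to peer")  # nothing to send the Notify over
        if self.notify_budget <= 0:
            return ("drop", "notify budget exhausted")  # assumption: bound unauthenticated triggers
        self.notify_budget -= 1
        self.sent.append((ike_sa, build_invalid_spi_notify(spi)))
        return ("notify", spi)


def demo():
    # Constructed sample: one inbound SA with SPI 0x1000 and one IKE SA to 198.51.100.7.
    node = Node(sad={0x1000: "esp-sa-in"}, ike_sas={"198.51.100.7": "ike-sa-1"})
    good = ESP_HEADER.pack(0x1000, 1) + b"\x00" * 8
    stray = ESP_HEADER.pack(0xDEAD, 1) + b"\x00" * 8
    results = [
        node.receive_esp("198.51.100.7", good),    # ("deliver", 0x1000)
        node.receive_esp("198.51.100.7", stray),   # ("notify", 0xDEAD)
        node.receive_esp("203.0.113.9", stray),    # ("drop", "no IKE SA to peer")
    ]
    return node, results


if __name__ == "__main__":
    node, results = demo()
    for r in results:
        print(r)
    for ike_sa, payload in node.sent:
        print(ike_sa, payload.hex(), parse_notify(payload))
```

The example deliberately keeps the SHOULD-versus-MAY question open: whether the `notify` branch is taken at all is a policy decision, and the budget check shows one reason an implementation might legitimately choose not to send on every unknown-SPI packet.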