[IPsec] Issue #176: What to do with a proposal of NONE

Tero Kivinen <kivinen@iki.fi> Mon, 08 March 2010 15:10 UTC

Message-ID: <19349.4958.130660.415650@fireball.kivinen.iki.fi>
Date: Mon, 08 Mar 2010 17:10:22 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240811c7b8ad8a9912@[10.20.30.158]>
References: <p06240811c7b8ad8a9912@[10.20.30.158]>
Cc: IPsecme WG <ipsec@ietf.org>, Pasi Eronen <Pasi.Eronen@nokia.com>
Subject: [IPsec] Issue #176: What to do with a proposal of NONE

Paul Hoffman writes:
> <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/176>
> 
> Pasi says:
> 
> Section 3.3.6 says "If one of the proposals offered is for the
> Diffie-Hellman group of NONE, the responder MUST ignore the
> initiator's KE payload and omit the KE payload from the response." 
> 
> This seems wrong: it seems to say that if the initiator proposes DH group NONE, the responder must select it.
> 
> However, negotiation of DH groups and KE payload is already well
> described in Sections 1.2 and 1.3 (paragraphs mentioning
> INVALID_KE_PAYLOAD), and it seems the last paragraph of 3.3.6 is
> completely redundant. Thus, I'd propose just deleting the whole
> paragraph. 
> 
> Paul says:
> 
> That whole paragraph has been there since -00. Only the last
> sentence was added in -03 almost a year ago. It was added to fix
> <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/6>, but I can
> easily believe that fix was not correct. However, sections 1.2 and
> 1.3 don't address the issue in the sentence quoted. 

The last sentence is the one that is misleading. All of the rest of
the paragraph is just repetition of the text from elsewhere.

The last sentence should be saying:

   If one of the proposals offered is for the
   Diffie-Hellman group of NONE, and the responder selects that
   Diffie-Hellman group, then it MUST ignore the initiator's KE
   payload and omit the KE payload from the response.

I.e., the "MUST ignore and omit the KE payload" is only applicable if the
responder actually selects the Diffie-Hellman group NONE.
-- 
kivinen@iki.fi
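The difference between the two readings, as an added illustration (not text or code from the mail thread, the draft, or any RFC): the Python below models an IKEv2 responder picking a D-H group from the initiator's proposals and then deciding what to do with the KE payload. `respond` follows the corrected wording (KE ignored and omitted only when NONE is the *selected* group, INVALID_KE_PAYLOAD when the initiator's KE is for a different group), while `respond_misread` follows the -03 sentence literally (KE dropped whenever NONE is *offered* anywhere). The group IDs are the IANA Transform Type 4 values; the policy format, the first-acceptable-proposal selection rule, and the treatment of a missing KE as a mismatch are assumptions made for the example.

```python
"""Toy model of an IKEv2 responder choosing a D-H group and deciding what to
do with the KE payload.  Added illustration, not code from the mail thread or
any RFC: group IDs are IANA Transform Type 4 values; the policy format and the
first-acceptable-proposal rule are assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DH_NONE = 0          # Transform Type 4, ID 0: no Diffie-Hellman exchange
DH_MODP_1024 = 2     # illustrative group IDs from the IKEv2 transform registry
DH_MODP_2048 = 14

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"
INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"


@dataclass
class Proposal:
    number: int
    dh_groups: List[int]      # D-H transforms offered as alternatives in this proposal


@dataclass
class Request:
    proposals: List[Proposal]
    ke_group: Optional[int]   # group the initiator's KE payload was built for; None = no KE


@dataclass
class Response:
    proposal: int
    dh_group: int
    ke_group: Optional[int]        # group of the responder's KE payload; None = KE omitted
    notify: Optional[str] = None   # error notification sent instead of an SA response


def select(proposals: List[Proposal], policy: List[int]) -> Optional[Tuple[int, int]]:
    """Pick the first initiator proposal offering a group the responder accepts,
    and within it the responder's most-preferred group (assumed selection rule)."""
    for p in proposals:
        for g in policy:
            if g in p.dh_groups:
                return p.number, g
    return None


def ke_decision(chosen_group: int, initiator_ke: Optional[int]) -> Tuple[Optional[int], Optional[str]]:
    """KE handling once a group is chosen: the corrected Section 3.3.6 rule."""
    if chosen_group == DH_NONE:
        # Responder selected NONE: ignore the initiator's KE and send none of its own.
        return None, None
    if initiator_ke == chosen_group:
        return chosen_group, None          # initiator's KE matches the selected group
    # KE built for another group (or absent): INVALID_KE_PAYLOAD carrying the chosen
    # group, so the initiator can retry.  Treating a missing KE the same way as a
    # mismatched one is this model's simplification.
    return None, INVALID_KE_PAYLOAD


def respond(req: Request, policy: List[int]) -> Response:
    """Responder behaviour under the corrected wording."""
    chosen = select(req.proposals, policy)
    if chosen is None:
        return Response(0, DH_NONE, None, NO_PROPOSAL_CHOSEN)
    number, group = chosen
    ke, notify = ke_decision(group, req.ke_group)
    return Response(number, group, ke, notify)


def respond_misread(req: Request, policy: List[int]) -> Response:
    """Literal reading of the -03 sentence: NONE offered anywhere => ignore the
    initiator's KE and omit ours, regardless of which group was selected."""
    chosen = select(req.proposals, policy)
    if chosen is None:
        return Response(0, DH_NONE, None, NO_PROPOSAL_CHOSEN)
    number, group = chosen
    if any(DH_NONE in p.dh_groups for p in req.proposals):
        return Response(number, group, None)   # drops KE even when `group` != NONE
    ke, notify = ke_decision(group, req.ke_group)
    return Response(number, group, ke, notify)


if __name__ == "__main__":
    # Constructed CREATE_CHILD_SA request: PFS with MODP-2048 preferred, NONE as fallback.
    req = Request([Proposal(1, [DH_MODP_2048]), Proposal(2, [DH_NONE])], ke_group=DH_MODP_2048)
    pfs_policy = [DH_MODP_2048, DH_NONE]
    print("corrected:", respond(req, pfs_policy))
    print("misread:  ", respond_misread(req, pfs_policy))
    print("no PFS:   ", respond(req, [DH_NONE]))
```

Running it shows the problem the ticket is about: with a responder that prefers MODP-2048, the literal reading selects proposal 1 (group 14) and still omits the KE payload, so neither side can derive the new keying material; the corrected reading answers with a KE for group 14, and only falls back to omitting KE when NONE is what was actually selected.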