
List:       openbsd-tech
Subject:    Re: iked(8): update RFC references
From:       Claudio Jeker <cjeker () diehard ! n-r-g ! com>
Date:       2019-02-27 12:22:18
Message-ID: 20190227122218.GB13607 () diehard ! n-r-g ! com

On Wed, Feb 27, 2019 at 01:08:44PM +0100, Tobias Heider wrote:
> Hi,
> 
> I went through the code and man pages and updated obsolete RFC
> references according to [iana].
> 
> The remaining mentions of RFC4306 are deprecated and listed as RESERVED
> in the current registry; should they be removed from ikev2.h?
> 
> Tobias
> 
> [iana] https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-10

The only issue I would see with this is if RFC7296 includes requirements that
RFC 5996 doesn't have and iked has not implemented them.
Looking at RFC7296 section 1.8, this is not the case, so OK claudio@
 
> Index: ca.c
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ca.c,v
> retrieving revision 1.46
> diff -u -p -u -r1.46 ca.c
> --- ca.c	30 Oct 2017 09:53:27 -0000	1.46
> +++ ca.c	27 Feb 2019 10:58:22 -0000
> @@ -808,7 +808,7 @@ ca_subjectpubkey_digest(X509 *x509, uint
>  	 * Generate a SHA-1 digest of the Subject Public Key Info
>  	 * element in the X.509 certificate, an ASN.1 sequence
>  	 * that includes the public key type (eg. RSA) and the
> -	 * public key value (see 3.7 of RFC4306).
> +	 * public key value (see 3.7 of RFC7296).
>  	 */
>  	if ((pkey = X509_get_pubkey(x509)) == NULL)
>  		return (-1);
> Index: iked.8
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.8,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 iked.8
> --- iked.8	3 Jul 2018 13:37:11 -0000	1.21
> +++ iked.8	27 Feb 2019 10:27:19 -0000
> @@ -31,7 +31,7 @@ is an Internet Key Exchange (IKEv2) daem
>  authentication and which establishes and maintains IPsec flows and
>  security associations (SAs) between the two peers.
>  .Pp
> -The IKEv2 protocol is defined in RFC 5996,
> +The IKEv2 protocol is defined in RFC 7296,
>  which combines and updates the previous standards:
>  ISAKMP/Oakley (RFC 2408),
>  IKE (RFC 2409),
> @@ -187,8 +187,9 @@ control socket.
>  .%A P. Hoffman
>  .%A Y. Nir
>  .%A P. Eronen
> -.%D September 2010
> -.%R RFC 5996
> +.%A T. Kivinen
> +.%D October 2014
> +.%R RFC 7296
>  .%T Internet Key Exchange Protocol Version 2 (IKEv2)
>  .Re
>  .Sh HISTORY
> Index: ikev2.c
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
> retrieving revision 1.167
> diff -u -p -u -r1.167 ikev2.c
> --- ikev2.c	26 Feb 2019 18:05:22 -0000	1.167
> +++ ikev2.c	27 Feb 2019 10:32:36 -0000
> @@ -4585,7 +4585,7 @@ ikev2_sa_keys(struct iked *env, struct i
>  	 *  (Ni | Nr) is used as a PRF key, otherwise a "key" buffer
>  	 *  is used and PRF is performed on the concatenation of DH
>  	 *  exchange result and nonces (g^ir | Ni | Nr).  See sections
> -	 *  2.14 and 2.18 of RFC5996 for more information.
> +	 *  2.14 and 2.18 of RFC7296 for more information.
>  	 */
>  
>  	/*
> Index: ikev2.h
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.h,v
> retrieving revision 1.27
> diff -u -p -u -r1.27 ikev2.h
> --- ikev2.h	3 Dec 2017 21:02:44 -0000	1.27
> +++ ikev2.h	27 Feb 2019 11:56:13 -0000
> @@ -184,7 +184,7 @@ extern struct iked_constmap ikev2_xformt
>  
>  extern struct iked_constmap ikev2_xformencr_map[];
>  
> -#define IKEV2_IPCOMP_OUI		1	/* RFC5996 */
> +#define IKEV2_IPCOMP_OUI		1	/* UNSPECIFIED */
>  #define IKEV2_IPCOMP_DEFLATE		2	/* RFC2394 */
>  #define IKEV2_IPCOMP_LZS		3	/* RFC2395 */
>  #define IKEV2_IPCOMP_LZJH		4	/* RFC3051 */
> @@ -283,38 +283,38 @@ struct ikev2_notify {
>  	/* Followed by variable length notification data */
>  } __packed;
>  
> -#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	1	/* RFC4306 */
> -#define IKEV2_N_INVALID_IKE_SPI			4	/* RFC4306 */
> -#define IKEV2_N_INVALID_MAJOR_VERSION		5	/* RFC4306 */
> -#define IKEV2_N_INVALID_SYNTAX			7	/* RFC4306 */
> -#define IKEV2_N_INVALID_MESSAGE_ID		9	/* RFC4306 */
> -#define IKEV2_N_INVALID_SPI			11	/* RFC4306 */
> -#define IKEV2_N_NO_PROPOSAL_CHOSEN		14	/* RFC4306 */
> -#define IKEV2_N_INVALID_KE_PAYLOAD		17	/* RFC4306 */
> -#define IKEV2_N_AUTHENTICATION_FAILED		24	/* RFC4306 */
> -#define IKEV2_N_SINGLE_PAIR_REQUIRED		34	/* RFC4306 */
> -#define IKEV2_N_NO_ADDITIONAL_SAS		35	/* RFC4306 */
> -#define IKEV2_N_INTERNAL_ADDRESS_FAILURE	36	/* RFC4306 */
> -#define IKEV2_N_FAILED_CP_REQUIRED		37	/* RFC4306 */
> -#define IKEV2_N_TS_UNACCEPTABLE			38	/* RFC4306 */
> -#define IKEV2_N_INVALID_SELECTORS		39	/* RFC4306 */
> +#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	1	/* RFC7296 */
> +#define IKEV2_N_INVALID_IKE_SPI			4	/* RFC7296 */
> +#define IKEV2_N_INVALID_MAJOR_VERSION		5	/* RFC7296 */
> +#define IKEV2_N_INVALID_SYNTAX			7	/* RFC7296 */
> +#define IKEV2_N_INVALID_MESSAGE_ID		9	/* RFC7296 */
> +#define IKEV2_N_INVALID_SPI			11	/* RFC7296 */
> +#define IKEV2_N_NO_PROPOSAL_CHOSEN		14	/* RFC7296 */
> +#define IKEV2_N_INVALID_KE_PAYLOAD		17	/* RFC7296 */
> +#define IKEV2_N_AUTHENTICATION_FAILED		24	/* RFC7296 */
> +#define IKEV2_N_SINGLE_PAIR_REQUIRED		34	/* RFC7296 */
> +#define IKEV2_N_NO_ADDITIONAL_SAS		35	/* RFC7296 */
> +#define IKEV2_N_INTERNAL_ADDRESS_FAILURE	36	/* RFC7296 */
> +#define IKEV2_N_FAILED_CP_REQUIRED		37	/* RFC7296 */
> +#define IKEV2_N_TS_UNACCEPTABLE			38	/* RFC7296 */
> +#define IKEV2_N_INVALID_SELECTORS		39	/* RFC7296 */
>  #define IKEV2_N_UNACCEPTABLE_ADDRESSES		40	/* RFC4555 */
>  #define IKEV2_N_UNEXPECTED_NAT_DETECTED		41	/* RFC4555 */
>  #define IKEV2_N_USE_ASSIGNED_HoA		42	/* RFC5026 */
> -#define IKEV2_N_TEMPORARY_FAILURE		43	/* RFC5996 */
> -#define IKEV2_N_CHILD_SA_NOT_FOUND		44	/* RFC5996 */
> -#define IKEV2_N_INITIAL_CONTACT			16384	/* RFC4306 */
> -#define IKEV2_N_SET_WINDOW_SIZE			16385	/* RFC4306 */
> -#define IKEV2_N_ADDITIONAL_TS_POSSIBLE		16386	/* RFC4306 */
> -#define IKEV2_N_IPCOMP_SUPPORTED		16387	/* RFC4306 */
> -#define IKEV2_N_NAT_DETECTION_SOURCE_IP		16388	/* RFC4306 */
> -#define IKEV2_N_NAT_DETECTION_DESTINATION_IP	16389	/* RFC4306 */
> -#define IKEV2_N_COOKIE				16390	/* RFC4306 */
> -#define IKEV2_N_USE_TRANSPORT_MODE		16391	/* RFC4306 */
> -#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	16392	/* RFC4306 */
> -#define IKEV2_N_REKEY_SA			16393	/* RFC4306 */
> -#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	16394	/* RFC4306 */
> -#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	16395	/* RFC4306 */
> +#define IKEV2_N_TEMPORARY_FAILURE		43	/* RFC7296 */
> +#define IKEV2_N_CHILD_SA_NOT_FOUND		44	/* RFC7296 */
> +#define IKEV2_N_INITIAL_CONTACT			16384	/* RFC7296 */
> +#define IKEV2_N_SET_WINDOW_SIZE			16385	/* RFC7296 */
> +#define IKEV2_N_ADDITIONAL_TS_POSSIBLE		16386	/* RFC7296 */
> +#define IKEV2_N_IPCOMP_SUPPORTED		16387	/* RFC7296 */
> +#define IKEV2_N_NAT_DETECTION_SOURCE_IP		16388	/* RFC7296 */
> +#define IKEV2_N_NAT_DETECTION_DESTINATION_IP	16389	/* RFC7296 */
> +#define IKEV2_N_COOKIE				16390	/* RFC7296 */
> +#define IKEV2_N_USE_TRANSPORT_MODE		16391	/* RFC7296 */
> +#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	16392	/* RFC7296 */
> +#define IKEV2_N_REKEY_SA			16393	/* RFC7296 */
> +#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	16394	/* RFC7296 */
> +#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	16395	/* RFC7296 */
>  #define IKEV2_N_MOBIKE_SUPPORTED		16396	/* RFC4555 */
>  #define IKEV2_N_ADDITIONAL_IP4_ADDRESS		16397	/* RFC4555 */
>  #define IKEV2_N_ADDITIONAL_IP6_ADDRESS		16398	/* RFC4555 */
> @@ -334,8 +334,8 @@ struct ikev2_notify {
>  #define IKEV2_N_TICKET_NACK			16412	/* RFC5723 */
>  #define IKEV2_N_TICKET_OPAQUE			16413	/* RFC5723 */
>  #define IKEV2_N_LINK_ID				16414	/* RFC5739 */
> -#define IKEV2_N_USE_WESP_MODE			16415	/* RFC-ietf-ipsecme-traffic-visibility-12.txt */
> -#define IKEV2_N_ROHC_SUPPORTED			16416	/* RFC-ietf-rohc-ikev2-extensions-hcoipsec-12.txt */
> +#define IKEV2_N_USE_WESP_MODE			16415	/* RFC5415 */
> +#define IKEV2_N_ROHC_SUPPORTED			16416	/* RFC5857 */
>  #define IKEV2_N_EAP_ONLY_AUTHENTICATION		16417	/* RFC5998 */
>  #define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED	16418	/* RFC6023 */
>  #define IKEV2_N_QUICK_CRASH_DETECTION		16419	/* RFC6290 */
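Review bot: The new reference `RFC5415` on the IKEV2_N_USE_WESP_MODE line looks like a transposed number: RFC 5415 is the CAPWAP specification, whereas the traffic-visibility draft the old comment named (draft-ietf-ipsecme-traffic-visibility) was published as RFC 5840, which is also the document the IANA notify-type registry cites for 16415. The ROHC_SUPPORTED line directly below it is correct (RFC 5857 is the ROHCoIPsec IKEv2 extension). Suggested line: `#define IKEV2_N_USE_WESP_MODE			16415	/* RFC5840 */`.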
> @@ -375,13 +375,13 @@ struct ikev2_id {
>  } __packed;
>  
>  #define IKEV2_ID_NONE		0	/* No ID */
> -#define IKEV2_ID_IPV4		1	/* RFC4306 (ID_IPV4_ADDR) */
> -#define IKEV2_ID_FQDN		2	/* RFC4306 */
> -#define IKEV2_ID_UFQDN		3	/* RFC4306 (ID_RFC822_ADDR) */
> -#define IKEV2_ID_IPV6		5	/* RFC4306 (ID_IPV6_ADDR) */
> -#define IKEV2_ID_ASN1_DN	9	/* RFC4306 */
> -#define IKEV2_ID_ASN1_GN	10	/* RFC4306 */
> -#define IKEV2_ID_KEY_ID		11	/* RFC4306 */
> +#define IKEV2_ID_IPV4		1	/* RFC7296 (ID_IPV4_ADDR) */
> +#define IKEV2_ID_FQDN		2	/* RFC7296 */
> +#define IKEV2_ID_UFQDN		3	/* RFC7296 (ID_RFC822_ADDR) */
> +#define IKEV2_ID_IPV6		5	/* RFC7296 (ID_IPV6_ADDR) */
> +#define IKEV2_ID_ASN1_DN	9	/* RFC7296 */
> +#define IKEV2_ID_ASN1_GN	10	/* RFC7296 */
> +#define IKEV2_ID_KEY_ID		11	/* RFC7296 */
>  #define IKEV2_ID_FC_NAME	12	/* RFC4595 */
>  
>  extern struct iked_constmap ikev2_id_map[];
> @@ -396,18 +396,18 @@ struct ikev2_cert {
>  } __packed;
>  
>  #define IKEV2_CERT_NONE			0	/* None */
> -#define IKEV2_CERT_X509_PKCS7		1	/* RFC4306 */
> -#define IKEV2_CERT_PGP			2	/* RFC4306 */
> -#define IKEV2_CERT_DNS_SIGNED_KEY	3	/* RFC4306 */
> -#define IKEV2_CERT_X509_CERT		4	/* RFC4306 */
> -#define IKEV2_CERT_KERBEROS_TOKEN	6	/* RFC4306 */
> -#define IKEV2_CERT_CRL			7	/* RFC4306 */
> -#define IKEV2_CERT_ARL			8	/* RFC4306 */
> -#define IKEV2_CERT_SPKI			9	/* RFC4306 */
> -#define IKEV2_CERT_X509_ATTR		10	/* RFC4306 */
> -#define IKEV2_CERT_RSA_KEY		11	/* RFC4306 */
> -#define IKEV2_CERT_HASHURL_X509		12	/* RFC4306 */
> -#define IKEV2_CERT_HASHURL_X509_BUNDLE	13	/* RFC4306 */
> +#define IKEV2_CERT_X509_PKCS7		1	/* UNSPECIFIED */
> +#define IKEV2_CERT_PGP			2	/* UNSPECIFIED */
> +#define IKEV2_CERT_DNS_SIGNED_KEY	3	/* UNSPECIFIED */
> +#define IKEV2_CERT_X509_CERT		4	/* RFC7296 */
> +#define IKEV2_CERT_KERBEROS_TOKEN	6	/* UNSPECIFIED */
> +#define IKEV2_CERT_CRL			7	/* RFC7296 */
> +#define IKEV2_CERT_ARL			8	/* UNSPECIFIED */
> +#define IKEV2_CERT_SPKI			9	/* UNSPECIFIED */
> +#define IKEV2_CERT_X509_ATTR		10	/* UNSPECIFIED */
> +#define IKEV2_CERT_RSA_KEY		11	/* RFC7296 */
> +#define IKEV2_CERT_HASHURL_X509		12	/* RFC7296 */
> +#define IKEV2_CERT_HASHURL_X509_BUNDLE	13	/* RFC7296 */
>  #define IKEV2_CERT_OCSP			14	/* RFC4806 */
>  /*
>   * As of November 2014, work was still in progress to add a more generic
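Review bot: IKEV2_CERT_RSA_KEY (11) is re-tagged as `RFC7296` only, but the registry marks Raw RSA Key as deprecated in favour of the generic Raw Public Key encoding (value 15) introduced by RFC 7670, and the comment block that begins on the last line of this hunk still dates itself to November 2014, when that work was presumably still a draft. Since the patch is already reconciling these comments with the registry, the line for 11 could carry `/* RFC7296, deprecated by RFC7670 */` and the dated comment could be refreshed in the same pass. The comment block continues outside the hunk, so I cannot see whether it already mentions the published RFC.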
> @@ -436,8 +436,8 @@ struct ikev2_ts {
>  	uint16_t	ts_endport;		/* End port */
>  } __packed;
>  
> -#define IKEV2_TS_IPV4_ADDR_RANGE	7	/* RFC4306 */
> -#define IKEV2_TS_IPV6_ADDR_RANGE	8	/* RFC4306 */
> +#define IKEV2_TS_IPV4_ADDR_RANGE	7	/* RFC7296 */
> +#define IKEV2_TS_IPV6_ADDR_RANGE	8	/* RFC7296 */
>  #define IKEV2_TS_FC_ADDR_RANGE		9	/* RFC4595 */
>  
>  extern struct iked_constmap ikev2_ts_map[];
> @@ -453,9 +453,9 @@ struct ikev2_auth {
>  } __packed;
>  
>  #define IKEV2_AUTH_NONE			0	/* None */
> -#define IKEV2_AUTH_RSA_SIG		1	/* RFC4306 */
> -#define IKEV2_AUTH_SHARED_KEY_MIC	2	/* RFC4306 */
> -#define IKEV2_AUTH_DSS_SIG		3	/* RFC4306 */
> +#define IKEV2_AUTH_RSA_SIG		1	/* RFC7296 */
> +#define IKEV2_AUTH_SHARED_KEY_MIC	2	/* RFC7296 */
> +#define IKEV2_AUTH_DSS_SIG		3	/* RFC7296 */
>  #define IKEV2_AUTH_ECDSA_256		9	/* RFC4754 */
>  #define IKEV2_AUTH_ECDSA_384		10	/* RFC4754 */
>  #define IKEV2_AUTH_ECDSA_521		11	/* RFC4754 */
> @@ -504,20 +504,20 @@ struct ikev2_cfg {
>  	/* Followed by variable-length data */
>  } __packed;
>  
> -#define IKEV2_CFG_INTERNAL_IP4_ADDRESS		1	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_NETMASK		2	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_DNS		3	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_NBNS		4	/* RFC5996 */
> +#define IKEV2_CFG_INTERNAL_IP4_ADDRESS		1	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_NETMASK		2	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_DNS		3	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_NBNS		4	/* RFC7296 */
>  #define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY	5	/* RFC4306 */
> -#define IKEV2_CFG_INTERNAL_IP4_DHCP		6	/* RFC5996 */
> -#define IKEV2_CFG_APPLICATION_VERSION		7	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP6_ADDRESS		8	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP6_DNS		10	/* RFC5996 */
> +#define IKEV2_CFG_INTERNAL_IP4_DHCP		6	/* RFC7296 */
> +#define IKEV2_CFG_APPLICATION_VERSION		7	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP6_ADDRESS		8	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP6_DNS		10	/* RFC7296 */
>  #define IKEV2_CFG_INTERNAL_IP6_NBNS		11	/* RFC4306 */
> -#define IKEV2_CFG_INTERNAL_IP6_DHCP		12	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_SUBNET		13	/* RFC5996 */
> -#define IKEV2_CFG_SUPPORTED_ATTRIBUTES		14	/* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP6_SUBNET		15	/* RFC5996 */
> +#define IKEV2_CFG_INTERNAL_IP6_DHCP		12	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_SUBNET		13	/* RFC7296 */
> +#define IKEV2_CFG_SUPPORTED_ATTRIBUTES		14	/* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP6_SUBNET		15	/* RFC7296 */
>  #define IKEV2_CFG_MIP6_HOME_PREFIX		16	/* RFC5026 */
>  #define IKEV2_CFG_INTERNAL_IP6_LINK		17	/* RFC5739 */
>  #define IKEV2_CFG_INTERNAL_IP6_PREFIX		18	/* RFC5739 */
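Review bot: Values 5 (IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY) and 11 (IKEV2_CFG_INTERNAL_IP6_NBNS) keep their `/* RFC4306 */` tag as context lines while every neighbouring attribute is moved to RFC7296, leaving the file citing, for just these two codes, a document the registry no longer points to; the registry lists both as Reserved. Keeping the defines is presumably still useful for naming an attribute a peer sends, so rather than deleting them I would tag them explicitly, e.g. `/* RFC4306, Reserved in the IANA registry */`, so the leftover reference is not read as an oversight.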
> 

-- 
:wq Claudio

