This is in line with the WG discussion, and I recommend to mark it as
verified.
Thanks,
Yaron
On 01/09/2013 01:53 PM, RFC Errata System wrote:
The following errata report has been submitted for RFC6290,
"A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6290&eid=3448
--------------------------------------
Type: Technical
Reported by: Valery Smyslov <[email protected]>
Section: 4.3
Original Text
-------------
For session resumption, as specified in [RFC5723], the situation is
similar. The responder, which is necessarily the peer that has
crashed, SHOULD send a new ticket within the protected payload of the
IKE_SESSION_RESUME exchange. If the Initiator is also a token maker,
it needs to send a QCD_TOKEN in a separate INFORMATIONAL exchange.
Corrected Text
--------------
For session resumption, as specified in [RFC5723], the situation is
similar. The responder, which is necessarily the peer that has
crashed, SHOULD send a new QCD_TOKEN in the IKE_AUTH exchange
that immediately follows the IKE_SESSION_RESUME exchange.
If the Initiator is also a token maker, it needs to send a QCD_TOKEN in
the same IKE_AUTH exchange.
Notes
-----
The original text mixes up the terms "ticket" (the Session Resumption ticket from RFC5723) and
"token" (the QCD token from this RFC). As a QCD token must never be sent in an unprotected
message (see section 9.2 of this RFC), it cannot be sent in the IKE_SESSION_RESUME exchange,
because this exchange is done in the clear. So the QCD token must be sent in the IKE_AUTH exchange that
immediately follows the IKE_SESSION_RESUME exchange. In this case there is no need for a
separate INFORMATIONAL exchange in which to send the Initiator's QCD token (if any), because it can
be sent in the same IKE_AUTH exchange.
Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.
--------------------------------------
RFC6290 (draft-ietf-ipsecme-failure-detection-08)
--------------------------------------
Title : A Quick Crash Detection Method for the Internet Key
Exchange Protocol (IKE)
Publication Date : June 2011
Author(s) : Y. Nir, Ed., D. Wierbowski, F. Detienne, P. Sethi
Category : PROPOSED STANDARD
Source : IP Security Maintenance and Extensions
Area : Security
Stream : IETF
Verifying Party : IESG
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
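The point of the erratum is a placement rule: a QCD_TOKEN notification may only travel inside a protected (SK) exchange, and IKE_SESSION_RESUME is sent in the clear, so both peers' tokens belong in the IKE_AUTH exchange that follows it. The Python below is an added example, not code from RFC 6290, RFC 5723, the errata report or the mailing list. It models the two resumption flows (a literal reading of the original section 4.3 text versus the corrected text) as abbreviated, constructed payload lists, and runs a check that flags any QCD_TOKEN carried in a cleartext exchange. Exchange and notification names (IKE_SESSION_RESUME, IKE_AUTH, INFORMATIONAL, TICKET_OPAQUE, TICKET_LT_OPAQUE, QCD_TOKEN) come from the two RFCs; the data model, function names and the shortened payload lists are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# IKEv2 exchanges whose payloads are NOT inside an encrypted SK payload.
# IKE_SESSION_RESUME (RFC 5723) is done in the clear, like IKE_SA_INIT.
CLEARTEXT_EXCHANGES = {"IKE_SA_INIT", "IKE_SESSION_RESUME"}


@dataclass
class Exchange:
    """Simplified model of one IKEv2 request/response pair (constructed for this example)."""
    name: str
    initiator_payloads: List[str] = field(default_factory=list)
    responder_payloads: List[str] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        # Everything after the initial cleartext exchanges rides inside SK{...}.
        return self.name not in CLEARTEXT_EXCHANGES


def token_placements(flow: List[Exchange]) -> List[Tuple[str, str]]:
    """Return (side, exchange name) for every QCD_TOKEN sent in the flow."""
    out = []
    for ex in flow:
        for side, payloads in (("initiator", ex.initiator_payloads),
                               ("responder", ex.responder_payloads)):
            if "QCD_TOKEN" in payloads:
                out.append((side, ex.name))
    return out


def qcd_token_violations(flow: List[Exchange]) -> List[str]:
    """RFC 6290 section 9.2: a QCD token must never be sent in an unprotected message."""
    return [f"{side} sent QCD_TOKEN in cleartext {name}"
            for side, name in token_placements(flow)
            if name in CLEARTEXT_EXCHANGES]


def resumption_flow_original_text(initiator_is_token_maker: bool) -> List[Exchange]:
    """Flow as a literal reading of the uncorrected section 4.3 would have it:
    the responder's token in IKE_SESSION_RESUME and the initiator's token in a
    separate INFORMATIONAL exchange.  Payload lists are abbreviated/constructed."""
    flow = [
        Exchange("IKE_SESSION_RESUME",
                 initiator_payloads=["Ni", "N(TICKET_OPAQUE)"],
                 responder_payloads=["Nr", "QCD_TOKEN"]),  # token in the clear
        Exchange("IKE_AUTH",
                 initiator_payloads=["IDi", "AUTH", "SAi2", "TSi", "TSr"],
                 responder_payloads=["IDr", "AUTH", "SAr2", "TSi", "TSr",
                                     "N(TICKET_LT_OPAQUE)"]),
    ]
    if initiator_is_token_maker:
        flow.append(Exchange("INFORMATIONAL", initiator_payloads=["QCD_TOKEN"]))
    return flow


def resumption_flow_corrected_text(initiator_is_token_maker: bool) -> List[Exchange]:
    """Flow per the corrected text: both peers' tokens ride in the protected
    IKE_AUTH exchange that immediately follows IKE_SESSION_RESUME."""
    init_auth = ["IDi", "AUTH", "SAi2", "TSi", "TSr"]
    if initiator_is_token_maker:
        init_auth.append("QCD_TOKEN")
    return [
        Exchange("IKE_SESSION_RESUME",
                 initiator_payloads=["Ni", "N(TICKET_OPAQUE)"],
                 responder_payloads=["Nr"]),
        Exchange("IKE_AUTH",
                 initiator_payloads=init_auth,
                 responder_payloads=["IDr", "AUTH", "SAr2", "TSi", "TSr",
                                     "N(TICKET_LT_OPAQUE)", "QCD_TOKEN"]),
    ]


if __name__ == "__main__":
    for label, build in (("original", resumption_flow_original_text),
                         ("corrected", resumption_flow_corrected_text)):
        flow = build(initiator_is_token_maker=True)
        print(f"{label}: {len(flow)} exchanges, placements={token_placements(flow)}, "
              f"violations={qcd_token_violations(flow)}")
```

Run stand-alone, the original-text flow reports one violation (the responder's token in cleartext IKE_SESSION_RESUME) and needs a third exchange for the initiator's token; the corrected-text flow reports none and finishes in two exchanges, which is exactly the simplification the erratum describes.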