Hi,

I believe the proposed change is wrong. Nr in the RFC7296 diagrams
represents the whole Nonce payload, including payload header,
while only its content is included in the authentication data.

This is expressed by the line:

NonceRPayload = PayloadHeader | NonceRData


The correct change would be:

Nr = PayloadHeader | NonceRData

However, while the terms NonceRPayload, InitiatorIDPayload,
RealMessage1, etc., are not formally defined in the RFC,
the explanation text above makes it clear (in my opinion)
what is meant.


And the proposal to exclude nonces from the authentication data
is wrong since it would break the security proofs of the SIGMA protocol.
The RFC explicitly states:

   It is critical to the security of the exchange
   that each side sign the other side's nonce.

Regards,
Valery.


> The following errata report has been submitted for RFC7296,
> "Internet Key Exchange Protocol Version 2 (IKEv2)".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8407
> 
> --------------------------------------
> Type: Technical
> Reported by: Yan Jia <[email protected]>
> 
> Section: 2.15.
> 
> Original Text
> -------------
> InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
> 
> NonceRPayload = PayloadHeader | NonceRData
> 
> Corrected Text
> --------------
> InitiatorSignedOctets = RealMessage1 | Nr| MACedIDForI
> 
> NonceRPayload = PayloadHeader | Nr
> 
> Notes
> -----
> I'm not sure whether "NonceRData" and "NonceIData " refers to Nr and Ni? I
> searched "NonceRData" but I cannot find its definition.
> 
> BTW, because we have already included "MACedIDForI" that is generated from
> Nonce in InitiatorSignedOctets, can we remove "NonceRData" from
> InitiatorSignedOctets (assuming NonceRData is Nr)?
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC7296 (draft-kivinen-ipsecme-ikev2-rfc5996bis-04)
> --------------------------------------
> Title               : Internet Key Exchange Protocol Version 2 (IKEv2)
> Publication Date    : October 2014
> Author(s)           : C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, T. Kivinen
> Category            : INTERNET STANDARD
> Source              : IP Security Maintenance and Extensions
> Stream              : IETF
> Verifying Party     : IESG
> 
> _______________________________________________
> IPsec mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
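
The construction discussed in this thread, as an added example that is not part of the original messages: it strips the 4-octet generic payload header from the responder's Nonce payload and builds InitiatorSignedOctets from the remaining data. The helper names, the sample values and the choice of HMAC-SHA-256 as the negotiated prf are assumptions.

```python
import hashlib
import hmac
import struct

# Generic payload header: Next Payload (1) | C + RESERVED (1) | Payload Length (2)
GENERIC_HDR_LEN = 4


def payload_data(payload: bytes) -> bytes:
    """Return a payload's content with the generic payload header removed."""
    if len(payload) < GENERIC_HDR_LEN:
        raise ValueError("truncated payload header")
    (length,) = struct.unpack("!H", payload[2:4])
    if length < GENERIC_HDR_LEN or length != len(payload):
        raise ValueError("Payload Length does not match the buffer")
    return payload[GENERIC_HDR_LEN:]


def initiator_signed_octets(real_message1: bytes, nonce_r_payload: bytes,
                            init_id_payload: bytes, sk_pi: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI"""
    nonce_r_data = payload_data(nonce_r_payload)      # header is NOT signed
    rest_of_init_id = payload_data(init_id_payload)   # IDType | RESERVED | InitIDData
    # Assumption: the negotiated prf is HMAC-SHA-256.
    maced_id_for_i = hmac.new(sk_pi, rest_of_init_id, hashlib.sha256).digest()
    return real_message1 + nonce_r_data + maced_id_for_i


def make_payload(next_payload: int, data: bytes) -> bytes:
    """Hypothetical helper: prepend a generic payload header to data."""
    header = struct.pack("!BBH", next_payload, 0, GENERIC_HDR_LEN + len(data))
    return header + data


# Constructed sample values, not taken from any real exchange.
REAL_MESSAGE1 = bytes(28) + b"constructed-IKE_SA_INIT-request"
NONCE_R_DATA = bytes(range(32))
NONCE_R_PAYLOAD = make_payload(0, NONCE_R_DATA)
INIT_ID_PAYLOAD = make_payload(39, bytes([2, 0, 0, 0]) + b"initiator.example")
SK_PI = bytes([0xA5]) * 32

SIGNED = initiator_signed_octets(REAL_MESSAGE1, NONCE_R_PAYLOAD,
                                 INIT_ID_PAYLOAD, SK_PI)
```

A different responder nonce yields different signed octets, which is how the initiator's signature becomes bound to the responder's nonce.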
