On Wed, Feb 27, 2019 at 01:08:44PM +0100, Tobias Heider wrote:
> Hi,
> 
> I went through the code and man pages and updated obsolete RFC
> references according to [iana].
> 
> The remaining mentions of RFC4306 are deprecated and listed as RESERVED
> in the current registry, should they be removed from ikev2.h?
> 
> Tobias
> 
> [iana] 
> https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-10

The only issue I see with this is if RFC7296 includes requirements that 
RFC 5996 doesn't have and iked has not implemented them.
Looking at RFC7296 section 1.8, this is not the case, so OK claudio@
 
> Index: ca.c
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ca.c,v
> retrieving revision 1.46
> diff -u -p -u -r1.46 ca.c
> --- ca.c      30 Oct 2017 09:53:27 -0000      1.46
> +++ ca.c      27 Feb 2019 10:58:22 -0000
> @@ -808,7 +808,7 @@ ca_subjectpubkey_digest(X509 *x509, uint
>        * Generate a SHA-1 digest of the Subject Public Key Info
>        * element in the X.509 certificate, an ASN.1 sequence
>        * that includes the public key type (eg. RSA) and the
> -      * public key value (see 3.7 of RFC4306).
> +      * public key value (see 3.7 of RFC7296).
>        */
>       if ((pkey = X509_get_pubkey(x509)) == NULL)
>               return (-1);
> Index: iked.8
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.8,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 iked.8
> --- iked.8    3 Jul 2018 13:37:11 -0000       1.21
> +++ iked.8    27 Feb 2019 10:27:19 -0000
> @@ -31,7 +31,7 @@ is an Internet Key Exchange (IKEv2) daem
>  authentication and which establishes and maintains IPsec flows and
>  security associations (SAs) between the two peers.
>  .Pp
> -The IKEv2 protocol is defined in RFC 5996,
> +The IKEv2 protocol is defined in RFC 7296,
>  which combines and updates the previous standards:
>  ISAKMP/Oakley (RFC 2408),
>  IKE (RFC 2409),
> @@ -187,8 +187,9 @@ control socket.
>  .%A P. Hoffman
>  .%A Y. Nir
>  .%A P. Eronen
> -.%D September 2010
> -.%R RFC 5996
> +.%A T. Kivinen
> +.%D October 2014
> +.%R RFC 7296
>  .%T Internet Key Exchange Protocol Version 2 (IKEv2)
>  .Re
>  .Sh HISTORY
> Index: ikev2.c
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
> retrieving revision 1.167
> diff -u -p -u -r1.167 ikev2.c
> --- ikev2.c   26 Feb 2019 18:05:22 -0000      1.167
> +++ ikev2.c   27 Feb 2019 10:32:36 -0000
> @@ -4585,7 +4585,7 @@ ikev2_sa_keys(struct iked *env, struct i
>        *  (Ni | Nr) is used as a PRF key, otherwise a "key" buffer
>        *  is used and PRF is performed on the concatenation of DH
>        *  exchange result and nonces (g^ir | Ni | Nr).  See sections
> -      *  2.14 and 2.18 of RFC5996 for more information.
> +      *  2.14 and 2.18 of RFC7296 for more information.
>        */
>  
>       /*
> Index: ikev2.h
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.h,v
> retrieving revision 1.27
> diff -u -p -u -r1.27 ikev2.h
> --- ikev2.h   3 Dec 2017 21:02:44 -0000       1.27
> +++ ikev2.h   27 Feb 2019 11:56:13 -0000
> @@ -184,7 +184,7 @@ extern struct iked_constmap ikev2_xformt
>  
>  extern struct iked_constmap ikev2_xformencr_map[];
>  
> -#define IKEV2_IPCOMP_OUI             1       /* RFC5996 */
> +#define IKEV2_IPCOMP_OUI             1       /* UNSPECIFIED */
>  #define IKEV2_IPCOMP_DEFLATE         2       /* RFC2394 */
>  #define IKEV2_IPCOMP_LZS             3       /* RFC2395 */
>  #define IKEV2_IPCOMP_LZJH            4       /* RFC3051 */
> @@ -283,38 +283,38 @@ struct ikev2_notify {
>       /* Followed by variable length notification data */
>  } __packed;
>  
> -#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1       /* RFC4306 */
> -#define IKEV2_N_INVALID_IKE_SPI                      4       /* RFC4306 */
> -#define IKEV2_N_INVALID_MAJOR_VERSION                5       /* RFC4306 */
> -#define IKEV2_N_INVALID_SYNTAX                       7       /* RFC4306 */
> -#define IKEV2_N_INVALID_MESSAGE_ID           9       /* RFC4306 */
> -#define IKEV2_N_INVALID_SPI                  11      /* RFC4306 */
> -#define IKEV2_N_NO_PROPOSAL_CHOSEN           14      /* RFC4306 */
> -#define IKEV2_N_INVALID_KE_PAYLOAD           17      /* RFC4306 */
> -#define IKEV2_N_AUTHENTICATION_FAILED                24      /* RFC4306 */
> -#define IKEV2_N_SINGLE_PAIR_REQUIRED         34      /* RFC4306 */
> -#define IKEV2_N_NO_ADDITIONAL_SAS            35      /* RFC4306 */
> -#define IKEV2_N_INTERNAL_ADDRESS_FAILURE     36      /* RFC4306 */
> -#define IKEV2_N_FAILED_CP_REQUIRED           37      /* RFC4306 */
> -#define IKEV2_N_TS_UNACCEPTABLE                      38      /* RFC4306 */
> -#define IKEV2_N_INVALID_SELECTORS            39      /* RFC4306 */
> +#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1       /* RFC7296 */
> +#define IKEV2_N_INVALID_IKE_SPI                      4       /* RFC7296 */
> +#define IKEV2_N_INVALID_MAJOR_VERSION                5       /* RFC7296 */
> +#define IKEV2_N_INVALID_SYNTAX                       7       /* RFC7296 */
> +#define IKEV2_N_INVALID_MESSAGE_ID           9       /* RFC7296 */
> +#define IKEV2_N_INVALID_SPI                  11      /* RFC7296 */
> +#define IKEV2_N_NO_PROPOSAL_CHOSEN           14      /* RFC7296 */
> +#define IKEV2_N_INVALID_KE_PAYLOAD           17      /* RFC7296 */
> +#define IKEV2_N_AUTHENTICATION_FAILED                24      /* RFC7296 */
> +#define IKEV2_N_SINGLE_PAIR_REQUIRED         34      /* RFC7296 */
> +#define IKEV2_N_NO_ADDITIONAL_SAS            35      /* RFC7296 */
> +#define IKEV2_N_INTERNAL_ADDRESS_FAILURE     36      /* RFC7296 */
> +#define IKEV2_N_FAILED_CP_REQUIRED           37      /* RFC7296 */
> +#define IKEV2_N_TS_UNACCEPTABLE                      38      /* RFC7296 */
> +#define IKEV2_N_INVALID_SELECTORS            39      /* RFC7296 */
>  #define IKEV2_N_UNACCEPTABLE_ADDRESSES               40      /* RFC4555 */
>  #define IKEV2_N_UNEXPECTED_NAT_DETECTED              41      /* RFC4555 */
>  #define IKEV2_N_USE_ASSIGNED_HoA             42      /* RFC5026 */
> -#define IKEV2_N_TEMPORARY_FAILURE            43      /* RFC5996 */
> -#define IKEV2_N_CHILD_SA_NOT_FOUND           44      /* RFC5996 */
> -#define IKEV2_N_INITIAL_CONTACT                      16384   /* RFC4306 */
> -#define IKEV2_N_SET_WINDOW_SIZE                      16385   /* RFC4306 */
> -#define IKEV2_N_ADDITIONAL_TS_POSSIBLE               16386   /* RFC4306 */
> -#define IKEV2_N_IPCOMP_SUPPORTED             16387   /* RFC4306 */
> -#define IKEV2_N_NAT_DETECTION_SOURCE_IP              16388   /* RFC4306 */
> -#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389   /* RFC4306 */
> -#define IKEV2_N_COOKIE                               16390   /* RFC4306 */
> -#define IKEV2_N_USE_TRANSPORT_MODE           16391   /* RFC4306 */
> -#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED   16392   /* RFC4306 */
> -#define IKEV2_N_REKEY_SA                     16393   /* RFC4306 */
> -#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED        16394   /* RFC4306 */
> -#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO     16395   /* RFC4306 */
> +#define IKEV2_N_TEMPORARY_FAILURE            43      /* RFC7296 */
> +#define IKEV2_N_CHILD_SA_NOT_FOUND           44      /* RFC7296 */
> +#define IKEV2_N_INITIAL_CONTACT                      16384   /* RFC7296 */
> +#define IKEV2_N_SET_WINDOW_SIZE                      16385   /* RFC7296 */
> +#define IKEV2_N_ADDITIONAL_TS_POSSIBLE               16386   /* RFC7296 */
> +#define IKEV2_N_IPCOMP_SUPPORTED             16387   /* RFC7296 */
> +#define IKEV2_N_NAT_DETECTION_SOURCE_IP              16388   /* RFC7296 */
> +#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389   /* RFC7296 */
> +#define IKEV2_N_COOKIE                               16390   /* RFC7296 */
> +#define IKEV2_N_USE_TRANSPORT_MODE           16391   /* RFC7296 */
> +#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED   16392   /* RFC7296 */
> +#define IKEV2_N_REKEY_SA                     16393   /* RFC7296 */
> +#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED        16394   /* RFC7296 */
> +#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO     16395   /* RFC7296 */
>  #define IKEV2_N_MOBIKE_SUPPORTED             16396   /* RFC4555 */
>  #define IKEV2_N_ADDITIONAL_IP4_ADDRESS               16397   /* RFC4555 */
>  #define IKEV2_N_ADDITIONAL_IP6_ADDRESS               16398   /* RFC4555 */
> @@ -334,8 +334,8 @@ struct ikev2_notify {
>  #define IKEV2_N_TICKET_NACK                  16412   /* RFC5723 */
>  #define IKEV2_N_TICKET_OPAQUE                        16413   /* RFC5723 */
>  #define IKEV2_N_LINK_ID                              16414   /* RFC5739 */
> -#define IKEV2_N_USE_WESP_MODE                        16415   /* 
> RFC-ietf-ipsecme-traffic-visibility-12.txt */
> -#define IKEV2_N_ROHC_SUPPORTED                       16416   /* 
> RFC-ietf-rohc-ikev2-extensions-hcoipsec-12.txt */
> +#define IKEV2_N_USE_WESP_MODE                        16415   /* RFC5415 */
> +#define IKEV2_N_ROHC_SUPPORTED                       16416   /* RFC5857 */
>  #define IKEV2_N_EAP_ONLY_AUTHENTICATION              16417   /* RFC5998 */
>  #define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED    16418   /* RFC6023 */
>  #define IKEV2_N_QUICK_CRASH_DETECTION                16419   /* RFC6290 */
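Review bot: The new reference on the USE_WESP_MODE line, `/* RFC5415 */`, does not match the draft it replaces; the removed comment cited draft-ietf-ipsecme-traffic-visibility, which was published as RFC 5840 (Wrapped ESP for traffic visibility), and RFC 5415 is an unrelated document. The neighbouring ROHC line maps its draft to RFC5857 correctly, so this looks like a transposed number rather than a deliberate choice. Suggest `#define IKEV2_N_USE_WESP_MODE 16415 /* RFC5840 */` so the header stays in step with the IANA notify-type registry the commit message cites. The block of notify-type defines continues outside this hunk.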
> @@ -375,13 +375,13 @@ struct ikev2_id {
>  } __packed;
>  
>  #define IKEV2_ID_NONE                0       /* No ID */
> -#define IKEV2_ID_IPV4                1       /* RFC4306 (ID_IPV4_ADDR) */
> -#define IKEV2_ID_FQDN                2       /* RFC4306 */
> -#define IKEV2_ID_UFQDN               3       /* RFC4306 (ID_RFC822_ADDR) */
> -#define IKEV2_ID_IPV6                5       /* RFC4306 (ID_IPV6_ADDR) */
> -#define IKEV2_ID_ASN1_DN     9       /* RFC4306 */
> -#define IKEV2_ID_ASN1_GN     10      /* RFC4306 */
> -#define IKEV2_ID_KEY_ID              11      /* RFC4306 */
> +#define IKEV2_ID_IPV4                1       /* RFC7296 (ID_IPV4_ADDR) */
> +#define IKEV2_ID_FQDN                2       /* RFC7296 */
> +#define IKEV2_ID_UFQDN               3       /* RFC7296 (ID_RFC822_ADDR) */
> +#define IKEV2_ID_IPV6                5       /* RFC7296 (ID_IPV6_ADDR) */
> +#define IKEV2_ID_ASN1_DN     9       /* RFC7296 */
> +#define IKEV2_ID_ASN1_GN     10      /* RFC7296 */
> +#define IKEV2_ID_KEY_ID              11      /* RFC7296 */
>  #define IKEV2_ID_FC_NAME     12      /* RFC4595 */
>  
>  extern struct iked_constmap ikev2_id_map[];
> @@ -396,18 +396,18 @@ struct ikev2_cert {
>  } __packed;
>  
>  #define IKEV2_CERT_NONE                      0       /* None */
> -#define IKEV2_CERT_X509_PKCS7                1       /* RFC4306 */
> -#define IKEV2_CERT_PGP                       2       /* RFC4306 */
> -#define IKEV2_CERT_DNS_SIGNED_KEY    3       /* RFC4306 */
> -#define IKEV2_CERT_X509_CERT         4       /* RFC4306 */
> -#define IKEV2_CERT_KERBEROS_TOKEN    6       /* RFC4306 */
> -#define IKEV2_CERT_CRL                       7       /* RFC4306 */
> -#define IKEV2_CERT_ARL                       8       /* RFC4306 */
> -#define IKEV2_CERT_SPKI                      9       /* RFC4306 */
> -#define IKEV2_CERT_X509_ATTR         10      /* RFC4306 */
> -#define IKEV2_CERT_RSA_KEY           11      /* RFC4306 */
> -#define IKEV2_CERT_HASHURL_X509              12      /* RFC4306 */
> -#define IKEV2_CERT_HASHURL_X509_BUNDLE       13      /* RFC4306 */
> +#define IKEV2_CERT_X509_PKCS7                1       /* UNSPECIFIED */
> +#define IKEV2_CERT_PGP                       2       /* UNSPECIFIED */
> +#define IKEV2_CERT_DNS_SIGNED_KEY    3       /* UNSPECIFIED */
> +#define IKEV2_CERT_X509_CERT         4       /* RFC7296 */
> +#define IKEV2_CERT_KERBEROS_TOKEN    6       /* UNSPECIFIED */
> +#define IKEV2_CERT_CRL                       7       /* RFC7296 */
> +#define IKEV2_CERT_ARL                       8       /* UNSPECIFIED */
> +#define IKEV2_CERT_SPKI                      9       /* UNSPECIFIED */
> +#define IKEV2_CERT_X509_ATTR         10      /* UNSPECIFIED */
> +#define IKEV2_CERT_RSA_KEY           11      /* RFC7296 */
> +#define IKEV2_CERT_HASHURL_X509              12      /* RFC7296 */
> +#define IKEV2_CERT_HASHURL_X509_BUNDLE       13      /* RFC7296 */
>  #define IKEV2_CERT_OCSP                      14      /* RFC4806 */
>  /*
>   * As of November 2014, work was still in progress to add a more generic
> @@ -436,8 +436,8 @@ struct ikev2_ts {
>       uint16_t        ts_endport;             /* End port */
>  } __packed;
>  
> -#define IKEV2_TS_IPV4_ADDR_RANGE     7       /* RFC4306 */
> -#define IKEV2_TS_IPV6_ADDR_RANGE     8       /* RFC4306 */
> +#define IKEV2_TS_IPV4_ADDR_RANGE     7       /* RFC7296 */
> +#define IKEV2_TS_IPV6_ADDR_RANGE     8       /* RFC7296 */
>  #define IKEV2_TS_FC_ADDR_RANGE               9       /* RFC4595 */
>  
>  extern struct iked_constmap ikev2_ts_map[];
> @@ -453,9 +453,9 @@ struct ikev2_auth {
>  } __packed;
>  
>  #define IKEV2_AUTH_NONE                      0       /* None */
> -#define IKEV2_AUTH_RSA_SIG           1       /* RFC4306 */
> -#define IKEV2_AUTH_SHARED_KEY_MIC    2       /* RFC4306 */
> -#define IKEV2_AUTH_DSS_SIG           3       /* RFC4306 */
> +#define IKEV2_AUTH_RSA_SIG           1       /* RFC7296 */
> +#define IKEV2_AUTH_SHARED_KEY_MIC    2       /* RFC7296 */
> +#define IKEV2_AUTH_DSS_SIG           3       /* RFC7296 */
>  #define IKEV2_AUTH_ECDSA_256         9       /* RFC4754 */
>  #define IKEV2_AUTH_ECDSA_384         10      /* RFC4754 */
>  #define IKEV2_AUTH_ECDSA_521         11      /* RFC4754 */
> @@ -504,20 +504,20 @@ struct ikev2_cfg {
>       /* Followed by variable-length data */
>  } __packed;
>  
> -#define IKEV2_CFG_INTERNAL_IP4_ADDRESS               1       /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_NETMASK               2       /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_DNS           3       /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_NBNS          4       /* RFC5996 */
> +#define IKEV2_CFG_INTERNAL_IP4_ADDRESS               1       /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_NETMASK               2       /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_DNS           3       /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_NBNS          4       /* RFC7296 */
>  #define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY    5       /* RFC4306 */
> -#define IKEV2_CFG_INTERNAL_IP4_DHCP          6       /* RFC5996 */
> -#define IKEV2_CFG_APPLICATION_VERSION                7       /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP6_ADDRESS               8       /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP6_DNS           10      /* RFC5996 */
> +#define IKEV2_CFG_INTERNAL_IP4_DHCP          6       /* RFC7296 */
> +#define IKEV2_CFG_APPLICATION_VERSION                7       /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP6_ADDRESS               8       /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP6_DNS           10      /* RFC7296 */
>  #define IKEV2_CFG_INTERNAL_IP6_NBNS          11      /* RFC4306 */
> -#define IKEV2_CFG_INTERNAL_IP6_DHCP          12      /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP4_SUBNET                13      /* RFC5996 */
> -#define IKEV2_CFG_SUPPORTED_ATTRIBUTES               14      /* RFC5996 */
> -#define IKEV2_CFG_INTERNAL_IP6_SUBNET                15      /* RFC5996 */
> +#define IKEV2_CFG_INTERNAL_IP6_DHCP          12      /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP4_SUBNET                13      /* RFC7296 */
> +#define IKEV2_CFG_SUPPORTED_ATTRIBUTES               14      /* RFC7296 */
> +#define IKEV2_CFG_INTERNAL_IP6_SUBNET                15      /* RFC7296 */
>  #define IKEV2_CFG_MIP6_HOME_PREFIX           16      /* RFC5026 */
>  #define IKEV2_CFG_INTERNAL_IP6_LINK          17      /* RFC5739 */
>  #define IKEV2_CFG_INTERNAL_IP6_PREFIX                18      /* RFC5739 */
> 

-- 
:wq Claudio
