Hi, I went through the code and man pages and updated obsolete RFC references according to [iana].
The remaining mentions of RFC4306 are deprecated and listed as RESERVED in the current registry, should they be removed from ikev2.h? Tobias [iana] https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-10 Index: ca.c =================================================================== RCS file: /mount/openbsd/cvs/src/sbin/iked/ca.c,v retrieving revision 1.46 diff -u -p -u -r1.46 ca.c --- ca.c 30 Oct 2017 09:53:27 -0000 1.46 +++ ca.c 27 Feb 2019 10:58:22 -0000 @@ -808,7 +808,7 @@ ca_subjectpubkey_digest(X509 *x509, uint * Generate a SHA-1 digest of the Subject Public Key Info * element in the X.509 certificate, an ASN.1 sequence * that includes the public key type (eg. RSA) and the - * public key value (see 3.7 of RFC4306). + * public key value (see 3.7 of RFC7296). */ if ((pkey = X509_get_pubkey(x509)) == NULL) return (-1); Index: iked.8 =================================================================== RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.8,v retrieving revision 1.21 diff -u -p -u -r1.21 iked.8 --- iked.8 3 Jul 2018 13:37:11 -0000 1.21 +++ iked.8 27 Feb 2019 10:27:19 -0000 @@ -31,7 +31,7 @@ is an Internet Key Exchange (IKEv2) daem authentication and which establishes and maintains IPsec flows and security associations (SAs) between the two peers. .Pp -The IKEv2 protocol is defined in RFC 5996, +The IKEv2 protocol is defined in RFC 7296, which combines and updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), 
@@ -187,8 +187,9 @@ control socket. .%A P. Hoffman .%A Y. Nir .%A P. Eronen -.%D September 2010 -.%R RFC 5996 +.%A T. Kivinen +.%D October 2014 +.%R RFC 7296 .%T Internet Key Exchange Protocol Version 2 (IKEv2) .Re .Sh HISTORY Index: ikev2.c =================================================================== RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v retrieving revision 1.167 diff -u -p -u -r1.167 ikev2.c --- ikev2.c 26 Feb 2019 18:05:22 -0000 1.167 +++ ikev2.c 27 Feb 2019 10:32:36 -0000 @@ -4585,7 +4585,7 @@ ikev2_sa_keys(struct iked *env, struct i * (Ni | Nr) is used as a PRF key, otherwise a "key" buffer * is used and PRF is performed on the concatenation of DH * exchange result and nonces (g^ir | Ni | Nr). See sections - * 2.14 and 2.18 of RFC5996 for more information. + * 2.14 and 2.18 of RFC7296 for more information. */ /* Index: ikev2.h =================================================================== RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.h,v retrieving revision 1.27 diff -u -p -u -r1.27 ikev2.h --- ikev2.h 3 Dec 2017 21:02:44 -0000 1.27 +++ ikev2.h 27 Feb 2019 11:56:13 -0000 @@ -184,7 +184,7 @@ extern struct iked_constmap ikev2_xformt extern struct iked_constmap ikev2_xformencr_map[]; -#define IKEV2_IPCOMP_OUI 1 /* RFC5996 */ +#define IKEV2_IPCOMP_OUI 1 /* UNSPECIFIED */ #define IKEV2_IPCOMP_DEFLATE 2 /* RFC2394 */ #define IKEV2_IPCOMP_LZS 3 /* RFC2395 */ #define IKEV2_IPCOMP_LZJH 4 /* RFC3051 */ 
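Review bot: The `/* UNSPECIFIED */` marker on `IKEV2_IPCOMP_OUI` in the ikev2.h hunk sits in a column that otherwise holds an RFC citation, so it reads as a missing reference. It presumably mirrors the IANA registry's own wording for values that have no defining specification. The same marker is used for several certificate encodings in the `struct ikev2_cert` hunk further down. Something like `/* UNSPECIFIED (IANA registry) */` would tell a maintainer that no format is standardised for the value, which matters when deciding whether a peer-supplied payload of that type can be parsed at all.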
@@ -283,38 +283,38 @@ struct ikev2_notify { /* Followed by variable length notification data */ } __packed; -#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1 /* RFC4306 */ -#define IKEV2_N_INVALID_IKE_SPI 4 /* RFC4306 */ -#define IKEV2_N_INVALID_MAJOR_VERSION 5 /* RFC4306 */ -#define IKEV2_N_INVALID_SYNTAX 7 /* RFC4306 */ -#define IKEV2_N_INVALID_MESSAGE_ID 9 /* RFC4306 */ -#define IKEV2_N_INVALID_SPI 11 /* RFC4306 */ -#define IKEV2_N_NO_PROPOSAL_CHOSEN 14 /* RFC4306 */ -#define IKEV2_N_INVALID_KE_PAYLOAD 17 /* RFC4306 */ -#define IKEV2_N_AUTHENTICATION_FAILED 24 /* RFC4306 */ -#define IKEV2_N_SINGLE_PAIR_REQUIRED 34 /* RFC4306 */ -#define IKEV2_N_NO_ADDITIONAL_SAS 35 /* RFC4306 */ -#define IKEV2_N_INTERNAL_ADDRESS_FAILURE 36 /* RFC4306 */ -#define IKEV2_N_FAILED_CP_REQUIRED 37 /* RFC4306 */ -#define IKEV2_N_TS_UNACCEPTABLE 38 /* RFC4306 */ -#define IKEV2_N_INVALID_SELECTORS 39 /* RFC4306 */ +#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1 /* RFC7296 */ +#define IKEV2_N_INVALID_IKE_SPI 4 /* RFC7296 */ +#define IKEV2_N_INVALID_MAJOR_VERSION 5 /* RFC7296 */ +#define IKEV2_N_INVALID_SYNTAX 7 /* RFC7296 */ +#define IKEV2_N_INVALID_MESSAGE_ID 9 /* RFC7296 */ +#define IKEV2_N_INVALID_SPI 11 /* RFC7296 */ +#define IKEV2_N_NO_PROPOSAL_CHOSEN 14 /* RFC7296 */ +#define IKEV2_N_INVALID_KE_PAYLOAD 17 /* RFC7296 */ +#define IKEV2_N_AUTHENTICATION_FAILED 24 /* RFC7296 */ +#define IKEV2_N_SINGLE_PAIR_REQUIRED 34 /* RFC7296 */ +#define IKEV2_N_NO_ADDITIONAL_SAS 35 /* RFC7296 */ +#define IKEV2_N_INTERNAL_ADDRESS_FAILURE 36 /* RFC7296 */ +#define IKEV2_N_FAILED_CP_REQUIRED 37 /* RFC7296 */ +#define IKEV2_N_TS_UNACCEPTABLE 38 /* RFC7296 */ +#define IKEV2_N_INVALID_SELECTORS 39 /* RFC7296 */ #define IKEV2_N_UNACCEPTABLE_ADDRESSES 40 /* RFC4555 */ #define IKEV2_N_UNEXPECTED_NAT_DETECTED 41 /* RFC4555 */ #define IKEV2_N_USE_ASSIGNED_HoA 42 /* RFC5026 */ -#define IKEV2_N_TEMPORARY_FAILURE 43 /* RFC5996 */ -#define IKEV2_N_CHILD_SA_NOT_FOUND 44 /* RFC5996 */ -#define IKEV2_N_INITIAL_CONTACT 
16384 /* RFC4306 */ -#define IKEV2_N_SET_WINDOW_SIZE 16385 /* RFC4306 */ -#define IKEV2_N_ADDITIONAL_TS_POSSIBLE 16386 /* RFC4306 */ -#define IKEV2_N_IPCOMP_SUPPORTED 16387 /* RFC4306 */ -#define IKEV2_N_NAT_DETECTION_SOURCE_IP 16388 /* RFC4306 */ -#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389 /* RFC4306 */ -#define IKEV2_N_COOKIE 16390 /* RFC4306 */ -#define IKEV2_N_USE_TRANSPORT_MODE 16391 /* RFC4306 */ -#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED 16392 /* RFC4306 */ -#define IKEV2_N_REKEY_SA 16393 /* RFC4306 */ -#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED 16394 /* RFC4306 */ -#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO 16395 /* RFC4306 */ +#define IKEV2_N_TEMPORARY_FAILURE 43 /* RFC7296 */ +#define IKEV2_N_CHILD_SA_NOT_FOUND 44 /* RFC7296 */ +#define IKEV2_N_INITIAL_CONTACT 16384 /* RFC7296 */ +#define IKEV2_N_SET_WINDOW_SIZE 16385 /* RFC7296 */ +#define IKEV2_N_ADDITIONAL_TS_POSSIBLE 16386 /* RFC7296 */ +#define IKEV2_N_IPCOMP_SUPPORTED 16387 /* RFC7296 */ +#define IKEV2_N_NAT_DETECTION_SOURCE_IP 16388 /* RFC7296 */ +#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389 /* RFC7296 */ +#define IKEV2_N_COOKIE 16390 /* RFC7296 */ +#define IKEV2_N_USE_TRANSPORT_MODE 16391 /* RFC7296 */ +#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED 16392 /* RFC7296 */ +#define IKEV2_N_REKEY_SA 16393 /* RFC7296 */ +#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED 16394 /* RFC7296 */ +#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO 16395 /* RFC7296 */ #define IKEV2_N_MOBIKE_SUPPORTED 16396 /* RFC4555 */ #define IKEV2_N_ADDITIONAL_IP4_ADDRESS 16397 /* RFC4555 */ #define IKEV2_N_ADDITIONAL_IP6_ADDRESS 16398 /* RFC4555 */ 
@@ -334,8 +334,8 @@ struct ikev2_notify { #define IKEV2_N_TICKET_NACK 16412 /* RFC5723 */ #define IKEV2_N_TICKET_OPAQUE 16413 /* RFC5723 */ #define IKEV2_N_LINK_ID 16414 /* RFC5739 */ -#define IKEV2_N_USE_WESP_MODE 16415 /* RFC-ietf-ipsecme-traffic-visibility-12.txt */ -#define IKEV2_N_ROHC_SUPPORTED 16416 /* RFC-ietf-rohc-ikev2-extensions-hcoipsec-12.txt */ +#define IKEV2_N_USE_WESP_MODE 16415 /* RFC5415 */ +#define IKEV2_N_ROHC_SUPPORTED 16416 /* RFC5857 */ #define IKEV2_N_EAP_ONLY_AUTHENTICATION 16417 /* RFC5998 */ #define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED 16418 /* RFC6023 */ #define IKEV2_N_QUICK_CRASH_DETECTION 16419 /* RFC6290 */ @@ -375,13 +375,13 @@ struct ikev2_id { } __packed; #define IKEV2_ID_NONE 0 /* No ID */ -#define IKEV2_ID_IPV4 1 /* RFC4306 (ID_IPV4_ADDR) */ -#define IKEV2_ID_FQDN 2 /* RFC4306 */ -#define IKEV2_ID_UFQDN 3 /* RFC4306 (ID_RFC822_ADDR) */ -#define IKEV2_ID_IPV6 5 /* RFC4306 (ID_IPV6_ADDR) */ -#define IKEV2_ID_ASN1_DN 9 /* RFC4306 */ -#define IKEV2_ID_ASN1_GN 10 /* RFC4306 */ -#define IKEV2_ID_KEY_ID 11 /* RFC4306 */ +#define IKEV2_ID_IPV4 1 /* RFC7296 (ID_IPV4_ADDR) */ +#define IKEV2_ID_FQDN 2 /* RFC7296 */ +#define IKEV2_ID_UFQDN 3 /* RFC7296 (ID_RFC822_ADDR) */ +#define IKEV2_ID_IPV6 5 /* RFC7296 (ID_IPV6_ADDR) */ +#define IKEV2_ID_ASN1_DN 9 /* RFC7296 */ +#define IKEV2_ID_ASN1_GN 10 /* RFC7296 */ +#define IKEV2_ID_KEY_ID 11 /* RFC7296 */ #define IKEV2_ID_FC_NAME 12 /* RFC4595 */ extern struct iked_constmap ikev2_id_map[]; 
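Review bot: The new reference on `IKEV2_N_USE_WESP_MODE` in the first hunk here looks wrong. RFC 5415 is the CAPWAP protocol specification, while Wrapped ESP for traffic visibility is RFC 5840, which is also what the IANA notify-type registry cites for 16415. The line should read `#define IKEV2_N_USE_WESP_MODE 16415 /* RFC5840 */`. The RFC5857 reference on `IKEV2_N_ROHC_SUPPORTED` next to it is consistent with the registry.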
@@ -396,18 +396,18 @@ struct ikev2_cert { } __packed; #define IKEV2_CERT_NONE 0 /* None */ -#define IKEV2_CERT_X509_PKCS7 1 /* RFC4306 */ -#define IKEV2_CERT_PGP 2 /* RFC4306 */ -#define IKEV2_CERT_DNS_SIGNED_KEY 3 /* RFC4306 */ -#define IKEV2_CERT_X509_CERT 4 /* RFC4306 */ -#define IKEV2_CERT_KERBEROS_TOKEN 6 /* RFC4306 */ -#define IKEV2_CERT_CRL 7 /* RFC4306 */ -#define IKEV2_CERT_ARL 8 /* RFC4306 */ -#define IKEV2_CERT_SPKI 9 /* RFC4306 */ -#define IKEV2_CERT_X509_ATTR 10 /* RFC4306 */ -#define IKEV2_CERT_RSA_KEY 11 /* RFC4306 */ -#define IKEV2_CERT_HASHURL_X509 12 /* RFC4306 */ -#define IKEV2_CERT_HASHURL_X509_BUNDLE 13 /* RFC4306 */ +#define IKEV2_CERT_X509_PKCS7 1 /* UNSPECIFIED */ +#define IKEV2_CERT_PGP 2 /* UNSPECIFIED */ +#define IKEV2_CERT_DNS_SIGNED_KEY 3 /* UNSPECIFIED */ +#define IKEV2_CERT_X509_CERT 4 /* RFC7296 */ +#define IKEV2_CERT_KERBEROS_TOKEN 6 /* UNSPECIFIED */ +#define IKEV2_CERT_CRL 7 /* RFC7296 */ +#define IKEV2_CERT_ARL 8 /* UNSPECIFIED */ +#define IKEV2_CERT_SPKI 9 /* UNSPECIFIED */ +#define IKEV2_CERT_X509_ATTR 10 /* UNSPECIFIED */ +#define IKEV2_CERT_RSA_KEY 11 /* RFC7296 */ +#define IKEV2_CERT_HASHURL_X509 12 /* RFC7296 */ +#define IKEV2_CERT_HASHURL_X509_BUNDLE 13 /* RFC7296 */ #define IKEV2_CERT_OCSP 14 /* RFC4806 */ /* * As of November 2014, work was still in progress to add a more generic @@ -436,8 +436,8 @@ struct ikev2_ts { uint16_t ts_endport; /* End port */ } __packed; -#define IKEV2_TS_IPV4_ADDR_RANGE 7 /* RFC4306 */ -#define IKEV2_TS_IPV6_ADDR_RANGE 8 /* RFC4306 */ +#define IKEV2_TS_IPV4_ADDR_RANGE 7 /* RFC7296 */ +#define IKEV2_TS_IPV6_ADDR_RANGE 8 /* RFC7296 */ #define IKEV2_TS_FC_ADDR_RANGE 9 /* RFC4595 */ extern struct iked_constmap ikev2_ts_map[]; 
@@ -453,9 +453,9 @@ struct ikev2_auth { } __packed; #define IKEV2_AUTH_NONE 0 /* None */ -#define IKEV2_AUTH_RSA_SIG 1 /* RFC4306 */ -#define IKEV2_AUTH_SHARED_KEY_MIC 2 /* RFC4306 */ -#define IKEV2_AUTH_DSS_SIG 3 /* RFC4306 */ +#define IKEV2_AUTH_RSA_SIG 1 /* RFC7296 */ +#define IKEV2_AUTH_SHARED_KEY_MIC 2 /* RFC7296 */ +#define IKEV2_AUTH_DSS_SIG 3 /* RFC7296 */ #define IKEV2_AUTH_ECDSA_256 9 /* RFC4754 */ #define IKEV2_AUTH_ECDSA_384 10 /* RFC4754 */ #define IKEV2_AUTH_ECDSA_521 11 /* RFC4754 */ 
@@ -504,20 +504,20 @@ struct ikev2_cfg { /* Followed by variable-length data */ } __packed; -#define IKEV2_CFG_INTERNAL_IP4_ADDRESS 1 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP4_NETMASK 2 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP4_DNS 3 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP4_NBNS 4 /* RFC5996 */ +#define IKEV2_CFG_INTERNAL_IP4_ADDRESS 1 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP4_NETMASK 2 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP4_DNS 3 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP4_NBNS 4 /* RFC7296 */ #define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY 5 /* RFC4306 */ -#define IKEV2_CFG_INTERNAL_IP4_DHCP 6 /* RFC5996 */ -#define IKEV2_CFG_APPLICATION_VERSION 7 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP6_ADDRESS 8 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP6_DNS 10 /* RFC5996 */ +#define IKEV2_CFG_INTERNAL_IP4_DHCP 6 /* RFC7296 */ +#define IKEV2_CFG_APPLICATION_VERSION 7 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP6_ADDRESS 8 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP6_DNS 10 /* RFC7296 */ #define IKEV2_CFG_INTERNAL_IP6_NBNS 11 /* RFC4306 */ -#define IKEV2_CFG_INTERNAL_IP6_DHCP 12 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP4_SUBNET 13 /* RFC5996 */ -#define IKEV2_CFG_SUPPORTED_ATTRIBUTES 14 /* RFC5996 */ -#define IKEV2_CFG_INTERNAL_IP6_SUBNET 15 /* RFC5996 */ +#define IKEV2_CFG_INTERNAL_IP6_DHCP 12 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP4_SUBNET 13 /* RFC7296 */ +#define IKEV2_CFG_SUPPORTED_ATTRIBUTES 14 /* RFC7296 */ +#define IKEV2_CFG_INTERNAL_IP6_SUBNET 15 /* RFC7296 */ #define IKEV2_CFG_MIP6_HOME_PREFIX 16 /* RFC5026 */ #define IKEV2_CFG_INTERNAL_IP6_LINK 17 /* RFC5739 */ #define IKEV2_CFG_INTERNAL_IP6_PREFIX 18 /* RFC5739 */
