RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 7 records.

Status: Verified (2)

RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005

Source of RFC: ipsec (sec)

Errata ID: 133

Status: Verified
Type: Technical

Reported By: Vishwas Manral
Date Reported: 2006-01-12

Section 3.3.4 says:

   NOTE: For IPv6 -- For bump-in-the-stack and bump-in-the-wire
   implementations, it will be necessary to examine all the extension
   headers to determine if there is a fragmentation header and hence
   that the packet needs reassembling prior to IPsec processing.

It should say:

   NOTE: For IPv6 -- For bump-in-the-stack and bump-in-the-wire
   implementations, it will be necessary to examine all the extension
   headers to determine if there is a fragmentation header, and either
   the More flag or the Fragment Offset is non-zero. If so that packet
   needs reassembling prior to IPsec processing.

Errata ID: 1654

Status: Verified
Type: Technical

Reported By: Nikolai Malykh
Date Reported: 2009-01-16
Verifier Name: Pasi Eronen
Date Verified: 2009-06-18

Section 3.4.4.1 says:

Implementation Note:

            Implementations can use any set of steps that results in the
            same result as the following set of steps.  Begin by
            removing and saving the ICV field.  Next check the overall
            length of the ESP packet minus the ICV field.  If implicit
            padding is required, based on the block size of the
            integrity algorithm, append zero-filled bytes to the end of
            the ESP packet directly after the Next Header field, or
            after the high-order 32 bits of the sequence number if ESN
            is selected.  Perform the ICV computation and compare the
            result with the saved value, using the comparison rules
            defined by the algorithm specification.

It should say:

Implementation Note:

            Implementations can use any set of steps that results in the
            same result as the following set of steps.  Begin by
            removing and saving the ICV field.  Next check the overall
            length of the ESP packet minus the ICV field.  If implicit
            padding is required, based on the block size of the
            integrity algorithm, append padding bytes (according integrity 
            algorithm specification, see Section 3.3.2.1) to the end of
            the ESP packet directly after the Next Header field, or
            after the high-order 32 bits of the sequence number if ESN
            is selected.  Perform the ICV computation and compare the
            result with the saved value, using the comparison rules
            defined by the algorithm specification.

Notes:

(confirmed by Stephen Kent)

Status: Reported (2)

RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005

Source of RFC: ipsec (sec)

Errata ID: 4798

Status: Reported
Type: Editorial

Reported By: Antonios Atlasis
Date Reported: 2016-09-09

Section 2 says:

         * If tunnel mode is being used, then the IPsec implementation
           can add Traffic Flow Confidentiality (TFC) padding (see
           Section 2.4)  after the Payload Data and before the Padding
           (0-255 bytes) field.

It should say:

         * If tunnel mode is being used, then the IPsec implementation
           can add Traffic Flow Confidentiality (TFC) padding (see
           Section 2.7)  after the Payload Data and before the Padding
           (0-255 bytes) field.

Notes:

Section 2.4 refers to padding for Encryption. It is section 2.7 which refers to Traffic Flow Confidentiality (TFC) Padding

Errata ID: 4799

Status: Reported
Type: Editorial

Reported By: Antonios Atlasis
Date Reported: 2016-09-09

Section 2.6 says:

   To facilitate the rapid generation and discarding of the padding
   traffic in support of traffic flow confidentiality (see Section 2.4),
   the protocol value 59 (which means "no next header") MUST be used to
   designate a "dummy" packet.

It should say:

   To facilitate the rapid generation and discarding of the padding
   traffic in support of traffic flow confidentiality (see Section 2.7),
   the protocol value 59 (which means "no next header") MUST be used to
   designate a "dummy" packet.

Notes:

Section 2.4 refers to padding for Encryption. It is section 2.7 which refers to Traffic Flow Confidentiality (TFC) Padding.

Status: Held for Document Update (3)

RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005

Source of RFC: ipsec (sec)

Errata ID: 3876

Status: Held for Document Update
Type: Technical

Reported By: Yaron Sheffer
Date Reported: 2014-01-31
Held for Document Update by: Stephen Farrell
Date Held: 2014-05-08

Section Introduction says:

Using encryption-only for confidentiality is allowed by ESP. However, it
should be noted that in general, this will provide defense only against
passive attackers.  Using encryption without a strong integrity
mechanism on top of it (either in ESP or separately via AH) may render
the confidentiality service insecure against some forms of active
attacks [Bel96, Kra01].  Moreover, an underlying integrity service, such
as AH, applied before encryption does not necessarily protect the
encryption-only confidentiality against active attackers [Kra01]. ESP
allows encryption-only SAs because this may offer considerably better
performance and still provide adequate security, e.g., when higher-layer
authentication/integrity protection is offered independently. However,
this standard does not require ESP implementations to offer an
encryption-only service.

It should say:

Using encryption-only for confidentiality is allowed by ESP.
However, it should be noted that in general, this will provide defense
only against passive attackers.  Using encryption without a strong
integrity mechanism on top of it (either in ESP or separately via AH)
may render the confidentiality service insecure against some forms of
active attacks [Bel96, Kra01, DP07].  Moreover, applying AH
before encryption does not protect the encryption-only
confidentiality against active attackers [DP10]. ESP
allows encryption-only SAs primarily for compatibility with older
implementations, and because this may offer better performance.
It is noted (and has been demonstrated, e.g. in [DP07]) that
ESP in this mode does not provide adequate security even when
higher-layer authentication/integrity protection is offered
independently. This standard does not require ESP implementations to
offer an encryption-only service.

[DP07] Jean Paul Degabriele and Kenneth G. Paterson, Attacking the
IPsec Standards in Encryption-only Configurations, IACR 2007/125.

[DP10] Jean Paul Degabriele and Kenneth G. Paterson: On the
(in)security of IPsec in MAC-then-encrypt configurations.
ACM Conference on Computer and Communications Security 2010:
493-504. 

Notes:

The existing text asserts that ESP in encryption-only mode can in some cases provide "adequate security", even though the sense of the paragraph is in general against it. A series of papers published subsequently to the RFC demonstrate that this assertion is incorrect: active attackers can defeat the confidentiality guarantees, and such attacks are practical.

Errata ID: 721

Status: Held for Document Update
Type: Editorial

Reported By: Alfred Hoenes
Date Reported: 2006-03-01
Held for Document Update by: Pasi Eronen
Date Held: 2010-03-11

 

(1)

Section 2.1 of RFC 4303 re-states a lot of material from the
IPsec Architecture document, RFC 4301, without being able to
present all the details.  SPI selection has become a quite
complicated procedure with subtle details, which all can be
found in RFC 4301.

IMHO, it would have been very much preferrable to replace most
of the text in section 2.1 by a short referral to RFC 4301.
Any replication of specification entails the danger of
inconsistencies and raises the question of "truth weight"
for the concurring specifications; it is better to avoid
such "races" from the beginning.

This same issue applies to section 2.4 of RFC 2402. (By accident,
I have forgotten to mention it in my comments on that document.)

More concretely, I would have preferred the replacement of the
second up to the second-to-last paragraph of section 2.1 of RFC 4303,
on pages 10/11,

  For a unicast SA, the SPI can be used by itself to specify an SA, or
  it may be used in conjunction with the IPsec protocol type (in this
  ...

  ...
  ...
  ...

  ...
  multicast address, and source address.  An Any-Source Multicast group
  SA requires only an SPI and a destination multicast address as an
  identifier.

by a short note, e.g.

  All implementations of ESP MUST support the Security Association
  Database (SAD) as specified in the IPsec Archtecture document
  [Ken-Arch] and the SA lookup procedures for unicast traffic
  specified therein.  ESP implementations SHOULD support extensions
  to the SAD and the SA lookup procedures specified in documents
  amending [Ken-Arch], e.g. for multicast traffic or mobility support,
  if they intend to provide ESP support for such scenarios.

A similar change would be applicable to RFC 4302, section 2.4,
pages 6/7.


(2)

In section 3.4.3, on the lower half of page 29, RFC 4303 says:

                                                    [...].  In either
   case, if the integrity check fails, the receiver MUST discard the
   received IP datagram as invalid; this is an auditable event.  The
   audit log entry for this event SHOULD include the SPI value,
   [...]

Because the audit log details are in a separate sentence, the logical
hierarchy implied by using one semicolon and one full stop is brocken.
It would have been better to say:
                                                    [...].  In either
   case, if the integrity check fails, the receiver MUST discard the
|  received IP datagram as invalid.  This is an auditable event.  The
   audit log entry for this event SHOULD include the SPI value,
   [...]

Similar punctuation already is used in many places of the RFC.


(3)

As mentioned in section 7, section 3.4 has been reorganized from
RFC 2406.
During that process, the perhaps most important part of ESP inbound
packet processing has disappeared from the section headlines:
decryption !

To cover what's inside, and to make that locatable in the ToC,
perhaps the section headline,

 3.4.4.  Integrity Check Value Verification

on page 30, and in the ToC, should be modified to read:

 3.4.4.  Integrity Check Value Verification and Payload Decryption

I would like to recommend that you submit an RFC Errata Note to
catch this issue.


(4)

In section 3.4.4.2, the same issue as (2) above also applies to
the item numbered "2." on page 32.


(5)  References

RFC 4306 repeatedly refers to its predecessor, RFC 2406, but it omits
giving a formal (Informative) Reference to that document in Section
10.2 on page 37.

Perhaps it would also have been worth noting that a *full* version
of the research paper [Kra01] can be found on IACR ePrint, document
2001/040.


(6)  Appendix A

As mentioned in my comments on RFC 4302, this appendix is the more
complete and hence preferrable text compared to App. B of RFC 4302.
There is one exception:
The formatting of tha last part of A2.1 ia less pleasant.
To enhance readability, it is always preferrable not to break
simple expressions apart by line breaks, whenever possible.  In
this case, simple relational expressions are broken into 2 lines.

RFC 4303, on page 40, says:

   In checking for replayed packets,

      + Under Case A: If Seql >= Bl (where Bl = Tl - W + 1) AND Seql <=
        Tl, then check the corresponding bit in the window to see if
        this Seql has already been seen.  If yes, reject the packet.  If
        no, perform integrity check (see Appendix A2.2. below for
        determination of Seqh).

      + Under Case B: If Seql >= Bl (where Bl = Tl - W + 1) OR Seql <=
        Tl, then check the corresponding bit in the window to see if
        this Seql has already been seen.  If yes, reject the packet.  If
        no, perform integrity check (see Appendix A2.2. below for
        determination of Seqh).

The formatting in RFC 4302 of the same text (with the already
mentioned typo there corrected, and the Appendix name adapted),
is better:

   In checking for replayed packets,

      + Under Case A: If Seql >= Bl (where Bl = Tl - W + 1) AND
        Seql <= Tl, then check the corresponding bit in the window to
        see if this Seql has already been seen.  If yes, reject the
        packet.  If no, perform integrity check (see Appendix A2.2
        below for determination of Seqh).

      + Under Case B: If Seql >= Bl (where Bl = Tl - W + 1) OR
        Seql <= Tl, then check the corresponding bit in the window to
        see if this Seql has already been seen.  If yes, reject the
        packet.  If no, perform integrity check (see Appendix A2.2
        below for determination of Seqh).

But I would even have preferred this formatting:

   In checking for replayed packets,

      + Under Case A:
        If Seql >= Bl (where Bl = Tl - W + 1) AND Seql <= Tl,
        then check the corresponding bit in the window to see if this
        Seql has already been seen.  If yes, reject the packet.
        If no, perform integrity check (see Appendix A2.2 below for
        determination of Seqh).

      + Under Case B:
        If Seql >= Bl (where Bl = Tl - W + 1) OR Seql <= Tl,
        then check the corresponding bit in the window to see if this
        Seql has already been seen.  If yes, reject the packet.
        If no, perform integrity check (see Appendix A2.2 below for
        determination of Seqh).

It should say:

[see above]

Notes:

from pending

Errata ID: 859

Status: Held for Document Update
Type: Editorial

Reported By: Alfred Hoenes
Date Reported: 2006-03-01
Held for Document Update by: Pasi Eronen

 

The 'version numbering' issue (as reported as item (6) for RFC 4302)

I would have appreciated the introduction of an explicit version
numbering for ESP, e.g. rename:
      ESP as per RFC 1827  to  ESPv1,
      ESP as per RFC 2406  to  ESPv2  or  ESPv2.0,   and
      ESP as per RFC 4303  to  ESPv3  or  ESPv2.1
(or similar).

This would make it easier to specify / identify versions and/or
version specific behaviour in implementations, without having
to refer to the RFC numbers explicitely. (Similar numbering has
proven very useful with protocols like BGP, SNMP, IMAP, POP, etc.)

Notes:

from pending

Report New Errata