RFC Errata
RFC 4301, "Security Architecture for the Internet Protocol", December 2005
Note: This RFC has been updated by RFC 6040, RFC 7619
Source of RFC: ipsec (sec)
Errata ID: 4709
Status: Rejected
Type: Editorial
Publication Format(s) : TEXT
Reported By: Phillip H. Griffin
Date Reported: 2016-06-14
Date Rejected: 2023-08-02
Section Appendix C says:
In the ASN.1 module for this RFC, the following errors prevented syntax checking and compilation for programming language code generation: 1. Changed "DEFINITIONS IMPLICIT TAGS = BEGIN" to "DEFINITIONS IMPLICIT TAGS ::= BEGIN" 2. Changed "SPD = SEQUENCE OF SPDEntry" to "SPD ::= SEQUENCE OF SPDEntry" 3. Changed "parameters ANY -- DEFINED BY algorithm } -- defined outside" to "parameters ANY } -- defined outside" 4. Changed "SPDEntry = CHOICE" to "SPDEntry := CHOICE" 5. Changed "IPsecEntry = SEQUENCE" to "IPsecEntry ::= SEQUENCE" 6. Changed "BypassOrDiscardEntry = SEQUENCE" to "BypassOrDiscardEntry ::= SEQUENCE" 7. Changed "InOutBound = CHOICE" to "InOutBound ::= CHOICE" 8. Changed "iso(1) org (3) dod (6)" to "iso(1) identified-organization (3) dod (6)" A correct ASN.1 module follows in the "Corrected Text" field.
It should say:
SPDModule { iso(1) identified-organization (3) dod (6) internet (1) security (5) mechanisms (5) ipsec (8) asn1-modules (3) spd-module (1) } DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS RDNSequence FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }; -- An SPD is a list of policies in decreasing order of preference SPD ::= SEQUENCE OF SPDEntry SPDEntry ::= CHOICE { iPsecEntry IPsecEntry, -- PROTECT traffic bypassOrDiscard [0] BypassOrDiscardEntry } -- DISCARDBYPASS IPsecEntry ::= SEQUENCE { -- Each entry consists of name NameSets OPTIONAL, pFPs PacketFlags, -- Populate from packet flags -- Applies to ALL of the corresponding -- traffic selectors in the SelectorLists condition SelectorLists, -- Policy condition processing Processing -- Policy action } BypassOrDiscardEntry ::= SEQUENCE { bypass BOOLEAN, -- TRUE BYPASS, FALSE DISCARD condition InOutBound } InOutBound ::= CHOICE { outbound [0] SelectorLists, inbound [1] SelectorLists, bothways [2] BothWays } BothWays ::= SEQUENCE { inbound SelectorLists, outbound SelectorLists } NameSets ::= SEQUENCE { passed SET OF Names-R, -- Matched to IKE ID by -- responder local SET OF Names-I } -- Used internally by IKE -- initiator Names-R ::= CHOICE { -- IKEv2 IDs dName RDNSequence, -- ID_DER_ASN1_DN fqdn FQDN, -- ID_FQDN rfc822 [0] RFC822Name, -- ID_RFC822_ADDR keyID OCTET STRING } -- KEY_ID Names-I ::= OCTET STRING -- Used internally by IKE -- initiator FQDN ::= IA5String RFC822Name ::= IA5String PacketFlags ::= BIT STRING { -- if set, take selector value from packet -- establishing SA -- else use value in SPD entry localAddr (0), remoteAddr (1), protocol (2), localPort (3), remotePort (4) } SelectorLists ::= SET OF SelectorList SelectorList ::= SEQUENCE { localAddr AddrList, remoteAddr AddrList, protocol ProtocolChoice } Processing ::= SEQUENCE { extSeqNum BOOLEAN, -- TRUE 64 bit counter, FALSE 32 bit seqOverflow BOOLEAN, -- TRUE rekey, FALSE terminate & audit fragCheck BOOLEAN, -- TRUE stateful fragment checking, -- FALSE no stateful fragment checking lifetime SALifetime, spi ManualSPI, algorithms ProcessingAlgs, tunnel TunnelOptions OPTIONAL } -- if absent, use -- transport mode SALifetime ::= SEQUENCE { seconds [0] INTEGER OPTIONAL, bytes [1] INTEGER OPTIONAL } ManualSPI ::= SEQUENCE { spi INTEGER, keys KeyIDs } KeyIDs ::= SEQUENCE OF OCTET STRING ProcessingAlgs ::= CHOICE { ah [0] IntegrityAlgs, -- AH esp [1] ESPAlgs} -- ESP ESPAlgs ::= CHOICE { integrity [0] IntegrityAlgs, -- integrity only confidentiality [1] ConfidentialityAlgs, -- confidentiality -- only both [2] IntegrityConfidentialityAlgs, combined [3] CombinedModeAlgs } IntegrityConfidentialityAlgs ::= SEQUENCE { integrity IntegrityAlgs, confidentiality ConfidentialityAlgs } -- Integrity Algorithms, ordered by decreasing preference IntegrityAlgs ::= SEQUENCE OF IntegrityAlg -- Confidentiality Algorithms, ordered by decreasing preference ConfidentialityAlgs ::= SEQUENCE OF ConfidentialityAlg -- Integrity Algorithms IntegrityAlg ::= SEQUENCE { algorithm IntegrityAlgType, parameters ANY -- DEFINED BY algorithm -- OPTIONAL } IntegrityAlgType ::= INTEGER { none (0), auth-HMAC-MD5-96 (1), auth-HMAC-SHA1-96 (2), auth-DES-MAC (3), auth-KPDK-MD5 (4), auth-AES-XCBC-96 (5) -- tbd (6..65535) } -- Confidentiality Algorithms ConfidentialityAlg ::= SEQUENCE { algorithm ConfidentialityAlgType, parameters ANY -- DEFINED BY algorithm -- OPTIONAL } ConfidentialityAlgType ::= INTEGER { encr-DES-IV64 (1), encr-DES (2), encr-3DES (3), encr-RC5 (4), encr-IDEA (5), encr-CAST (6), encr-BLOWFISH (7), encr-3IDEA (8), encr-DES-IV32 (9), encr-RC4 (10), encr-NULL (11), encr-AES-CBC (12), encr-AES-CTR (13) -- tbd (14..65535) } CombinedModeAlgs ::= SEQUENCE OF CombinedModeAlg CombinedModeAlg ::= SEQUENCE { algorithm CombinedModeType, parameters ANY } -- defined outside -- of this document for AES modes. CombinedModeType ::= INTEGER { comb-AES-CCM (1), comb-AES-GCM (2) -- tbd (3..65535) } TunnelOptions ::= SEQUENCE { dscp DSCP, ecn BOOLEAN, -- TRUE Copy CE to inner header df DF, addresses TunnelAddresses } TunnelAddresses ::= CHOICE { ipv4 IPv4Pair, ipv6 [0] IPv6Pair } IPv4Pair ::= SEQUENCE { local OCTET STRING (SIZE(4)), remote OCTET STRING (SIZE(4)) } IPv6Pair ::= SEQUENCE { local OCTET STRING (SIZE(16)), remote OCTET STRING (SIZE(16)) } DSCP ::= SEQUENCE { copy BOOLEAN, -- TRUE copy from inner header -- FALSE do not copy mapping OCTET STRING OPTIONAL} -- points to table -- if no copy DF ::= INTEGER { clear (0), set (1), copy (2) } ProtocolChoice::= CHOICE { anyProt AnyProtocol, -- for ANY protocol noNext [0] NoNextLayerProtocol, -- has no next layer -- items oneNext [1] OneNextLayerProtocol, -- has one next layer -- item twoNext [2] TwoNextLayerProtocol, -- has two next layer -- items fragment FragmentNoNext } -- has no next layer -- info AnyProtocol ::= SEQUENCE { id INTEGER (0), -- ANY protocol nextLayer AnyNextLayers } AnyNextLayers ::= SEQUENCE { -- with either first AnyNextLayer, -- ANY next layer selector second AnyNextLayer } -- ANY next layer selector NoNextLayerProtocol ::= INTEGER (2..254) FragmentNoNext ::= INTEGER (44) -- Fragment identifier OneNextLayerProtocol ::= SEQUENCE { id INTEGER (1..254), -- ICMP, MH, ICMPv6 nextLayer NextLayerChoice } -- ICMP Type*256+Code -- MH Type*256 TwoNextLayerProtocol ::= SEQUENCE { id INTEGER (2..254), -- Protocol local NextLayerChoice, -- Local and remote NextLayerChoice } -- Remote ports NextLayerChoice ::= CHOICE { any AnyNextLayer, opaque [0] OpaqueNextLayer, range [1] NextLayerRange } -- Representation of ANY in next layer field AnyNextLayer ::= SEQUENCE { start INTEGER (0), end INTEGER (65535) } -- Representation of OPAQUE in next layer field. -- Matches IKE convention OpaqueNextLayer ::= SEQUENCE { start INTEGER (65535), end INTEGER (0) } -- Range for a next layer field NextLayerRange ::= SEQUENCE { start INTEGER (0..65535), end INTEGER (0..65535) } -- List of IP addresses AddrList ::= SEQUENCE { v4List IPv4List OPTIONAL, v6List [0] IPv6List OPTIONAL } -- IPv4 address representations IPv4List ::= SEQUENCE OF IPv4Range IPv4Range ::= SEQUENCE { -- close, but not quite right ... ipv4Start OCTET STRING (SIZE (4)), ipv4End OCTET STRING (SIZE (4)) } -- IPv6 address representations IPv6List ::= SEQUENCE OF IPv6Range IPv6Range ::= SEQUENCE { -- close, but not quite right ... ipv6Start OCTET STRING (SIZE (16)), ipv6End OCTET STRING (SIZE (16)) } END
Notes:
Note that I included an ASN.1 module stub to resolve an imported value in the module.
PKIX1Explicit88 {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18)
}
DEFINITIONS EXPLICIT TAGS ::= BEGIN
RDNSequence ::= SEQUENCE {}
END -- PKIX1Explicit88 --
--VERIFIER NOTES--
This is for RFC4301 and tries to fix the ASN.1 in Appendix C.
The proposed changes uses lines which are not part of the
RFC4301, i.e., the "=" -> "::=" that are listed as needed to
be done, are already "::=" in the RFC4301.
The only other proposed changes are to remove
"-- DEFINED BY algorithm" from one location, but it
leaves it in in few other places. It also proposes to change
iso(1) org (3) dod (6)" to "iso(1) identified-organization (3)
dod (6) which might be correct, but is not needed.