RFC 7296, "Internet Key Exchange Protocol Version 2 (IKEv2)", October 2014Source of RFC: ipsecme (sec)
Errata ID: 5056
Reported By: Michael Taylor
Date Reported: 2017-06-29
Section 1.7 says:
This document removes discussion of the INTERNAL_ADDRESS_EXPIRY configuration attribute because its implementation was very problematic. Implementations that conform to this document MUST ignore proposals that have configuration attribute type 5, the old value for INTERNAL_ADDRESS_EXPIRY
It should say:
Unclear what it should be
Configuration attribute 5, INTERNAL_ADDRESS_EXPIRY, is a type of attribute in a configuration payload. It is not an attribute in a proposal. As documented in Section 2.7 proposals are part of an SA payload.
An SA payload consists of one or more proposals. Each proposal
includes one protocol. Each protocol contains one or more transforms
-- each specifying a cryptographic algorithm. Each transform
contains zero or more attributes (attributes are needed only if the
Transform ID does not completely specify the cryptographic
So the correct behavior when one receives a *configuration* payload with INTERNAL_ADDRESS_EXPIRY cannot be to ignore a proposal. Was the intent to say that the configuration payload should be ignored? Was the intent to say that the configuration payload should be processed but the INTERNAL_ADDRESS_EXPIRY attribute ignored? Clearly these choices would result in radically different outcomes for the negotiation.