ipsec September 2009 archive

Re: [IPsec] CRL checking when selecting a certifcate

From: Tero Kivinen <kivinen_at_nospam>
Date: Fri Sep 04 2009 - 08:54:17 GMT
To: David Wierbowski <wierbows@us.ibm.com>


David Wierbowski writes:
>
> Tero, thanks for the comments and the clarification on how to read a lower
> case must. I do have a few more comments.
>
> >So implementations cannot just search uppercase "MUST/SHOULD/MAY"
> >texts and assume it is enough to make sure those are correct. It also
> >needs to do what the text says...
> I think most implementers focus on the MUST and SHOULDs and then apply
> common sense to the remaining text.

I agree. I have done that myself too, and only noticed that this does not really help when the latest version of ikev2bis had the following change (this is unrelated to the current case, but it is a more generic case):

Old text:

   The responder can be assured that the initiator is prepared to
   receive messages on an SA if either (1) it has received a
   cryptographically valid message on the new SA, or (2) the new SA
   rekeys an existing SA and it receives an IKE request to close the
   replaced SA. When rekeying an SA, the responder SHOULD continue to
   send messages on the old SA until one of those events occurs.

New text:

   The responder can be assured that the initiator is prepared to
   receive messages on an SA if either (1) it has received a
   cryptographically valid message on the new SA, or (2) the new SA
   rekeys an existing SA and it receives an IKE request to close the
   replaced SA. When rekeying an SA, the responder continues to send
   traffic on the old SA until one of those events occurs.


Earlier we knew that we didn't follow that SHOULD exactly, as we moved to using the new SA either when the old one was deleted or after a short timeout. We knew this was against the SHOULD, and changing it was on our todo list.

Now the new text does not say "SHOULD" anymore (it was removed, not lowercased); it just says you "continue to send traffic on the old SA", so effectively it is now a MUST: it says you do that, and you are not allowed to do anything else.

So when the text removed "SHOULD" it actually made the required behavior much stricter, and made our old implementations no longer follow the given behavior (as this was on our todo list, we have already changed the code).

This is a more generic thing than just CRLs (or rekey behavior), i.e. what does a non-lowercase "do this" statement in the RFC really mean.
-- 
kivinen@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
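As an added illustration of the rekey rule quoted in the message (this is example code written for this page, not code from the message's author or from any IKEv2 implementation), the following Python model tracks a responder's choice of outbound Child SA after a rekey. `RekeyResponder` implements the ikev2bis text strictly: it moves traffic to the new SA only on (1) a message on the new SA that passed integrity verification, or (2) a delete request for the replaced SA. `TimeoutResponder` adds the third trigger the message describes as the older, non-conforming behaviour: switching after a short timer. The SPI values, the 5-second timer and the scripted event list are constructed for the example and are not taken from the page.

```python
"""Responder-side choice of outbound Child SA after an IKEv2 rekey.

Strict rule (ikev2bis text quoted above): keep sending on the old SA until
  (1) a cryptographically valid message arrives on the new SA, or
  (2) an IKE request to delete the replaced (old) SA is received.
"""

from dataclasses import dataclass


@dataclass
class RekeyResponder:
    """Responder that has accepted a rekey of old_spi by new_spi."""

    old_spi: int
    new_spi: int
    switched: bool = False  # True once outbound traffic moves to new_spi

    def outbound_spi(self) -> int:
        """SPI the responder would put on its next outbound packet."""
        return self.new_spi if self.switched else self.old_spi

    def on_inbound(self, spi: int, integrity_ok: bool) -> None:
        # Event (1): only a message that passed ICV/AEAD verification counts.
        # An unauthenticated packet carrying the new SPI must not cause the
        # switch, or an on-path attacker could force it.
        if spi == self.new_spi and integrity_ok:
            self.switched = True

    def on_delete_request(self, spi: int) -> None:
        # Event (2): an INFORMATIONAL DELETE for the replaced SA.
        # A delete of an unrelated SA is not a trigger.
        if spi == self.old_spi:
            self.switched = True

    def tick(self, seconds: float) -> None:
        # Strict behaviour: elapsed time alone never changes the SA in use.
        return None


@dataclass
class TimeoutResponder(RekeyResponder):
    """Older variant described in the message: also switches after a timer.
    The 5-second default is an assumption for the example."""

    switch_after: float = 5.0
    elapsed: float = 0.0

    def tick(self, seconds: float) -> None:
        self.elapsed += seconds
        if self.elapsed >= self.switch_after:
            self.switched = True


def run(responder: RekeyResponder, events: list) -> list:
    """Apply a scripted event list; return the outbound SPI after each event.

    Event tuples: ("tick", seconds), ("inbound", spi, integrity_ok),
    ("delete", spi).
    """
    trace = []
    for ev in events:
        kind = ev[0]
        if kind == "tick":
            responder.tick(ev[1])
        elif kind == "inbound":
            responder.on_inbound(ev[1], ev[2])
        elif kind == "delete":
            responder.on_delete_request(ev[1])
        else:
            raise ValueError(f"unknown event {kind!r}")
        trace.append(responder.outbound_spi())
    return trace


def demo() -> dict:
    """Run the same constructed script through both variants."""
    OLD, NEW = 0x1111, 0x2222  # constructed SPIs
    script = [
        ("tick", 30.0),          # time passes, no traffic on the new SA yet
        ("inbound", NEW, False), # packet on new SPI that fails integrity check
        ("delete", 0x3333),      # delete of some unrelated SA
        ("inbound", NEW, True),  # first valid message on the new SA
    ]
    return {
        "strict": run(RekeyResponder(OLD, NEW), script),
        "timeout": run(TimeoutResponder(OLD, NEW), script),
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(name, [hex(spi) for spi in trace])
```

The strict responder stays on `0x1111` through the timer, the forged packet and the unrelated delete, and switches only at the last event; the timeout variant has already moved to `0x2222` after the first tick, which is exactly the behaviour the new text no longer permits.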