Hi

I believe this report should be rejected. The address returned in the 
INTERNAL_IP6_ADDRESS attribute is not a /64 subnet; it is just one address. The 
fact that it belongs to a /64 subnet is beside the point, and in fact the TSi 
payload in both the original and corrected versions contains but one address.

There is no requirement that TSi and TSr have the same subnet size, and in fact 
the selectors shown in the example are rather common for remote access. The 
client has but one address, while the gateway might as well protect the 
Internet. This kind of universal tunnel is very convenient, and even more so 
when the client does not have prior knowledge of the protected domain behind 
the gateway.

Yoav
 
On Sep 4, 2013, at 9:23 PM, RFC Errata System <rfc-edi...@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC5996,
> "Internet Key Exchange Protocol Version 2 (IKEv2)".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=5996&eid=3718
> 
> --------------------------------------
> Type: Technical
> Reported by: Gerald Smith <gsm...@sta.samsung.com>
> 
> Section: 3.15.3
> 
> Original Text
> -------------
> A client can be assigned an IPv6 address using the
> INTERNAL_IP6_ADDRESS Configuration payload. A minimal exchange might
> look like this:
> 
> CP(CFG_REQUEST) =
> INTERNAL_IP6_ADDRESS()
> INTERNAL_IP6_DNS()
> TSi = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
> TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
> 
> CP(CFG_REPLY) =
> INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
> INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
> TSi = (0, 0-65535, 2001:DB8:0:1:2:3:4:5 - 2001:DB8:0:1:2:3:4:5)
> TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
> 
> Corrected Text
> --------------
> CP(CFG_REPLY) =
> INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
> INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
> TSi = (0, 0-65535, 2001:DB8:0:1:2:3:4:5 - 2001:DB8:0:1:2:3:4:5)
> TSr = (0, 0-65535, 2001:DB8:0:1:: - 2001:DB8:0:1:FFFF:FFFF:FFFF:FFFF)
> 
> Notes
> -----
> The INTERNAL_IP6_ADDRESS returned in the CFG_REPLY is a 64 bit subnet, but 
> the TSr returned in the CFG_REPLY shows a 0 bit subnet instead of the 64 bit 
> subnet.
> 
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC5996 (draft-ietf-ipsecme-ikev2bis-11)
> --------------------------------------
> Title               : Internet Key Exchange Protocol Version 2 (IKEv2)
> Publication Date    : September 2010
> Author(s)           : C. Kaufman, P. Hoffman, Y. Nir, P. Eronen
> Category            : PROPOSED STANDARD
> Source              : IP Security Maintenance and Extensions
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
> 
> Email secured by Check Point

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
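
An added example, not part of the original message or of RFC 5996: a Python check of the selectors quoted above, showing that the reply TSi is a single address, that both the RFC's TSr and the erratum's TSr are valid narrowings of the request, and that the assigned address falls inside TSi. The function names are hypothetical; the address ranges are copied from the quoted text.

```python
import ipaddress

def parse_ts(text):
    """Parse the 'start - end' address part of a selector into an address pair."""
    start, end = (ipaddress.IPv6Address(part.strip()) for part in text.split(" - "))
    if start > end:
        raise ValueError("range start is above range end")
    return start, end

def as_prefixes(ts):
    """CIDR blocks covering exactly this range; a clean subnet gives one block."""
    return [str(net) for net in ipaddress.summarize_address_range(*ts)]

def is_narrowing(reply, request):
    """True when the reply range lies inside the requested range."""
    return request[0] <= reply[0] and reply[1] <= request[1]

def check_reply(req_tsi, req_tsr, rep_tsi, rep_tsr, assigned):
    """Return a list of problems with a CFG_REPLY; an empty list means consistent."""
    problems = []
    if not is_narrowing(rep_tsi, req_tsi):
        problems.append("TSi is not a subset of the requested TSi")
    if not is_narrowing(rep_tsr, req_tsr):
        problems.append("TSr is not a subset of the requested TSr")
    if not rep_tsi[0] <= assigned.ip <= rep_tsi[1]:
        problems.append("assigned address is outside TSi")
    return problems

# Address ranges copied from the quoted RFC 5996 section 3.15.3 text and erratum 3718.
ANY = parse_ts(":: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF")
REPLY_TSI = parse_ts("2001:DB8:0:1:2:3:4:5 - 2001:DB8:0:1:2:3:4:5")
TSR_RFC = ANY
TSR_ERRATUM = parse_ts("2001:DB8:0:1:: - 2001:DB8:0:1:FFFF:FFFF:FFFF:FFFF")
ASSIGNED = ipaddress.IPv6Interface("2001:DB8:0:1:2:3:4:5/64")

if __name__ == "__main__":
    print("TSi:", as_prefixes(REPLY_TSI))
    for label, tsr in (("RFC TSr", TSR_RFC), ("erratum TSr", TSR_ERRATUM)):
        print(label, as_prefixes(tsr), check_reply(ANY, ANY, REPLY_TSI, tsr, ASSIGNED))
```

Both TSr variants pass the check; they differ only in how much traffic the tunnel carries, which is a policy choice rather than a consistency requirement between TSi and TSr.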
