Re: [Gen-art] Review: draft-mglt-ipsecme-clone-ike-sa-05.txt

Jari Arkko <> Thu, 03 December 2015 12:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 401211B3469; Thu, 3 Dec 2015 04:18:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.39
X-Spam-Status: No, score=0.39 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_SIDE=2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VkkCRJIIwTxF; Thu, 3 Dec 2015 04:18:56 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 6C56F1A88CF; Thu, 3 Dec 2015 04:18:55 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id BCFC92CC5D; Thu, 3 Dec 2015 14:18:54 +0200 (EET) (envelope-from
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DrnDCmdBRP65; Thu, 3 Dec 2015 14:18:54 +0200 (EET)
Received: from [] ( [IPv6:2a00:1d50:2::130]) by (Postfix) with ESMTP id D153D2CC5C; Thu, 3 Dec 2015 14:18:53 +0200 (EET) (envelope-from
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_25742974-06B2-47CF-A2F0-CA4CA53AD612"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail 2.5.1
From: Jari Arkko <>
In-Reply-To: <>
Date: Thu, 3 Dec 2015 14:18:55 +0200
Message-Id: <>
References: <> <> <> <>
To: "Joel M. Halpern" <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Cc: General Area Review Team <>, Daniel Migault <>, Valery Smyslov <>, "" <>
Subject: Re: [Gen-art] Review: draft-mglt-ipsecme-clone-ike-sa-05.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Dec 2015 12:18:57 -0000

Joel, thank you very much for uncovering this issue, and thank you Daniel for addressing it. I have balloted no-obj for tonight’s IESG telechat for this document.


On 08 Oct 2015, at 19:18, Joel M. Halpern <> wrote:

> That would work very well for me.  Thank you for addressing my concerns.
> Yours,
> Joel
> On 10/8/15 10:20 AM, Daniel Migault wrote:
>> Hi Joel,
>> Thank you for taking time to review and comment the draft.
>> We propose to add the following text to clarify the example in section 2 before the two last paragraphs. The following text expects to clarify the following points:
>>    - 1) The creation of VPN is a local policy matter
>>    - 2) Moving one duplicated VPN to different interfaces may involve multiple MOBIKE operations
>>    - 4) There is no needs to create all possible VPNs ( might be similar to item 1)
>> The following text has been added to our local copy. If you would like us to publish a new version, feel free to let us know. Our intention is to keep the updates local until you ask us to publish the draft.
>> BR,
>> Daniel and Valery
>> Note that it is up to host's local policy which additional VPNs to create and
>> when to do it. The process of selecting address pairs for migration is
>>  a local matter. Furthermore, in the case of multiple interfaces on
>>  both ends care should be taken to avoid the VPNs to be duplicated by both ends or moved to the both interfaces.
>>  In addition multiple MOBIKE operation may be involved from the
>>  Security Gateway or the VPN End User.
>>  Suppose, as depicted in Figure 3 for example that the cloned VPN is
>>  between Interface _0 and Interface_0', and the VPN End User and the
>>  Security Gateway wants to move it to Interface_1 and Interface_1'. The
>>  VPN End User may initiate a MOBIKE exchange in order to move it to
>>  Interface_1, in which case the cloned VPN is now between Interface_1
>>  and Interface_0'. Then the Security Gateway may also initiate a MOBIKE exchange in order to move the VPN to Interface_1' in which case the VPN has reached its final destination.
>> -----Original Message-----
>> From: Joel M. Halpern []
>> Sent: Friday, October 02, 2015 1:25 PM
>> To: A. Jean Mahoney; General Area Review Team;
>> Subject: [Gen-art] Review: draft-mglt-ipsecme-clone-ike-sa-05.txt
>> I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair.  Please treat these comments just like any other last call comments.
>> For more information, please see the FAQ at
>> <>.
>> Document: draft-mglt-ipsecme-clone-ike-sa-05.txt
>> Cloning IKE SA in the Internet Key Exchange Protocol Version 2 (IKEv2)
>> Reviewer: Joel M. Halpern
>> Review Date: 2-Oct-2015
>> IETF LC End Date: 27-Oct-2015
>> IESG Telechat date: N/A
>> Summary: This document is nearly ready for publication as a Propsoed Standard RFC.
>> Major issues:
>>      The introductory material talks about the case where both sides have multiple interfaces.  It is not clear what will happen with this mechanism in that case.
>>      In particular, if I have two systems, with three interfaces, it seems that this will start by creating the S1-D1 Security Association.
>> It seems straightforward for each side to create their simple additional assocations (S2-D1, S3-D1, and S1-D2, S1-D3).
>>      But the introduction suggests that we also want to create S2-D2, S3-D3, S2-D3, and S3-D2.  With no other guidance, it appears that both sides will try to create all four of those, creating 8 security associations instead of 4.
>>      I hope that I have simply missed something in the document that resolves this.
>> Minor issues:
>> Nits/editorial comments:
> _______________________________________________
> Gen-art mailing list