Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
Elwyn Davies <elwynd@dial.pipex.com> Mon, 30 November 2009 19:30 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A78993A682A for <gen-art@core3.amsl.com>; Mon, 30 Nov 2009 11:30:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.33
X-Spam-Level:
X-Spam-Status: No, score=-101.33 tagged_above=-999 required=5 tests=[AWL=-1.603, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_IP_ADDR=1.119, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vquCNWO-9cAd for <gen-art@core3.amsl.com>; Mon, 30 Nov 2009 11:30:46 -0800 (PST)
Received: from a.painless.aaisp.net.uk (a.painless.aaisp.net.uk [IPv6:2001:8b0:0:30::51bb:1e33]) by core3.amsl.com (Postfix) with ESMTP id 1A15E3A68DF for <gen-art@ietf.org>; Mon, 30 Nov 2009 11:30:46 -0800 (PST)
Received: from 153.107.2.81.in-addr.arpa ([81.2.107.153] helo=[81.187.254.244]) by a.painless.aaisp.net.uk with esmtp (Exim 4.69) (envelope-from <elwynd@dial.pipex.com>) id 1NFBx9-0004KV-L0; Mon, 30 Nov 2009 19:30:31 +0000
Message-ID: <4B141D57.50101@dial.pipex.com>
Date: Mon, 30 Nov 2009 19:30:31 +0000
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Ertekin, Emre [USA]" <ertekin_emre@bah.com>
References: <4ABBA844.7040301@dial.pipex.com> <8FD7E55332C3644C818757411AE27C60134D76A6@ASHBMBX02.resource.ds.bah.com> <4B054E68.2000905@dial.pipex.com> <8FD7E55332C3644C818757411AE27C6016260EAF@ASHBMBX02.resource.ds.bah.com> <4B13A78B.7000701@dial.pipex.com> <8FD7E55332C3644C818757411AE27C6016260FA1@ASHBMBX02.resource.ds.bah.com>
In-Reply-To: <8FD7E55332C3644C818757411AE27C6016260FA1@ASHBMBX02.resource.ds.bah.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "rohc-chairs@tools.ietf.org" <rohc-chairs@tools.ietf.org>, "rohc-ads@tools.ietf.org" <rohc-ads@tools.ietf.org>, General Area Reviwing Team <gen-art@ietf.org>, "Christou, Christos [USA]" <christou_chris@bah.com>, "cabo@tzi.org" <cabo@tzi.org>
Subject: Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 19:30:48 -0000
Hi. Last minute thought... the profile identifiers tie up with the profile numbers in RFC 4996 and RFC 5225 - it would be worth noting that. I can't see where the authentication algorithm identifiers tie up with - I presume there must be some place these various algorithms are specified for ROHC. It ought to be referenced. Regards, Elwyn Ertekin, Emre [USA] wrote: > Hi Elwyn, > > Great. I agree with both of your points. I will make the updates to the draft. > > Once I make these changes, I will consider this thread/comment as resolved. > > BR, > Emre > > >> -----Original Message----- >> From: Elwyn Davies [mailto:elwynd@dial.pipex.com] >> Sent: Monday, November 30, 2009 3:08 AM >> To: Ertekin, Emre [USA] >> Cc: General Area Reviwing Team; Mary Barnes; rohc-ads@tools.ietf.org; >> rohc-chairs@tools.ietf.org; cabo@tzi.org; Christou, Christos [USA] >> Subject: Re: Gen-art reiew of draft-ietf-rohc-ipsec-extensions- >> hcoipsec-05 >> >> Hi. >> >> This seems good to me. One minor point on the ASN.1: I think the >> extra >> 'rohc' piece should it be specified as 'OPTIONAL' so that not it >> doesn't >> have to be in every implementation - and should it come after the >> tunnel >> params as this change will alter the OID of tunnel params as it stands >> (if my understanding of ASN.1 is right)? >> >> Thanks. >> Elwyn >> >> Ertekin, Emre [USA] wrote: >> >>> Hi Elwyn, >>> >>> >>> >>>>>> SPD additions: >>>>>> In Section 2.1 some additional fields to be added to the SPD >>>>>> Processing component are described informally. RFC 4301 which has >>>>>> >>>>>> >>>> the >>>> >>>> >>>>>> unmodified version of the Processing component also has a formal >>>>>> >>>>>> >>>> ASN.1 >>>> >>>> >>>>>> description. I think this document needs an updated ASN.1 >>>>>> >>>>>> >>>> desciption >>>> >>>> >>>>>> also. >>>>>> >>>>>> Further the description talks about adding 'processing info' >>>>>> >> fields >> >>>> if >>>> >>>> >>>>>> the >>>>>> 'processing info field is set to PROTECT'. Although this partly >>>>>> reflects the >>>>>> wording in the body of RFC 4301, it is rather confusing when >>>>>> >> looking >> >>>> at >>>> >>>> >>>>>> the >>>>>> ASN.1. The wording of para 3 of S2.1 might be better as: >>>>>> If the SPD entry is an IPsecEntry (to PROTECT traffic) then the >>>>>> Processing >>>>>> item of the IPsecEntry must be extended with the following >>>>>> >> items: >> >>>>>> >>>> On refelection, I agree that using IPsecEntry in s2.1 wouldn't be >>>> appropriate. However I think the wording could still be improved. >>>> Retry: >>>> If the processing action associated with the selector sets is >>>> PROTECT, then the processing info must be >>>> extended with the following ROHC channel parameters: >>>> >>>> >>> OK; sounds good! >>> >>> >>> >>>>> A while back, we were thinking of adding ASN.1 notation to the >>>>> >>>>> >>>> draft...however we opted not to. This is because Appendix C in RFC >>>> 4301 is only an example ASN.1 definition of a SPD and is referred to >>>> >> as >> >>>> "merely illustrative". Since our extensions would've expanded >>>> upon/augmented this non-normative text, we decided to leave it out. >>>> >>>> Sure, it is illustrative, but it also seems to have specified a >>>> >> fully >> >>>> qualified OID. This indicates to me that at least some people may >>>> >> be >> >>>> using this as an access mechanism for the SPD. In that case >>>> >> formally >> >>>> specifying the ASN.1 would be highly desirable even if it is not >>>> normative. Doubtless there are other people who know if the SPD is >>>> accessed this way (e.g. as a MIB) even if I don't. >>>> >>>> >>> OK. We developed the ASN.1 representation of the ROHC parameters and >>> >> plan to incorporate it as an Appendix to the draft. The text reads as >> follows: >> >>> Appendix A. ASN.1 representation for ROHCoIPsec >>> >>> This appendix is included as an additional way to describe the >>> ROHCoIPsec parameters that are included in the IPsec SPD. It uses >>> portions of the ASN.1 syntax provided in Appendix C of RFC 4301 >>> [IPSEC]. In addition, several new structures are defined. >>> >>> This syntax has been successfully compiled. However, it is merely >>> illustrative and need not be employed in an implementation to >>> >> achieve >> >>> compliance. >>> >>> The "Processing" data structure, defined in Appendix C of RFC >>> >> 4301, >> >>> is augmented to include a ROHC parameters element as follows: >>> >>> Processing ::= SEQUENCE { >>> extSeqNum BOOLEAN, -- TRUE 64 bit counter, FALSE 32 >>> >> bit >> >>> seqOverflow BOOLEAN, -- TRUE rekey, FALSE terminate & >>> >> audit >> >>> fragCheck BOOLEAN, -- TRUE stateful fragment checking, >>> -- FALSE no stateful fragment >>> >> checking >> >>> lifetime SALifetime, >>> spi ManualSPI, >>> algorithms ProcessingAlgs, >>> rohc RohcParams, >>> tunnel TunnelOptions OPTIONAL >>> } >>> >>> The following data structures describe these ROHC parameters: >>> >>> RohcParams ::= SEQUENCE { >>> rohcEnabled BOOLEAN, -- TRUE, hdr compression is >>> >> enabled >> >>> -- FALSE, hdr compression is >>> >> disabled >> >>> maxCID INTEGER (0..16383), >>> mrru INTEGER, >>> profiles RohcProfiles, >>> rohcIntegAlg RohcIntegAlgs, >>> rohcIntegICVLength INTEGER >>> } >>> >>> RohcProfiles ::= SET OF RohcProfile >>> >>> RohcProfile ::= INTEGER { >>> rohcv1-rtp (1), >>> rohcv1-udp (2), >>> rohcv1-esp (3), >>> rohcv1-ip (4), >>> >>> rohcv1-tcp (6), >>> rohcv1-rtp-udpLite (7), >>> rohcv1-udpLite (8), >>> >>> rohcv2-rtp (257), >>> rohcv2-udp (258), >>> rohcv2-esp (259), >>> rohcv2-ip (260), >>> >>> rohcv2-rtp-udpLite (263), >>> rohcv2-udpLite (264) >>> } >>> >>> RohcIntegAlgs ::= SEQUENCE { >>> algorithm RohcIntegAlgType, >>> parameters ANY -- DEFINED BY algorithm -- OPTIONAL } >>> >>> RohcIntegAlgType ::= INTEGER { >>> none (0), >>> auth-HMAC-MD5-96 (1), >>> auth-HMAC-SHA1-96 (2), >>> auth-DES-MAC (3), >>> auth-KPDK-MD5 (4), >>> auth-AES-XCBC-96 (5), >>> auth-HMAC-MD5-128 (6), >>> auth-HMAC-SHA1-160 (7), >>> auth-AES-CMAC-96 (8), >>> auth-AES-128-GMAC (9), >>> auth-AES-192-GMAC (10), >>> auth-AES-256-GMAC (11), >>> auth-HMAC-SHA2-256-128 (12), >>> auth-HMAC-SHA2-384-192 (13), >>> auth-HMAC-SHA2-512-256 (14) >>> -- tbd (15..65535) >>> } >>> >>> I think that does it! Let me know if this looks good to you. >>> >>> V/R, >>> Emre >>> >>>
- [Gen-art] Gen-art reiew of draft-ietf-rohc-ipsec-… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies