Re: [Gen-art] Gen-ART review of draft-ietf-hokey-erp-aak-07

Zhen Cao <zehn.cao@gmail.com> Fri, 03 February 2012 07:11 UTC

From: Zhen Cao <zehn.cao@gmail.com>
To: "Miguel A. Garcia" <Miguel.A.Garcia@ericsson.com>
Cc: Hui Deng <denghui02@gmail.com>, General Area Review Team <gen-art@ietf.org>, sunseawq@huawei.com, Stephen Farrell <stephen.farrell@cs.tcd.ie>

Dear Miguel,

Thanks for the valuable review; see our replies inline.

Best regards,
Zhen

On Thu, Feb 2, 2012 at 10:51 PM, Miguel A. Garcia
<Miguel.A.Garcia@ericsson.com> wrote:
> I have been selected as the General Area Review Team (Gen-ART)
> reviewer for this draft. For background on Gen-ART, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>
>
> Please resolve these comments along with any other comments you may receive.
>
> Document: draft-ietf-hokey-erp-aak-07
> Reviewer: Miguel Garcia <miguel.a.garcia@ericsson.com>
> Review Date: 2011-01-02
> IETF LC End Date: 2012-02-07
>
> Summary: This draft is on the right track but has open issues, described in
> the review.
>
> Major issues:
>
> - None
>
> Minor issues:
>
> - The main problem I have with this draft is the lack of normative text (RFC
> 2119 reserved words) in relevant paragraphs. If interoperability is to be
> granted, an effort should be taken in adding quite a few more normative
> statements.
>
> However, having said that, the section where I find that there should
> be more normative text is Section 3, which is an "Overview" section. In
> general, an overview section should use descriptive, but not normative text.
>
> For example, take the last paragraph in Page 5 (that continues to Page 6).
> One possible change is to make the text normative and move it outside a
> section whose title is "Overview".
>
>   Upon receiving the message, the ERP/AAK server MUST first use the
>   keyName indicated in the keyName-NAI to look up the rIK and MUST
>   check the integrity and freshness of the message. Then the ERP/AAK
>   server MUST verify the identity of the peer by checking the username
>   portion of the KeyName-NAI.  If any of the checks fail, the server
>   MUST send an early-authentication finish message (EAP-Finish/Re-auth
>   with E-flag set) with the Result flag set to '1'.  Next, the server
>   MUST authorize the CAP specified in the CAP-Identifier TLV.  In the
>   success case, the server MUST derive a pMSK from the pRK for each CAP
>   carried in the CAP-Identifier field using the sequence number
>   associated with CAP-Identifier as an input to the key derivation.
>   (see d. in the figure 1).
>
>   Then the ERP/AAK server MUST transport the pMSK to the authorized CAP
>   via AAA Section 7 as described in figure 2 (see e.1,e.2 in the figure
>   2). Note that key distribution in the figure 2 is one part of step d.
>   in the figure 1.
>
> The last paragraph in Section 3 also contains an "Optionally", which I
> believe should be replaced with a capitalized "OPTIONAL".

[CZ]: Good suggestion, we will revise the draft to reflect this.

>
> Another instance: towards the end of Section 5.2, the text reads:
>
>   HMAC-SHA256-128 is mandatory to implement and should be enabled in
>   the default configuration.
>
> and should probably be:
>
>   HMAC-SHA256-128 is REQUIRED to be implemented and SHOULD be enabled in
>   the default configuration.

[CZ] Okay.

>
> Similarly, the last paragraph in Section 5.2 reads:
>
>   If the EAP-Initiate/Re-auth packet is not supported by the SAP, it is
>   discarded silently.
>
> and should probably be:
>
>   If the EAP-Initiate/Re-auth packet is not supported by the SAP, it
>   SHOULD be discarded silently.
>

[CZ] Okay.

>
> - Another topic, Section 9 (IANA Considerations) reads:
>
>   Further, this document registers an Early authentication usage label
>   from the "USRK Key Labels" name space with a value:
>
>      EAP Early-Authentication Root Key@ietf.org
>
>
> I am missing the sentence to name the master registry where the USRK Key
> Labels subregistry is stored. This is the Extended Master Session Key (EMSK)
> Parameters registry (I guess). And probably this comment is also valid for
> the rest of the IANA actions: the main registry is not named, and it is hard
> to find it.

[CZ]: The EMSK or DSRK label is defined in Section 8.1 "Key Labels" of
RFC 5295. We will add a reference to RFC 5295 to fix this. Thanks.

>
>
> /Miguel
> --
> Miguel A. Garcia
> +34-91-339-3608
> Ericsson Spain



-- 
Best regards,
Zhen
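The server-side procedure quoted above (look up the rIK by keyName-NAI, check integrity and freshness, verify the peer identity, authorize the CAPs, then derive one pMSK per CAP with its sequence number as KDF input), as an added example that is not part of the thread or of the draft. The pMSK label, the KDF construction (RFC 5295-style PRF+ over HMAC-SHA256), the message layout and the server state layout are assumptions made for illustration.

```python
import hmac, hashlib, struct

# Assumed for illustration: the pMSK label and the KDF shape (RFC 5295 PRF+ over
# HMAC-SHA256); the quoted draft text does not spell these out.
PMSK_LABEL = b"Early-Authentication Master Session Key@ietf.org"

def kdf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """PRF+ with HMAC-SHA256 over label | "\\0" | data | length (RFC 5295 style)."""
    s = label + b"\0" + data + struct.pack(">H", length)
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([n]), hashlib.sha256).digest()
        out, n = out + t, n + 1
    return out[:length]

def hmac_sha256_128(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256-128: the mandatory-to-implement integrity algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def serve_early_auth(server, body, tag, keyname_nai, seq, caps):
    """Apply the ERP/AAK server checks in the order the quoted text requires.
    Returns ('1', {}) when a check fails (EAP-Finish/Re-auth, E-flag, Result=1),
    otherwise ('0', {CAP-Identifier: pMSK}) for every authorized CAP."""
    username = keyname_nai.split("@", 1)[0]      # keyName = username portion
    rik = server["rik"].get(username)
    if rik is None:
        return "1", {}                            # unknown keyName, no rIK
    if not hmac.compare_digest(hmac_sha256_128(rik, body), tag):
        return "1", {}                            # integrity check failed
    if seq <= server["last_seq"].get(username, -1):
        return "1", {}                            # not fresh: replayed sequence number
    if username not in server["peers"]:
        return "1", {}                            # peer identity check failed
    if any(cap not in server["authorized_caps"] for cap in caps):
        return "1", {}                            # CAP authorization failed
    server["last_seq"][username] = seq
    prk = server["prk"][username]                 # one pMSK per CAP, seq as KDF input
    return "0", {cap: kdf(prk, PMSK_LABEL, cap.encode() + struct.pack(">H", seq), 64)
                 for cap in caps}

def demo():
    """Constructed sample: one peer, two CAPs, a valid request and then its replay."""
    rik, prk = b"r" * 32, b"p" * 32
    server = {"rik": {"peer1": rik}, "prk": {"peer1": prk}, "peers": {"peer1"},
              "authorized_caps": {"cap-a", "cap-b"}, "last_seq": {}}
    nai, seq, caps = "peer1@example.com", 5, ["cap-a", "cap-b"]
    body = nai.encode() + struct.pack(">H", seq) + ",".join(caps).encode()
    tag = hmac_sha256_128(rik, body)
    return (serve_early_auth(server, body, tag, nai, seq, caps),
            serve_early_auth(server, body, tag, nai, seq, caps))
```

The second call in `demo()` reuses the same sequence number, so the freshness check rejects it and no pMSK is derived.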