[Gen-art] Gen-ART review for draft-ietf-ipsecme-esp-null-heuristics-06.txt (was: Re: Gen-ART review for draft-ietf-ipsecme-esp-null-heuristics-05.txt)
"Spencer Dawkins" <spencer@wonderhamster.org> Fri, 26 February 2010 12:42 UTC
Return-Path: <spencer@wonderhamster.org>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0095828C1CA for <gen-art@core3.amsl.com>; Fri, 26 Feb 2010 04:42:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.485
X-Spam-Level:
X-Spam-Status: No, score=-2.485 tagged_above=-999 required=5 tests=[AWL=0.113, BAYES_00=-2.599, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zw115gg4hKj2 for <gen-art@core3.amsl.com>; Fri, 26 Feb 2010 04:42:01 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id D556628C1B4 for <gen-art@ietf.org>; Fri, 26 Feb 2010 04:42:00 -0800 (PST)
Received: from S73602b (cpe-76-182-230-135.tx.res.rr.com [76.182.230.135]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0LcjQV-1NIZMK05hf-00k9bJ; Fri, 26 Feb 2010 07:44:07 -0500
Message-ID: <D7E21970E6F54938922EAE6D35A4D595@china.huawei.com>
From: Spencer Dawkins <spencer@wonderhamster.org>
To: Tero Kivinen <kivinen@iki.fi>
References: <7B2204AACA664DA2988E253FE2FCF568@china.huawei.com><19323.49404.562705.833947@fireball.kivinen.iki.fi><F482F25C6B0B49159A83DBDB0D0045AB@china.huawei.com> <19335.47671.472054.767654@fireball.kivinen.iki.fi>
Date: Fri, 26 Feb 2010 06:43:58 -0600
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5843
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-Provags-ID: V01U2FsdGVkX181bPuOhaL226xL0G3z4FQrkv7mBe9sGiZX56c CFZ6cXYSs6XsTonIBbRAEVtsxo9pk27COC9z+ezKkVAd/QSB2i ymhm0SyCvlPv2TrI1QjazFVFsY7JtvMF37styaSLSk=
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-ipsecme-esp-null-heuristics@tools.ietf.org
Subject: [Gen-art] Gen-ART review for draft-ietf-ipsecme-esp-null-heuristics-06.txt (was: Re: Gen-ART review for draft-ietf-ipsecme-esp-null-heuristics-05.txt)
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2010 12:42:02 -0000
Hi, Tero, Thank you for fixing my suggested text ("writing text is hard" :-) Russ, -06 addresses all of my review comments from -05. It's ready for publication as an Informational RFC, from a Gen-ART perspective. I did spot one "This heuristics" in new text that should be "This heuristic", but that's an RFC Editor note, not a draft respin. Thanks, Spencer > Spencer Dawkins writes: >> I don't feel strongly about this, but do suggest s/uses the same >> policy/uses >> the same policy, and that changes to that single policy can be >> coordinated >> throughout the administrative domain/, to capture what you said in your >> response, which I found helpful. > > Changed that sentence as you suggested and the full sentence is now: > > Also, such a solution might require some kind of centralized > policy management to make sure everybody in an administrative > domain uses the same policy, and that changes to that single > policy can be coordinated throughout the administrative > domain. > >> I saw that this isn't a 2119 document, but it's hard for people who are >> familiar with 2119 language to ignore the words when they are in lower >> case >> :D >> >> I really liked the explanation you gave in your response here. I suggest >> picking one of "can/will/should", probably "can", and including your >> response in the document. >> >> The resulting text (with some additional edits) might look something like >> "As ESP-NULL heuristics need to know the same protocols as a deep >> inspection >> device, an ESP-NULL instance of an unknown protocol can be handled the >> same >> way as a cleartext instance of the same unknown protocol. > > Changed to the text you suggested. > >> OK, that's the part that was missing for me. I would suggest "the packet >> has >> already transited a NAT box which changed the IP addresses but assumed >> any >> ESP payload was encryped and did not recalculate the transport checksums >> with the new IP addresses. Thus" > > Made the changes you requested, but used "fix" instead "recalculate" > as most of the nats do not recalculate checksum, but do incremental > update on it. The whole text section is now: > > The most obvious field, TCP checksum, might not be usable, as it > is possible that the packet has already transited a NAT box > which changed the IP addresses but assumed any ESP payload was > encrypted and did not fix the transport checksums with the new > IP addresses. Thus the IP numbers used in the checksum are > wrong, thus the checksum is wrong. > >> This explanation is helpful. I'd suggest adding "This hueristic is most >> helpful when only one packet is outstanding. For example, if a TCP SYN >> packet is lost, the next packet would always be a retransmission of the >> SYN >> packet". > > Changed (with minor edits) as you suggested. The full text is now: > > One good method of detection is if a packet is dropped then the > next packet will most likely be a retransmission of the previous > packet. Thus if two packets are received with the same source, > and destination port numbers, and where sequence numbers are > either same or right after each other, then it's likely a TCP > packet has been correctly detected. This heuristics is most > helpful when only one packet is outstanding. For example, if a > TCP SYN packet is lost (or dropped because of policy), the next > packet would always be a retransmission of the same TCP SYN > packet. > >> Your explanation was very helpful. I'd suggest >> >> "Forcing use of ESP-NULL everywhere inside the enterprise, so that >> accounting, logging, network monitoring, and intrusion detection all >> work, >> increases the risk of sending confidential information where >> eavesdroppers >> can see it" > > Changed to use your text. > > I updated the draft and submitted 06 version which includes these > changes. > -- > kivinen@iki.fi
- [Gen-art] Gen-ART review for draft-ietf-ipsecme-e… Spencer Dawkins
- Re: [Gen-art] Gen-ART review fordraft-ietf-ipsecm… Spencer Dawkins
- [Gen-art] Gen-ART review for draft-ietf-ipsecme-e… Tero Kivinen
- Re: [Gen-art] Gen-ART review for draft-ietf-ipsec… Spencer Dawkins
- Re: [Gen-art] Gen-ART review for draft-ietf-ipsec… Dan McDonald
- Re: [Gen-art] Gen-ART review for draft-ietf-ipsec… Tero Kivinen
- [Gen-art] Gen-ART review for draft-ietf-ipsecme-e… Spencer Dawkins