Re: [Gen-art] (quick) review of draft-ietf-rmt-flute-revised-13.txt
Francis Dupont <Francis.Dupont@fdupont.fr> Mon, 12 March 2012 20:54 UTC
Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 929E521F8A0A for <gen-art@ietfa.amsl.com>; Mon, 12 Mar 2012 13:54:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Level:
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcosPpuj6rV0 for <gen-art@ietfa.amsl.com>; Mon, 12 Mar 2012 13:54:41 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) by ietfa.amsl.com (Postfix) with ESMTP id 0DAC921F8A08 for <gen-art@ietf.org>; Mon, 12 Mar 2012 13:54:39 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id q2CKsZH5013236; Mon, 12 Mar 2012 21:54:35 +0100 (CET) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201203122054.q2CKsZH5013236@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Vincent Roca <vincent.roca@inria.fr>
In-reply-to: Your message of Mon, 12 Mar 2012 12:26:25 +0100. <F70342DE-A102-410A-82CA-C843740D4E7A@inria.fr>
Date: Mon, 12 Mar 2012 21:54:35 +0100
Sender: Francis.Dupont@fdupont.fr
Cc: gen-art@ietf.org, draft-ietf-rmt-flute-revised.all@tools.ietf.org
Subject: Re: [Gen-art] (quick) review of draft-ietf-rmt-flute-revised-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 20:54:43 -0000
In your previous mail you wrote:
> > Minor issues: not a real one (it was inherited from RFC 5775) but
> > in the security considerations there is nothing about IPsec/AH
> > (BTW people who didn't implement it didn't implement the transport
> > mode (for IPsec/ESP) too :-).
>
> Yes, this is done deliberately. We do not mention IPsec/AH at all
> and our minimum security requirements are aligned with that of
> RFC 5775. For instance RFC5775, Section 5.1.1, says:
>
> "The ALC sender SHALL use an IPsec SA configured for Encapsulating
> Security Payload (ESP) protocol [RFC4303] operation with the option
> for data origination authentication enabled."
>
> I think the situation is clear enough.
=> yes: even I still like to get IPsec/AH I understand the mistake
(if it is a mistake) was done with the RFC 5775 so it is far too late.
> > - 1 page 6: please add a reference to RFC2357 (or make it an
> > explicit reference)
>
> I don't understant. We already have a reference to that RFC in section
> 1, p6:
> "This specification contains part of the definitions necessary to
> fully specify a Reliable Multicast Transport protocol in accordance
> with [RFC2357]."
> What is the point?
=> I have in the .txt version:
This specification contains part of the definitions necessary to
fully specify a Reliable Multicast Transport protocol in accordance
with RFC2357.
^^^^^^^
and it is the only occurrence of 2357. BTW I am fine of course with
your personal (?) version of the document (:-)!
> I've clarified what a TSI looks like as follows:
>
> NEW:
> One of the fields carried in the ALC/LCT header is the Transport
> Session Identifier (TSI), an integer carried in a field of size 16,
> 32, or 48 bits (note that the TSI may be carried by other means in
> which case it is absent from the LCT header [RFC5651]).
=> fine!
> > - 7.2.2 page 30: this is the place I am surprised to not get
> > IPsec/AH [RFC4302] as an alternative to IPsec/ESP [RFC4303]
> > when integrity and sender authentication is wanted.
>
> An interesting reference:
> "A Cryptographic Evaluation of IPsec"
> Niels Ferguson and Bruce Schneier
> http://www.schneier.com/paper-ipsec.pdf
> Section 3.1:
> "Recommendation 2: Eliminate the AH protocol."
>
> Another reference on the same topic:
> "Avoiding Authentication Header (AH)"
> draft-bhatia-ipsecme-avoiding-ah-00
>
> I don't follow the IPSECME WG and therefore I cannot
> say whether there is consensus or not on the topic.
=> there is not and IMHO there won't be... AH will be withdrawn
because people are tired to explain how it can be used, not
because people are convinced it is useless.
> However it seems to me it's not worth adding a reference
> to AH. We can do without, using the functionalities already
> provided in the "minimum security requirements".
=> this was addressed with the (previous) minor issue:
IPsec/AH is not in RFC 5775 so there is no reason it should be
in draft-ietf-rmt-flute-revised.
Thanks
Francis.Dupont@fdupont.fr
PS: I still wait for a new version.
- [Gen-art] (quick) review of draft-ietf-rmt-flute-… Francis Dupont
- Re: [Gen-art] (quick) review of draft-ietf-rmt-fl… Vincent Roca
- Re: [Gen-art] (quick) review of draft-ietf-rmt-fl… Francis Dupont