Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
Elwyn Davies <elwynd@dial.pipex.com> Tue, 01 December 2009 14:33 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D2DD3A682B for <gen-art@core3.amsl.com>; Tue, 1 Dec 2009 06:33:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.929
X-Spam-Level:
X-Spam-Status: No, score=-100.929 tagged_above=-999 required=5 tests=[AWL=-1.202, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_IP_ADDR=1.119, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12THkuW2GHqp for <gen-art@core3.amsl.com>; Tue, 1 Dec 2009 06:33:40 -0800 (PST)
Received: from c.painless.aaisp.net.uk (c.painless.aaisp.net.uk [IPv6:2001:8b0:0:30::51bb:1e35]) by core3.amsl.com (Postfix) with ESMTP id 1BF183A67C1 for <gen-art@ietf.org>; Tue, 1 Dec 2009 06:33:40 -0800 (PST)
Received: from 153.107.2.81.in-addr.arpa ([81.2.107.153] helo=[81.187.254.251]) by c.painless.aaisp.net.uk with esmtp (Exim 4.69) (envelope-from <elwynd@dial.pipex.com>) id 1NFTnC-0001A2-0A; Tue, 01 Dec 2009 14:33:26 +0000
Message-ID: <4B152932.9090901@dial.pipex.com>
Date: Tue, 01 Dec 2009 14:33:22 +0000
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20081209)
MIME-Version: 1.0
To: "Ertekin, Emre [USA]" <ertekin_emre@bah.com>
References: <4ABBA844.7040301@dial.pipex.com> <8FD7E55332C3644C818757411AE27C60134D76A6@ASHBMBX02.resource.ds.bah.com> <4B054E68.2000905@dial.pipex.com> <8FD7E55332C3644C818757411AE27C6016260EAF@ASHBMBX02.resource.ds.bah.com> <4B13A78B.7000701@dial.pipex.com> <8FD7E55332C3644C818757411AE27C6016260FA1@ASHBMBX02.resource.ds.bah.com> <4B141D57.50101@dial.pipex.com> <8FD7E55332C3644C818757411AE27C6016261225@ASHBMBX02.resource.ds.bah.com>
In-Reply-To: <8FD7E55332C3644C818757411AE27C6016261225@ASHBMBX02.resource.ds.bah.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "rohc-chairs@tools.ietf.org" <rohc-chairs@tools.ietf.org>, "rohc-ads@tools.ietf.org" <rohc-ads@tools.ietf.org>, General Area Reviwing Team <gen-art@ietf.org>, "Christou, Christos [USA]" <christou_chris@bah.com>, "cabo@tzi.org" <cabo@tzi.org>
Subject: Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 14:33:42 -0000
Ertekin, Emre [USA] wrote: > Hi Elwyn, > > Sure, we can add pointers. However, since all of the values are split amongst various RFCs, how about we point to the appropriate IANA registries. > (Sorry that should have been 'reply all') Sounds like a good plan. I promise not to have any more last minute thoughts. ;-) Thanks, Elwyn > So, for the Profile identifiers, we would point to the registry at [http://www.iana.org/assignments/rohc-pro-ids/rohc-pro-ids.xhtml], and for the Integrity algorithms we can point to the Transform Type 3 - Integrity Algorithm Transform IDs registry at [http://www.iana.org/assignments/ikev2-parameters]. > > R, > Emre > > >> -----Original Message----- >> From: Elwyn Davies [mailto:elwynd@dial.pipex.com] >> Sent: Monday, November 30, 2009 11:31 AM >> To: Ertekin, Emre [USA] >> Cc: General Area Reviwing Team; Mary Barnes; rohc-ads@tools.ietf.org; >> rohc-chairs@tools.ietf.org; cabo@tzi.org; Christou, Christos [USA] >> Subject: Re: Gen-art reiew of draft-ietf-rohc-ipsec-extensions- >> hcoipsec-05 >> >> Hi. >> >> Last minute thought... the profile identifiers tie up with the profile >> numbers in RFC 4996 and RFC 5225 - it would be worth noting that. I >> can't see where the authentication algorithm identifiers tie up with - >> I >> presume there must be some place these various algorithms are specified >> for ROHC. It ought to be referenced. >> >> Regards, >> Elwyn >> >> Ertekin, Emre [USA] wrote: >> >>> Hi Elwyn, >>> >>> Great. I agree with both of your points. I will make the updates to >>> >> the draft. >> >>> Once I make these changes, I will consider this thread/comment as >>> >> resolved. >> >>> BR, >>> Emre >>> >>> >>> >>>> -----Original Message----- >>>> From: Elwyn Davies [mailto:elwynd@dial.pipex.com] >>>> Sent: Monday, November 30, 2009 3:08 AM >>>> To: Ertekin, Emre [USA] >>>> Cc: General Area Reviwing Team; Mary Barnes; rohc- >>>> >> ads@tools.ietf.org; >> >>>> rohc-chairs@tools.ietf.org; cabo@tzi.org; Christou, Christos [USA] >>>> Subject: Re: Gen-art reiew of draft-ietf-rohc-ipsec-extensions- >>>> hcoipsec-05 >>>> >>>> Hi. >>>> >>>> This seems good to me. One minor point on the ASN.1: I think the >>>> extra >>>> 'rohc' piece should it be specified as 'OPTIONAL' so that not it >>>> doesn't >>>> have to be in every implementation - and should it come after the >>>> tunnel >>>> params as this change will alter the OID of tunnel params as it >>>> >> stands >> >>>> (if my understanding of ASN.1 is right)? >>>> >>>> Thanks. >>>> Elwyn >>>> >>>> Ertekin, Emre [USA] wrote: >>>> >>>> >>>>> Hi Elwyn, >>>>> >>>>> >>>>> >>>>> >>>>>>>> SPD additions: >>>>>>>> In Section 2.1 some additional fields to be added to the SPD >>>>>>>> Processing component are described informally. RFC 4301 which >>>>>>>> >> has >> >>>>>>>> >>>>>> the >>>>>> >>>>>> >>>>>> >>>>>>>> unmodified version of the Processing component also has a >>>>>>>> >> formal >> >>>>>>>> >>>>>> ASN.1 >>>>>> >>>>>> >>>>>> >>>>>>>> description. I think this document needs an updated ASN.1 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> desciption >>>>>> >>>>>> >>>>>> >>>>>>>> also. >>>>>>>> >>>>>>>> Further the description talks about adding 'processing info' >>>>>>>> >>>>>>>> >>>> fields >>>> >>>> >>>>>> if >>>>>> >>>>>> >>>>>> >>>>>>>> the >>>>>>>> 'processing info field is set to PROTECT'. Although this partly >>>>>>>> reflects the >>>>>>>> wording in the body of RFC 4301, it is rather confusing when >>>>>>>> >>>>>>>> >>>> looking >>>> >>>> >>>>>> at >>>>>> >>>>>> >>>>>> >>>>>>>> the >>>>>>>> ASN.1. The wording of para 3 of S2.1 might be better as: >>>>>>>> If the SPD entry is an IPsecEntry (to PROTECT traffic) then >>>>>>>> >> the >> >>>>>>>> Processing >>>>>>>> item of the IPsecEntry must be extended with the following >>>>>>>> >>>>>>>> >>>> items: >>>> >>>> >>>>>> On refelection, I agree that using IPsecEntry in s2.1 wouldn't be >>>>>> appropriate. However I think the wording could still be improved. >>>>>> Retry: >>>>>> If the processing action associated with the selector sets is >>>>>> PROTECT, then the processing info must be >>>>>> extended with the following ROHC channel parameters: >>>>>> >>>>>> >>>>>> >>>>> OK; sounds good! >>>>> >>>>> >>>>> >>>>> >>>>>>> A while back, we were thinking of adding ASN.1 notation to the >>>>>>> >>>>>>> >>>>>>> >>>>>> draft...however we opted not to. This is because Appendix C in >>>>>> >> RFC >> >>>>>> 4301 is only an example ASN.1 definition of a SPD and is referred >>>>>> >> to >> >>>> as >>>> >>>> >>>>>> "merely illustrative". Since our extensions would've expanded >>>>>> upon/augmented this non-normative text, we decided to leave it >>>>>> >> out. >> >>>>>> Sure, it is illustrative, but it also seems to have specified a >>>>>> >>>>>> >>>> fully >>>> >>>> >>>>>> qualified OID. This indicates to me that at least some people may >>>>>> >>>>>> >>>> be >>>> >>>> >>>>>> using this as an access mechanism for the SPD. In that case >>>>>> >>>>>> >>>> formally >>>> >>>> >>>>>> specifying the ASN.1 would be highly desirable even if it is not >>>>>> normative. Doubtless there are other people who know if the SPD >>>>>> >> is >> >>>>>> accessed this way (e.g. as a MIB) even if I don't. >>>>>> >>>>>> >>>>>> >>>>> OK. We developed the ASN.1 representation of the ROHC parameters >>>>> >> and >> >>>> plan to incorporate it as an Appendix to the draft. The text reads >>>> >> as >> >>>> follows: >>>> >>>> >>>>> Appendix A. ASN.1 representation for ROHCoIPsec >>>>> >>>>> This appendix is included as an additional way to describe the >>>>> ROHCoIPsec parameters that are included in the IPsec SPD. It >>>>> >> uses >> >>>>> portions of the ASN.1 syntax provided in Appendix C of RFC 4301 >>>>> [IPSEC]. In addition, several new structures are defined. >>>>> >>>>> This syntax has been successfully compiled. However, it is >>>>> >> merely >> >>>>> illustrative and need not be employed in an implementation to >>>>> >>>>> >>>> achieve >>>> >>>> >>>>> compliance. >>>>> >>>>> The "Processing" data structure, defined in Appendix C of RFC >>>>> >>>>> >>>> 4301, >>>> >>>> >>>>> is augmented to include a ROHC parameters element as follows: >>>>> >>>>> Processing ::= SEQUENCE { >>>>> extSeqNum BOOLEAN, -- TRUE 64 bit counter, FALSE 32 >>>>> >>>>> >>>> bit >>>> >>>> >>>>> seqOverflow BOOLEAN, -- TRUE rekey, FALSE terminate & >>>>> >>>>> >>>> audit >>>> >>>> >>>>> fragCheck BOOLEAN, -- TRUE stateful fragment >>>>> >> checking, >> >>>>> -- FALSE no stateful fragment >>>>> >>>>> >>>> checking >>>> >>>> >>>>> lifetime SALifetime, >>>>> spi ManualSPI, >>>>> algorithms ProcessingAlgs, >>>>> rohc RohcParams, >>>>> tunnel TunnelOptions OPTIONAL >>>>> } >>>>> >>>>> The following data structures describe these ROHC parameters: >>>>> >>>>> RohcParams ::= SEQUENCE { >>>>> rohcEnabled BOOLEAN, -- TRUE, hdr compression >>>>> >> is >> >>>> enabled >>>> >>>> >>>>> -- FALSE, hdr compression >>>>> >> is >> >>>> disabled >>>> >>>> >>>>> maxCID INTEGER (0..16383), >>>>> mrru INTEGER, >>>>> profiles RohcProfiles, >>>>> rohcIntegAlg RohcIntegAlgs, >>>>> rohcIntegICVLength INTEGER >>>>> } >>>>> >>>>> RohcProfiles ::= SET OF RohcProfile >>>>> >>>>> RohcProfile ::= INTEGER { >>>>> rohcv1-rtp (1), >>>>> rohcv1-udp (2), >>>>> rohcv1-esp (3), >>>>> rohcv1-ip (4), >>>>> >>>>> rohcv1-tcp (6), >>>>> rohcv1-rtp-udpLite (7), >>>>> rohcv1-udpLite (8), >>>>> >>>>> rohcv2-rtp (257), >>>>> rohcv2-udp (258), >>>>> rohcv2-esp (259), >>>>> rohcv2-ip (260), >>>>> >>>>> rohcv2-rtp-udpLite (263), >>>>> rohcv2-udpLite (264) >>>>> } >>>>> >>>>> RohcIntegAlgs ::= SEQUENCE { >>>>> algorithm RohcIntegAlgType, >>>>> parameters ANY -- DEFINED BY algorithm -- OPTIONAL } >>>>> >>>>> RohcIntegAlgType ::= INTEGER { >>>>> none (0), >>>>> auth-HMAC-MD5-96 (1), >>>>> auth-HMAC-SHA1-96 (2), >>>>> auth-DES-MAC (3), >>>>> auth-KPDK-MD5 (4), >>>>> auth-AES-XCBC-96 (5), >>>>> auth-HMAC-MD5-128 (6), >>>>> auth-HMAC-SHA1-160 (7), >>>>> auth-AES-CMAC-96 (8), >>>>> auth-AES-128-GMAC (9), >>>>> auth-AES-192-GMAC (10), >>>>> auth-AES-256-GMAC (11), >>>>> auth-HMAC-SHA2-256-128 (12), >>>>> auth-HMAC-SHA2-384-192 (13), >>>>> auth-HMAC-SHA2-512-256 (14) >>>>> -- tbd (15..65535) >>>>> } >>>>> >>>>> I think that does it! Let me know if this looks good to you. >>>>> >>>>> V/R, >>>>> Emre >>>>> >>>>> >>>>> > >
- [Gen-art] Gen-art reiew of draft-ietf-rohc-ipsec-… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies
- Re: [Gen-art] Gen-art reiew of draft-ietf-rohc-ip… Elwyn Davies