IETF Logo Mail Archive

Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 19 June 2013 22:12 UTC

Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09B5C21F9E4A for <hipsec@ietfa.amsl.com>; Wed, 19 Jun 2013 15:12:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9h+cS5CF8qID for <hipsec@ietfa.amsl.com>; Wed, 19 Jun 2013 15:12:08 -0700 (PDT)
Received: from blv-mbsout-01.boeing.com (blv-mbsout-01.boeing.com [130.76.32.231]) by ietfa.amsl.com (Postfix) with ESMTP id 6B03521F9C2F for <hipsec@ietf.org>; Wed, 19 Jun 2013 15:12:01 -0700 (PDT)
Received: from blv-mbsout-01.boeing.com (localhost.localdomain [127.0.0.1]) by blv-mbsout-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with ESMTP id r5JMCeYQ009544 for <hipsec@ietf.org>; Wed, 19 Jun 2013 15:12:40 -0700
Received: from XCH-NWHT-09.nw.nos.boeing.com (xch-nwht-09.nw.nos.boeing.com [130.247.25.115]) by blv-mbsout-01.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id r5JMCdRf009539 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Wed, 19 Jun 2013 15:12:40 -0700
Received: from XCH-NW-16V.nw.nos.boeing.com ([130.247.25.238]) by XCH-NWHT-09.nw.nos.boeing.com ([130.247.25.115]) with mapi; Wed, 19 Jun 2013 15:11:59 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: 'Petri Jokela' <petri.jokela@nomadiclab.com>, HIP <hipsec@ietf.org>
Date: Wed, 19 Jun 2013 15:11:58 -0700
Thread-Topic: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis
Thread-Index: Ac5ozHyOuGZXe0jnRhme264uf4JvpwEbLrHg
Message-ID: <758141CC3D829043A8C3164DD3D593EA2EA6C32580@XCH-NW-16V.nw.nos.boeing.com>
References: <512C6912.1070206@ericsson.com> <758141CC3D829043A8C3164DD3D593EA2E513280A6@XCH-NW-16V.nw.nos.boeing.com> <1F03C185-5919-48BE-9492-90A7049A8F46@nomadiclab.com>
In-Reply-To: <1F03C185-5919-48BE-9492-90A7049A8F46@nomadiclab.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Cc: "rgm@icsalabs.com" <rgm@icsalabs.com>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 22:12:15 -0000

> -----Original Message-----
> From: Petri Jokela [mailto:petri.jokela@nomadiclab.com]
> Sent: Thursday, June 13, 2013 11:58 PM
> To: Henderson, Thomas R; HIP
> Cc: rgm@icsalabs.com; jan.melen@nomadiclab.com Melen
> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis
> 
> 
> On 11.3.2013, at 23.57, Henderson, Thomas R wrote:
> 
> > This is a WGLC review of RFC5202-bis.
> >
> > This draft seems to be close to being ready.  There are two areas
> (more detail below) that IMO could be clarified or else left out of
> scope:
> >
> > 1) handling of simultaneous IPsec and HIP ESP
> 
> 
> Hi,
> 
> I somehow missed this point when I was fixing the document. I'm not
> sure what we should do with this, any comments or suggestions?

I posted the comment, which said:

"Section 3.4, third paragraph.  I don't know the basis for the assertion that HIP SA processing takes place always before the IPsec processing.  Isn't this implementation dependent?  What HIP processing is being referred to here, pseudo-header manipulation, or more?  Can we delete this paragraph, or otherwise clarify? "


> Currently the document says:
> 
> 3.4.  IPsec and HIP ESP Implementation Considerations
> 
>    When HIP is run on a node where a standards compliant IPsec is used,
>    some issues have to be considered.
> 
>    The HIP implementation must be able to co-exist with other IPsec
>    keying protocols.  When the HIP implementation selects the SPI
> value,
>    it may lead to a collision if not implemented properly.  To avoid
> the
>    possibility for a collision, the HIP implementation MUST ensure that
>    the SPI values used for HIP SAs are not used for IPsec or other SAs,
>    and vice versa.
> 
>    In the sending host, the HIP SA processing takes place always before
>    the IPsec processing.  Vice versa, at the receiving host, the IPsec
>    processing is done first for incoming packets and the decrypted
>    packet is further given to the HIP processing.
> 
>    Incoming packets using an SA that is not negotiated by HIP MUST NOT
>    be processed as described in Section 3.2, paragraph 2.  The SPI will
>    identify the correct SA for packet decryption and MUST be used to
>    identify that the packet has an upper-layer checksum that is
>    calculated as specified in [I-D.ietf-hip-rfc5201-bis].
> 
> 


I propose to delete the paragraph starting with "In the sending host,..." if there are no other comments.  I don't understand the use case that is suggested by this paragraph.

- Tom

v2.23.0 | Report a Bug | By Email