Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis
Petri Jokela <petri.jokela@nomadiclab.com> Fri, 14 June 2013 06:57 UTC
Return-Path: <petri.jokela@nomadiclab.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72FAF21F9C3D for <hipsec@ietfa.amsl.com>; Thu, 13 Jun 2013 23:57:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SGQPr6yLmiaV for <hipsec@ietfa.amsl.com>; Thu, 13 Jun 2013 23:57:45 -0700 (PDT)
Received: from gw.nomadiclab.com (gw.nomadiclab.com [193.234.218.122]) by ietfa.amsl.com (Postfix) with ESMTP id 0C03E21F9C3F for <hipsec@ietf.org>; Thu, 13 Jun 2013 23:57:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by gw.nomadiclab.com (Postfix) with ESMTP id B5A9C4E6EC; Fri, 14 Jun 2013 09:57:41 +0300 (EEST)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from gw.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q8npwpwqe6I2; Fri, 14 Jun 2013 09:57:41 +0300 (EEST)
Received: from [IPv6:::1] (inside.nomadiclab.com [10.0.0.2]) by gw.nomadiclab.com (Postfix) with ESMTP id 155144E6D4; Fri, 14 Jun 2013 09:57:40 +0300 (EEST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Petri Jokela <petri.jokela@nomadiclab.com>
In-Reply-To: <758141CC3D829043A8C3164DD3D593EA2E513280A6@XCH-NW-16V.nw.nos.boeing.com>
Date: Fri, 14 Jun 2013 09:57:40 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F03C185-5919-48BE-9492-90A7049A8F46@nomadiclab.com>
References: <512C6912.1070206@ericsson.com> <758141CC3D829043A8C3164DD3D593EA2E513280A6@XCH-NW-16V.nw.nos.boeing.com>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>, HIP <hipsec@ietf.org>
X-Mailer: Apple Mail (2.1283)
Cc: rgm@icsalabs.com
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2013 06:57:50 -0000
On 11.3.2013, at 23.57, Henderson, Thomas R wrote: > This is a WGLC review of RFC5202-bis. > > This draft seems to be close to being ready. There are two areas (more detail below) that IMO could be clarified or else left out of scope: > > 1) handling of simultaneous IPsec and HIP ESP Hi, I somehow missed this point when I was fixing the document. I'm not sure what we should do with this, any comments or suggestions? Currently the document says: 3.4. IPsec and HIP ESP Implementation Considerations When HIP is run on a node where a standards compliant IPsec is used, some issues have to be considered. The HIP implementation must be able to co-exist with other IPsec keying protocols. When the HIP implementation selects the SPI value, it may lead to a collision if not implemented properly. To avoid the possibility for a collision, the HIP implementation MUST ensure that the SPI values used for HIP SAs are not used for IPsec or other SAs, and vice versa. In the sending host, the HIP SA processing takes place always before the IPsec processing. Vice versa, at the receiving host, the IPsec processing is done first for incoming packets and the decrypted packet is further given to the HIP processing. Incoming packets using an SA that is not negotiated by HIP MUST NOT be processed as described in Section 3.2, paragraph 2. The SPI will identify the correct SA for packet decryption and MUST be used to identify that the packet has an upper-layer checksum that is calculated as specified in [I-D.ietf-hip-rfc5201-bis]. /petri
- [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Gonzalo Camarillo
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Henderson, Thomas R
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Petri Jokela
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Ari Keränen
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Henderson, Thomas R
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Petri Jokela
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Gonzalo Camarillo
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Henderson, Thomas R
- Re: [Hipsec] WGLC: draft-ietf-hip-rfc5202-bis Henderson, Thomas R