Comments to draft-ietf-ippm-ipsec-08
Tero Kivinen <kivinen@iki.fi> Thu, 29 January 2015 10:36 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51CF11A019B; Thu, 29 Jan 2015 02:36:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YT203VrjwuQ4; Thu, 29 Jan 2015 02:36:54 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E4391A0193; Thu, 29 Jan 2015 02:36:54 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t0TAaqem027534 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 29 Jan 2015 12:36:52 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t0TAamvt007364; Thu, 29 Jan 2015 12:36:48 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21706.3392.910550.950465@fireball.kivinen.iki.fi>
Date: Thu, 29 Jan 2015 12:36:48 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ietf@ietf.org
Subject: Comments to draft-ietf-ippm-ipsec-08
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 18 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/7fMlYAfDFxiBEeXpF_HQqm-tC0I>
Cc: draft-ietf-ippm-ipsec.all@tools.ietf.org, ippm@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 10:36:55 -0000
In the whole draft there are several cases where IPsec is spelled incorrectly (IPSec). -- In section 5.3 there is text saying: The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can uniquely identify the Security Association (SA). If the client supports the derivation of shared secret key from IKEv2 SA, it will choose the corresponding mode value and carry SPIi and SPIr in the Key ID field. SPIi and SPIr MUST be included in the Key ID field of Set-Up-Response Message to indicate the IKEv2 SA from which the O/ TWAMP shared secret key derived from. The length of SPI is 4 octets. ^ Therefore, the first 4 octets of Key ID field MUST carry SPIi and the ^ second 4 octets MUST carry SPIr. The remaining bits of the Key ID ^ field MUST set to zero. This is wrong. The SPIi and SPIr in the IKEv2 SA are 8 octets each. The ESP and AH SPI is 4 octets, for IKEv2 SA it is 8+8. Also in the next paragraph it should say "first 16 octets" not "first 8 octets". -- In section 5.4 you there is text: ... If the two endpoints are already connected through an IPSec tunnel it is RECOMMENDED that the O/TWAMP measurement packets are forwarded over the IPSec tunnel if the peers choose the unauthenticated mode in order to ensure authenticity and security. Part of the IPsec architecture model specifies policy rules which dictate which packets go to the tunnel and which do not. This text above seems to indicate that someone else than the policy rules could say that those O/TWAMP measurement packets might ignore those policy rules and go out bypassing those rules. I think it would be better to rewrite the text above to reflect that the IPsec policy model is followed with those packets just as for any other packets. I.e. the normal case would be that IPsec policy rules will specify whether the measurement packets go to the tunnel or not. If I understand correctly that this text tries to say that IPsec tunnel should be configured so that it SHOULD include O/TWAMP measurement packets, even when using unauthenticated mode, to ensure authenticity and security. -- kivinen@iki.fi
- Comments to draft-ietf-ippm-ipsec-08 Tero Kivinen
- AW: Comments to draft-ietf-ippm-ipsec-08 Kostas Pentikousis