Re: Comments to draft-ietf-ippm-ipsec-08

Kostas Pentikousis <k.pentikousis@eict.de> Wed, 11 February 2015 16:59 UTC

From: Kostas Pentikousis <k.pentikousis@eict.de>
To: Tero Kivinen <kivinen@iki.fi>, "ietf@ietf.org" <ietf@ietf.org>
Date: Wed, 11 Feb 2015 17:59:17 +0100
Subject: Re: Comments to draft-ietf-ippm-ipsec-08
Message-ID: <0C7EDCF89AB9E2478B5D010026CFF4AEB5AB748D11@SBS2008.eict.local>
References: <21706.3392.910550.950465@fireball.kivinen.iki.fi>
In-Reply-To: <21706.3392.910550.950465@fireball.kivinen.iki.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/QlbUq-FWshLb6xNRoWfXjir7OUk>
Cc: "draft-ietf-ippm-ipsec.all@tools.ietf.org" <draft-ietf-ippm-ipsec.all@tools.ietf.org>, "ippm@ietf.org" <ippm@ietf.org>

Dear Tero,

Many thanks for catching that. Much appreciated. We have now updated the document accordingly.

Best regards,

Kostas


| -----Original Message-----
| From: Tero Kivinen [mailto:kivinen@iki.fi]
| Sent: Thursday, 29 January 2015 11:37
| To: ietf@ietf.org
| Cc: ippm@ietf.org; draft-ietf-ippm-ipsec.all@tools.ietf.org
| Subject: Comments to draft-ietf-ippm-ipsec-08
| 
| In the whole draft there are several cases where IPsec is spelled incorrectly
| (IPSec).
| 
| --
| 
| In section 5.3 there is text saying:
| 
|    The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can
|    uniquely identify the Security Association (SA).  If the client
|    supports the derivation of shared secret key from IKEv2 SA, it will
|    choose the corresponding mode value and carry SPIi and SPIr in the
|    Key ID field.  SPIi and SPIr MUST be included in the Key ID field of
|    Set-Up-Response Message to indicate the IKEv2 SA from which the O/
|    TWAMP shared secret key derived from.  The length of SPI is 4 octets.
|                                                                ^
|    Therefore, the first 4 octets of Key ID field MUST carry SPIi and the
|                         ^
|    second 4 octets MUST carry SPIr.  The remaining bits of the Key ID
|           ^
|    field MUST set to zero.
| 
| This is wrong. The SPIi and SPIr in the IKEv2 SA are 8 octets each.
| The ESP and AH SPI is 4 octets; for an IKEv2 SA it is 8+8. Also, the next
| paragraph should say "first 16 octets", not "first 8 octets".
| 
| --
| 
| In section 5.4 there is text:
| 
|                                                            ... If
|    the two endpoints are already connected through an IPSec tunnel it
|    is RECOMMENDED that the O/TWAMP measurement packets are forwarded
|    over the IPSec tunnel if the peers choose the unauthenticated mode
|    in order to ensure authenticity and security.
| 
| Part of the IPsec architecture model specifies policy rules which dictate
| which packets go to the tunnel and which do not. The text above seems to
| indicate that something other than the policy rules could decide that those
| O/TWAMP measurement packets may ignore the policy rules and go out bypassing
| them.
| 
| I think it would be better to rewrite the text above to reflect that the IPsec
| policy model is followed for those packets just as for any other packets,
| i.e. the normal case would be that the IPsec policy rules specify whether the
| measurement packets go to the tunnel or not.
| If I understand correctly, this text tries to say that the IPsec tunnel should
| be configured so that it SHOULD include O/TWAMP measurement packets, even when
| using unauthenticated mode, to ensure authenticity and security.
| --
| kivinen@iki.fi
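The Key ID encoding discussed in the quoted comment, as an added example that is not code from draft-ietf-ippm-ipsec or from any O/TWAMP implementation: the IKEv2 SPIi and SPIr are 8 octets each, so they occupy the first 16 octets of the Key ID field and the remainder is zero. Assumptions: the Key ID field is 80 octets long (taken from the TWAMP Set-Up-Response layout in RFC 4656, not stated in the thread), and the SPI values are constructed.

```python
# Constructed example; not code from the draft or any O/TWAMP implementation.
# Assumption: the Key ID field of the Set-Up-Response is 80 octets (RFC 4656
# layout). SPI widths: IKEv2 SA SPI = 8 octets (RFC 7296), ESP/AH SPI = 4
# octets (RFC 4301). The -08 draft text used the 4-octet width by mistake.
KEY_ID_LEN = 80
IKEV2_SPI_LEN = 8
ESP_AH_SPI_LEN = 4


def encode_key_id(spi_i: bytes, spi_r: bytes, spi_len: int = IKEV2_SPI_LEN) -> bytes:
    """Build the Key ID field as SPIi || SPIr, zero-padded to KEY_ID_LEN.

    spi_len is the per-SPI width the layout assumes. With the correct value
    for an IKEv2 SA (8), SPIi and SPIr fill the first 16 octets.
    """
    if len(spi_i) != spi_len or len(spi_r) != spi_len:
        raise ValueError(f"each SPI must be exactly {spi_len} octets for this layout")
    body = spi_i + spi_r
    return body + b"\x00" * (KEY_ID_LEN - len(body))


def decode_key_id(key_id: bytes, spi_len: int = IKEV2_SPI_LEN) -> tuple:
    """Recover (SPIi, SPIr) and enforce that the remaining bits are zero."""
    if len(key_id) != KEY_ID_LEN:
        raise ValueError("Key ID field has the wrong length")
    spi_i, spi_r = key_id[:spi_len], key_id[spi_len:2 * spi_len]
    if any(key_id[2 * spi_len:]):
        # A receiver assuming 4-octet SPIs lands here: octets 8..15 of the
        # real SPIr are non-zero where it expects padding.
        raise ValueError("non-zero padding after SPIi||SPIr")
    return spi_i, spi_r


def roundtrip_ok(spi_i: bytes, spi_r: bytes, spi_len: int) -> bool:
    """True if IKEv2 SPIs survive an encode/decode that assumes spi_len octets per SPI."""
    try:
        return decode_key_id(encode_key_id(spi_i, spi_r), spi_len) == (spi_i, spi_r)
    except ValueError:
        return False


# Constructed IKEv2 SPIs, 8 octets each as carried in the IKE header.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")

if __name__ == "__main__":
    kid = encode_key_id(SPI_I, SPI_R)
    print("SPIi||SPIr occupy octets 0..%d" % (2 * IKEV2_SPI_LEN - 1))
    print("8-octet layout round-trips:", roundtrip_ok(SPI_I, SPI_R, IKEV2_SPI_LEN))
    print("4-octet layout round-trips:", roundtrip_ok(SPI_I, SPI_R, ESP_AH_SPI_LEN))
```

Running it shows the 8-octet layout round-trips and the 4-octet layout of the -08 text fails the zero-padding check, which is the concrete effect of the error Tero points out.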