[IPsec] Some comments to the draft-ietf-ipsecme-qr-ikev2-01.txt
Tero Kivinen <kivinen@iki.fi> Tue, 06 February 2018 17:34 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 214B912D811; Tue, 6 Feb 2018 09:34:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t06h60qAWnCF; Tue, 6 Feb 2018 09:34:55 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91A93127136; Tue, 6 Feb 2018 09:34:51 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w16HYkPQ002795 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 6 Feb 2018 19:34:46 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w16HYkcq000019; Tue, 6 Feb 2018 19:34:46 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23161.59190.256739.684496@fireball.acr.fi>
Date: Tue, 06 Feb 2018 19:34:46 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: draft-ietf-ipsecme-qr-ikev2@ietf.org
CC: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 33 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0GqLCJBoKJipDQyDYB-GFPbzTIc>
Subject: [IPsec] Some comments to the draft-ietf-ipsecme-qr-ikev2-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 17:34:57 -0000
While approving the IANA expert request for this document I noticed
some things that might require some fixes to the draft:
--
In section 1.1 (which will be removed) there is typo in PPK_SUUPORT.
--
In section 3 it would be better to use the same format than what is
used in the RFC7296 when using notify payloads with data in it, i.e.
replace
N(PPK_IDENTITY)(PPK_ID)
with
N(PPK_IDENTITY, PPK_ID)
(see example use in RFC7296 section 2.8.1 or RFC5685).
--
In section 4 there is text saying:
If the responder has not been upgraded and properly configured,
they will both realize it, and in that case, the link will be
quantum secure.
I think there is something wrong with that. If the responder is not
upgraded, then link will not be quantum safe. Same if it is not
properly configured. I think it is trying to say that "If the
responder has been upgraded and ..."
--
In appendix A there is text saying:
By limiting our changes to notifications, and translating the
nonces, it is hoped that this would be implementable, even on
systems that perform much of the IKEv2 processing is in hardware.
I think the text "translating the nonces" is leftover from old design
and should be changed to reflect the fact that this now changes the
SK_d, SK_pi and SK_pr.
--
kivinen@iki.fi
- [IPsec] Some comments to the draft-ietf-ipsecme-q… Tero Kivinen
- Re: [IPsec] Some comments to the draft-ietf-ipsec… Valery Smyslov