Re: [IPsec] IETFLC comments for draft-ietf-ipsecme-ikev2bis-08
Paul Hoffman <paul.hoffman@vpnc.org> Sun, 07 March 2010 01:27 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 47A8E28C227; Sat, 6 Mar 2010 17:27:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.919
X-Spam-Level:
X-Spam-Status: No, score=-5.919 tagged_above=-999 required=5 tests=[AWL=0.127, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ueKNvSvxvt0; Sat, 6 Mar 2010 17:27:33 -0800 (PST)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 37E6428C226; Sat, 6 Mar 2010 17:27:33 -0800 (PST)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o271RYHE081831 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 6 Mar 2010 18:27:35 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240810c7b8ad71932e@[10.20.30.158]>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB7758482FF051@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB7758482FF051@NOK-EUMSG-01.mgdnok.nokia.com>
Date: Sat, 06 Mar 2010 17:27:32 -0800
To: Pasi.Eronen@nokia.com, ietf@ietf.org, ipsec@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [IPsec] IETFLC comments for draft-ietf-ipsecme-ikev2bis-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 01:27:34 -0000
At 12:55 PM +0100 3/6/10, <Pasi.Eronen@nokia.com> wrote: >Editorial suggestions/nits: > >- Section 2.7, last paragraph, is in wrong place; rest of 2.7 has >nothing to do with this topic, which is in 2.6. Suggested place: 2.6, >end of paragraph starting with "In the first message". >Also, "the responder's SPI will be zero" should be "the responder's >SPI will be zero also in the response message" (since the responder's >SPI is always zero in the IKE_SA_INIT request, but that's not what >this paragraph is about). Agree. >- One of the changes is listed in Section 1.7 twice. I'd suggest >combining > > In section 1.3.2, changed "The KEi payload SHOULD be included" to be > "The KEi payload MUST be included". This also led to changes in > section 2.18. > >and > > Section 2.18 requires doing a Diffie-Hellman exchange when rekeying > the IKE_SA. In theory, RFC 4306 allowed a policy where the Diffie- > Hellman exchange was optional, but this was not useful (or > appropriate) when rekeying the IKE_SA. > >as follows: > > This document requires doing a Diffie-Hellman exchange when > rekeying the IKE_SA (and thus requires including the KEi/KEr > payloads). In theory, RFC 4306 allowed a policy where the > Diffie-Hellman exchange was optional (and KEi/KEr payloads could be > omitted), this was not useful (or appropriate) when rekeying the > IKE_SA. Disagree. Where possible, I tried to list the actual sections where changes were made, and your proposed rewording loses the two places. The current text is more explicit than the proposed change. >- Section 2.8.2, last paragraph: it's not quite obvious why this >should be negotiated (the reason is that this notification was not >included in RFC 4306, but this section never says that). Suggested >rephrasing > > The TEMPORARY_FAILURE notification was not included in RFC 4306, > and support of the TEMPORARY_FAILURE notification is not negotiated. > Thus, older peers (implementing RFC 4306) may receive [... rest > of the paragraph unchanged...] Agree. >- Section 2.23, paragraph starting: "An initiator can use...". >IKEv2 packets are always over UDP, so IMHO the text would benefit >from some more precision when talking about UDP encapsulation. >Suggested edits: > >OLD: > An initiator can use port 4500 for both IKE and ESP, regardless of > whether or not there is a NAT, even at the beginning of IKE. When > either side is using port 4500, sending with UDP encapsulation is not > required, but understanding received IKE and ESP packets with UDP > encapsulation is required. UDP encapsulation MUST NOT be done on > port 500. If NAT-T is supported (that is, if NAT_DETECTION_*_IP > payloads were exchanged during IKE_SA_INIT), all devices MUST be able > to receive and process both UDP encapsulated and non-UDP encapsulated > packets at any time. Either side can decide whether or not to use > UDP encapsulation irrespective of the choice made by the other side. > However, if a NAT is detected, both devices MUST send UDP > encapsulated packets. >NEW: > An initiator can use port 4500 for both IKE and ESP, regardless of > whether or not there is a NAT, even at the beginning of IKE. When > either side is using port 4500, sending ESP with UDP encapsulation > is not required, but understanding received UDP encapsulated ESP > packets is required. If NAT-T is supported (that is, if > NAT_DETECTION_*_IP payloads were exchanged during IKE_SA_INIT), all > devices MUST be able to receive and process both UDP encapsulated > ESP and non-UDP encapsulated ESP packets at any time. Either side > can decide whether or not to use UDP encapsulation for ESP > irrespective of the choice made by the other side. However, if a > NAT is detected, both devices MUST use UDP encapsulation for ESP. Yes, that's clearer. >- Section 3.5: "ID_IPV6_ADDR instead of ID_IPV6_ADDR" should >be "...instead of ID_IPV4_ADDR"? Yep. >- Reference [PKIX] should be updated from RFC 3280 to 5280. Sure. >- Section 2.23.1, "hve" -> "have" Done. --Paul Hoffman, Director --VPN Consortium
- [IPsec] IETFLC comments for draft-ietf-ipsecme-ik… Pasi.Eronen
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… Paul Hoffman
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… Pasi.Eronen
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… Tero Kivinen
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… Paul Hoffman
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… Tero Kivinen
- [IPsec] IETFLC comments for draft-ietf-ipsecme-ik… Keith Welter
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… Yoav Nir
- Re: [IPsec] IETFLC comments for draft-ietf-ipsecm… V Jyothi-B22245