[IPsec] CORRECTION: One last review: draft-ietf-ipsecme-ikev2bis
Tero Kivinen <kivinen@iki.fi> Wed, 14 April 2010 14:25 UTC
Date: Wed, 14 Apr 2010 17:24:51 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p0624084cc7e42fb449b0@[10.20.30.158]>
References: <p06240847c7e412516686@[10.20.30.158]> <p0624084cc7e42fb449b0@[10.20.30.158]>
Cc: IPsecme WG <ipsec@ietf.org>
Paul Hoffman writes:
> I have revised the IKEv2bis draft with the IETF Last Call comments.
> It is available at
> <http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-09>. The
> diff is at
> <http://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-ikev2bis-09.txt>.
>
> This is the WG's final chance for review before this is sent to the
> IESG for their approval. Yaron will ask our new AD, Sean Turner, to
> send the document to the IESG sometime early next week, so please do
> a final check NOW to see whether there are any mistakes introduced
> in the -09. Thanks!

In section 1.2 the text

    The recipients of messages 3 and 4 MUST verify that all signatures
    and MACs are computed correctly.

was changed to

    Both parties in the IKE_SA_INIT exchange MUST verify that all
    signatures and MACs are computed correctly.

which is wrong, as IKE_SA_INIT is messages 1 and 2; IKE_AUTH is messages 3 and 4. IKE_SA_INIT messages do not have signatures or MACs.

----------------------------------------------------------------------

In section 2.23 the following text was removed:

    "UDP encapsulation MUST NOT be done on port 500."

I think that text should still be there. Also, you removed the mandatory requirement for listening on port 4500 if NAT-T is supported. So I would add the first bullet back. I do not understand why this was removed:

    o IKE MUST listen on port 4500 as well as port 500. IKE MUST
      respond to the IP address and port from which packets arrived.

Yes, the last part is explained multiple times, but it is especially important for the NAT-T case, which makes it worth repeating in this requirement list.

----------------------------------------------------------------------

In section 2.25 there is a typo: s/REYEY_SA/REKEY_SA/

----------------------------------------------------------------------

In section 3.3.1 the -09 version says:

    "the SPI is obtained from the outer IP header."

which is completely wrong. The IP header does not have an SPI field; the IKE header has the SPI field. Remove the offending "IP" which was added in the last version.

-- 
kivinen@iki.fi
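An added example, not part of the message or the draft, showing the framing rules the review points at: the SPIs are read from the IKE header rather than the IP header, port 500 carries a bare IKE header while port 4500 prefixes it with the four-zero-byte non-ESP marker (otherwise the datagram is UDP-encapsulated ESP or a one-byte keepalive), and the responder replies to the source address and port it saw. Header layout, exchange-type values and marker bytes are the RFC 4306 / RFC 3948 ones; the sample datagrams are constructed here.

```python
import struct
from dataclasses import dataclass

# Exchange types from the IKEv2 header. Only IKE_SA_INIT (messages 1 and 2)
# is unprotected; from IKE_AUTH (messages 3 and 4) on there are MACs to check.
IKE_SA_INIT = 34
IKE_AUTH = 35
IKEV2_VERSION = 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # port 4500 only (RFC 3948)
NAT_KEEPALIVE = b"\xff"


@dataclass
class IkeHeader:
    initiator_spi: int
    responder_spi: int
    next_payload: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(data: bytes) -> IkeHeader:
    """Parse the fixed 28-byte IKEv2 header; the SPIs live here, not in IP."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    ispi, rspi, np, ver, xchg, flags, mid, length = struct.unpack("!QQBBBBII", data[:28])
    if ver != IKEV2_VERSION:
        raise ValueError(f"not IKEv2: version byte {ver:#x}")
    return IkeHeader(ispi, rspi, np, xchg, flags, mid, length)


def classify_udp_payload(payload: bytes, dst_port: int):
    """Return (kind, IkeHeader or None) for a datagram received on 500 or 4500."""
    if dst_port == 500:
        return "ike", parse_ike_header(payload)          # no encapsulation on 500
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if payload[:4] == NON_ESP_MARKER:
            return "ike", parse_ike_header(payload[4:])  # IKE behind the marker
        return "udp-encap-esp", None                     # non-zero ESP SPI first
    raise ValueError(f"unexpected port {dst_port}")


def needs_integrity_check(hdr: IkeHeader) -> bool:
    """Everything after IKE_SA_INIT is integrity protected and must be verified."""
    return hdr.exchange_type != IKE_SA_INIT


def reply_endpoint(src_addr: str, src_port: int):
    """NAT-T rule: answer to the address/port the packet actually came from."""
    return (src_addr, src_port)


# Constructed samples: an IKE_SA_INIT request on 500, the same behind the marker on 4500,
# and a UDP-encapsulated ESP packet (SPI 0xabcd, seq 1) on 4500.
SAMPLE_IKE = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, IKEV2_VERSION, IKE_SA_INIT, 0x08, 0, 28)
SAMPLE_4500 = NON_ESP_MARKER + SAMPLE_IKE
SAMPLE_ESP_4500 = struct.pack("!II", 0xABCD, 1) + b"\x00" * 8
```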