[IPsec] Some thoughts on draft-ietf-ipsecme-roadmap[-01]
Alfred Hönes <ah@tr-sys.de> Mon, 09 March 2009 22:35 UTC
Return-Path: <A.Hoenes@tr-sys.de>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3BB363A6A04 for <ipsec@core3.amsl.com>; Mon, 9 Mar 2009 15:35:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.708
X-Spam-Level: *
X-Spam-Status: No, score=1.708 tagged_above=-999 required=5 tests=[AWL=0.157, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, GB_I_LETTER=-2, HELO_EQ_DE=0.35, MANGLED_LIST=2.3, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X1Mjh9ax+IbS for <ipsec@core3.amsl.com>; Mon, 9 Mar 2009 15:35:01 -0700 (PDT)
Received: from WOTAN.TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id 9A25628C0D8 for <ipsec@ietf.org>; Mon, 9 Mar 2009 15:35:00 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3) id AA259628017; Mon, 9 Mar 2009 23:33:37 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id XAA06138; Mon, 9 Mar 2009 23:33:36 +0100 (MEZ)
From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200903092233.XAA06138@TR-Sys.de>
To: draft-ietf-ipsecme-roadmap@tools.ietf.org, ipsec@ietf.org
Date: Mon, 09 Mar 2009 23:33:35 +0100
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
Subject: [IPsec] Some thoughts on draft-ietf-ipsecme-roadmap[-01]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2009 22:35:06 -0000
Below are a few thoughts that came to my mind studying draft-ietf-ipsecme-roadmap. Admittedly, this review has originally been done for the -00 draft, and new material in the recent -01 has only been skimmed over quickly, but I hope that these considerations will be useful anyway. (A) Section 2.1 There are some more clearly distinct categories of documents, some new for the current version of IPsec / IKEv2 : o documents extending the architecture (MSEC etc., some are mentioned in section 6/8) -- this also comprises BTNS; o documents specifying key management extensions / alternatives to IKEv2 (also overlap with MSEC and BTNS!); o documents expanding the set of Authentication methods for IKEv2, in particular EAP methods suitable for IKEv2; o documents specifiying / advising on the application of IPsec in specific contexts / for specific applications. Should Sect. 2.1/2.* be amended with such categories? Would these groupings provide guidelines for another (perferable?) grouping of parts of Sect. 6..8 ? (B) Use of alternate cryptographic building blocks: Documents for IPsec transforms based on SEED and GOST primitives are not mentioned in the document so far. For more details regarding Camellia, see below. Linear walk-through including nits ++++++++++++++++++++++++++++++++++ (1) Sect.1 Only very specific RFCs specify their publication *date* (perhaps wait 3 weeks to see such!), they regularly only give the *month* -- and so does this memo. So I suggests to s/date/month/ . (2) Sect. 2.2.1, 1st para (recurs in 2.3.1) "IPsec ... use _in_ other protocols." does not match the protocol layering and might therefore be considered confusing. I suggest "use _with_ other protocols." (3) Sect. 3.1 -- "headers" Hmmm -- ESP is not a "header" , it is an encapsulation (as the 'E' in the acronyme says), having a header and a trailer part and an embedded encrypted payload (unless NULL encryption is used). Suggestion: s/[extension] headers/payload [protection] protocols/ . (4) Sect. 3.1.1 (RFC 2401) : s/the the/the/ (SAD) : s/factilitate/facilitate/ ^ (5) Sect. 3.1.2 "[RFC4301] updates [RFC2401]," Hmmm -- RFC 4301 indeed replaced / succeeded / superseded / *Obsoleted* RFC 2401 ! Similar for 2402 --> 4302 and 2406 --> 4303 . (6) Sect. 3.5 (RFC 5406) : Text should be amended to indicate that this memo is related to "Old" IPsec only! (7) Sect. 4.1.2 (RFC 4306) : s/DOI.It/DOI. It/ (8) Sect. 4.2.2 (RFC 4806) : s/(e.g. firewall)/(e.g., in a firewall)/ (9) Sect. 5.2 1st para: s/integrity(protection/integrity protection/ ^ ^ (RFC 4312) Updates are in progress for the use of Camellia in IPsec ... (draft-kato-ipsec-camellia-modes, draft-kato-camellia-ctrccm) (10) Sect. 5.3 The Japanese Cryptographic community is also in the process of defining integrity transforms based on Camellia in place of AES, for all common cipher-based integrity protection transforms. (11) Sect. 5.4, 1st para The IPsec documents generally reserve the term 'algorithm' to cryptographic primitives, and denotes the higher-level buliding blocks specifically customized to IPsec / IKEv* as "crytographic transforms". Thus, s/algorithm/"transform"/g ?? (12) Sect. 5.4 The Camellia documents mentioned above also introduce Camellia-CCM; another work-in-progress, draft-kato-ipsec-camellia-gcm, adds Camellia-GCM; both documents should perhaps be listed as well. (13) Sect. 5.5 The Camellia document set also is going to define Camellia-based PRFs for IKEv2. Should these be listed as well? (14) Sect. 5.6, 1st para -- "inifinite number" Combining transforms from finite sets of IANA registered algorithms and their finite variety of applicable parameter values, thank God, only yields a *finite* set of working combinations. "Infinite" should not be used thoughtlessly! (A similar issue recurs in Sect. 6, 1st para) (15) Sect. 5.7 -- headline IMHO, "Diffie-Hellman Algorithms" is perhaps too narrow. Why not use the more 'functional' and precise term, "Key Agreement Algorithms" ? (16) Sect. 7.6 (16a) headline The acronyms of DNS resource record types are written in all uppercase letters; so sorry, s/IPsecKEY/IPSECKEY/ ! ;-) (16b) body s/material in DNS/material in the DNS/ (17) References s/[RFC 5410]/[RFC5410]/ ^ Kind regards, Alfred Hönes. -- +------------------------+--------------------------------------------+ | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | | D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | +------------------------+--------------------------------------------+
- [IPsec] Some thoughts on draft-ietf-ipsecme-roadm… Alfred Hönes