[IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
<Pasi.Eronen@nokia.com> Thu, 17 September 2009 13:04 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A25E73A6A00 for <ipsec@core3.amsl.com>; Thu, 17 Sep 2009 06:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.409
X-Spam-Level:
X-Spam-Status: No, score=-6.409 tagged_above=-999 required=5 tests=[AWL=0.190, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRp76s1QDbV4 for <ipsec@core3.amsl.com>; Thu, 17 Sep 2009 06:04:27 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 6F7E23A689F for <ipsec@ietf.org>; Thu, 17 Sep 2009 06:04:27 -0700 (PDT)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id n8HD4q5V002126 for <ipsec@ietf.org>; Thu, 17 Sep 2009 16:05:09 +0300
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 16:05:14 +0300
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 16:05:13 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 16:05:09 +0300
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Thu, 17 Sep 2009 15:05:06 +0200
From: Pasi.Eronen@nokia.com
To: ipsec@ietf.org
Date: Thu, 17 Sep 2009 15:05:04 +0200
Thread-Topic: AD review comments for draft-ietf-ipsecme-traffic-visibility
Thread-Index: Aco3l3kkjbL+0N0PT/mqG6eTSIFVVA==
Message-ID: <808FD6E27AD4884E94820BC333B2DB773C06B22D72@NOK-EUMSG-01.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Sep 2009 13:05:09.0525 (UTC) FILETIME=[7C1B8C50:01CA3797]
X-Nokia-AV: Clean
Subject: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2009 13:04:28 -0000
I've now done my AD review for draft-ietf-ipsecme-traffic-visibility-08. I have two substantive comments, and a bunch of minor clarifications/nits. The substantive comments first: - A question: did the WG discuss the pros and cons of integrity protecting the WESP header? (This does make WESP more complex to implement, and currently the WESP header does not contain any data that would benefit from integrity protection in any way.) - IPv6 requires extension headers to be aligned on 8-octet boundaries, and I believe this requirement applies to ESP, too (see e.g. RFC 4303 Section 2.3, 2nd paragraph). All current ESP specs (all encryption algorithms, UDP encapsulation, etc.) meet the 8-octet alignment requirement -- but adding a new four-octet header there obviously breaks it. Some minor clarifications/editorial nits: - The text currently uses "using ESP-NULL [RFC2410]" and "unencrypted" as synonyms. This was accurate before RFC4543, but is not any more. This needs some clarifying text somewhere (perhaps Section 1). - Section 1 needs a sentence or two motivating the existence of the "E" bit -- currently it comes as a surprise to the reader later. - Section 2/2.1: In Figures 1, 2, and 3, the bit numbers should be shifted one character to the right. - Section 2: In some parts of the text, the last 8 bits of the WESP header are called "Flags"; in other parts, the last 5 bits are called "Flags". I'd suggest changing e.g. Figure 2 so that last 5 bits are called "Rsvd" or something. - Section 2: "The bits are defined LSB first, so bit 0 would be the least significant bit of the flags octet." This doesn't match the bit numbering in Figure 2 (where bit 0 is the most significant bit). However, the bit numbers are not really used anywhere, so I would just suggest deleting this sentence. - Section 2: It would be helpful if the text explicitly said that HdrLen values less than 12 are invalid (and probably HdrLen values that are not multiple of 4 are invalid, and multiple of 8 for IPv6 case). - Section 2: the text about TrailerLen is a bit unclearly written -- the offset from the end of the packet to the last byte of the payload would be a negative number. I'd suggest phrasing this something like the "The number of bytes following the payload data in the packet, in octets: i.e. the total length of TFC Padding (normally not present for unencrypted packets), ESP Trailer (Padding, Pad Length, Next Header), and ESP ICV." - Section 2: "the packet must be dropped" -> "the packet MUST be dropped" - The figures in 2.2.1 and 2.2.2 are very confusing, since they suggest WESP could be applied as a separate step after ESP processing (that was possible in some earlier versions of the draft, but not any more since ICV covers the WESP header). Since they don't really present much new compared to the figures in RFC 4303 Section 3.1.1/3.1.2, perhaps they could be omitted? Or if we want to keep them, they probably should show the packet before applying ESP? - Section 3: s/IPSec/IPsec/ - Section 4: this section is missing the allocation of SPI value 2 to indicate WESP from the "SPI Values" registry. - Section 4 should say that for the WESP Version Number, the unassigned values are 1, 2, and 3. - Section 6: [RFC4306], [RFC3948], and [RFC5226] should be normative references, not informative. Best regards, Pasi
- [IPsec] AD review comments for draft-ietf-ipsecme… Pasi.Eronen
- [IPsec] AD review comments for draft-ietf-ipsecme… Tero Kivinen
- Re: [IPsec] AD review comments for draft-ietf-ips… Grewal, Ken
- Re: [IPsec] AD review comments for draft-ietf-ips… Tero Kivinen
- Re: [IPsec] AD review comments for draft-ietf-ips… Yaron Sheffer
- Re: [IPsec] AD review comments for draft-ietf-ips… gabriel montenegro
- Re: [IPsec] AD review comments for draft-ietf-ips… Pasi.Eronen