IETF Logo Mail Archive

Re: [IPsec] WG Last Call: draft-ietf-ipsecme-roadmap-03

Scott C Moonen <smoonen@us.ibm.com> Fri, 21 August 2009 13:42 UTC

Return-Path: <smoonen@us.ibm.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1269628C127; Fri, 21 Aug 2009 06:42:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xa9qNVF9hjLn; Fri, 21 Aug 2009 06:42:04 -0700 (PDT)
Received: from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152]) by core3.amsl.com (Postfix) with ESMTP id 66A343A698B; Fri, 21 Aug 2009 06:42:04 -0700 (PDT)
Received: from d03relay02.boulder.ibm.com (d03relay02.boulder.ibm.com [9.17.195.227]) by e34.co.us.ibm.com (8.14.3/8.13.1) with ESMTP id n7LDc2Ne002665; Fri, 21 Aug 2009 07:38:02 -0600
Received: from d03av06.boulder.ibm.com (d03av06.boulder.ibm.com [9.17.195.245]) by d03relay02.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id n7LDflDn093370; Fri, 21 Aug 2009 07:41:48 -0600
Received: from d03av06.boulder.ibm.com (loopback [127.0.0.1]) by d03av06.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id n7LDgjgs011285; Fri, 21 Aug 2009 07:42:45 -0600
Received: from d03nm118.boulder.ibm.com (d03nm118.boulder.ibm.com [9.17.195.144]) by d03av06.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id n7LDgiLr011260; Fri, 21 Aug 2009 07:42:44 -0600
In-Reply-To: <p0624082ac6b1edf08aca@[10.20.30.158]>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC8E8ABD594E4@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120A80B@il-ex01.ad.checkpoint.com> <p0624082ac6b1edf08aca@[10.20.30.158]>
To: Paul Hoffman <paul.hoffman@vpnc.org>
MIME-Version: 1.0
X-KeepSent: 1D5343AC:F6DBE706-85257619:003FAAD2; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.0.2 HF623 January 16, 2009
From: Scott C Moonen <smoonen@us.ibm.com>
X-MIMETrack: S/MIME Sign by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 08/21/2009 09:26:34 AM, Serialize by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 08/21/2009 09:26:34 AM, Serialize complete at 08/21/2009 09:26:34 AM, S/MIME Sign failed at 08/21/2009 09:26:34 AM: The cryptographic key was not found, Serialize by Router on D03NM118/03/M/IBM(Build V851_08092009|August 09, 2009) at 08/21/2009 07:41:39, Serialize complete at 08/21/2009 07:41:39
Message-ID: <OF1D5343AC.F6DBE706-ON85257619.003FAAD2-85257619.004B393F@us.ibm.com>
Date: Fri, 21 Aug 2009 09:41:38 -0400
Content-Type: multipart/alternative; boundary="=_alternative 0049D80185257619_="
Cc: ipsec@ietf.org, ipsec-bounces@ietf.org
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-roadmap-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2009 13:42:06 -0000

I have the following comments.

1) Section 2.1, in both the text and the diagram, refers to combined-mode 
algorithms only in relation to ESP.  However, RFC 4543 defines the use of 
AES-GMAC for both ESP and AH.
2) Nit -- there are a few places that don't hyphenate "combined mode" when 
used as an adjective: "combined mode algorithm[s]" should be 
"combined-mode algorithm[s]".
3) Section 2.3.1, nit -- "at time" should read "at times".
4) Section 2.3.1, second paragraph -- The first sentence refers to two SA 
pairs and then the following sentences refer to two SAs.  Perhaps we 
should make this transition less abrupt?  I suggest inserting a sentence 
after the first to indicate that "SA" can be used to refer not only to the 
unidirectional SA but also to the pair.
5) Section 2.3.1, second paragraph -- Is it worth noting that "phase 1 SA" 
and "phase 2 SA" are also common names for the IKEv1 SAs?
6) Nit -- there are a couple spots where we have unfortunate widow/orphan 
lines.  E.g., between pp. 13/14 and 15/16.
7) Page 21 -- At the very top, the reference "psecme-2" should read 
"ipsecme-2".  Also, I'm curious why this reference is linked and some 
earlier ones (e.g., "ipsecme-3") aren't.
8) Section 5.3 -- Under RFC 2404, it mentions that SHA-1 ICVs are 
truncated to 96 bits for IPsec.  We should also mention that this 
truncation is done for IKEv2 as well.
9) Section 5.3 -- As above, AES-GMAC is a combined-mode algorithm.
10) Section 5.3 -- Under RFC 4543, it mentions that the salt "is generated 
by IKEv2".  Now that there are IANA assignments for IKEv1 to negotiate 
AES-GMAC for AH/ESP (thanks, Tero!), it seems appropriate to generalize 
this statement about the salt.
11) Section 5.3 -- Under RFC 2403, as with RFC 2404, IKEv2 truncates the 
ICV as well.
12) Section 5.4 -- Under RFC 4106, as with RFC 4543 above, we should 
generalize the statements "is generated by IKEv2" and "IKEv2 negotiations" 
to refer simply to IKE.

I glossed over some sections that aren't of significant interest to me.


Scott Moonen (smoonen@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen



From:
Paul Hoffman <paul.hoffman@vpnc.org>
To:
ipsec@ietf.org
Date:
08/19/2009 02:05 PM
Subject:
Re: [IPsec] WG Last Call: draft-ietf-ipsecme-roadmap-03



At 12:05 AM +0300 8/11/09, Yaron Sheffer wrote:
>This is the beginning of a two-week WG Last Call, which will end August 
24.
>The target status for this document is Informational (to obsolete RFC 
2411).
>The current document is at
>http://tools.ietf.org/html/draft-ietf-ipsecme-roadmap-03.

That was a week ago.

>If you have not read the document before now, please do so. Having fresh
>eyes on the document often brings up important issues. This document is 
very
>much a survey, so please also review it for completeness: are there
>documents that should be mentioned but aren't. Send any comments to the
>list, even if they are as simple as "I read it and it seems fine".

And, so far, we have heard nothing. *This is bad.* This is a WG document: 
that means it needs to have rough consensus of the WG. Silence is not 
consent.

>Please clearly indicate the position of any issue in the Internet Draft, 
and
>if possible provide alternative text. Indicate the nature or severity of 
the
>error or correction, e.g. major technical, minor technical, nit, so that 
we
>can quickly judge the extent of problems with the document.

...and do so within the next week.

If we do not get enough input during WG Last Call, we will have to 
reconsider how to handle this and future documents.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.30.2 | Report a Bug | By Email | System Status