Re: [IPsec] Editorial changes to RFC5996
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 18 October 2013 14:11 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53AF811E81D9 for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 07:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5GmFl-wCJSdk for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 07:11:49 -0700 (PDT)
Received: from mail-ee0-x235.google.com (mail-ee0-x235.google.com [IPv6:2a00:1450:4013:c00::235]) by ietfa.amsl.com (Postfix) with ESMTP id 1122D11E81C8 for <ipsec@ietf.org>; Fri, 18 Oct 2013 07:11:48 -0700 (PDT)
Received: by mail-ee0-f53.google.com with SMTP id t10so2023616eei.26 for <ipsec@ietf.org>; Fri, 18 Oct 2013 07:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=LP9tlAnRvijQvTstUyMeFYPB2hg/NHnmHcT0ZoekBqQ=; b=ZAkB2blTEgyx2nUXjjYhv4WNZcogzQauEaWVVBe9ZeLJEQwl+c/ik0nIV9REIw4H0b YXgWD6CSLCdHw4RrMosS3MdDPi/WklS7jN1cdbaNYL9+5Bhb3Uf6LKMEpYTJn22SnXpR BtuYJC/Pd73D/ycgp62xEZFXgPc1z+bKurdKHHwgjoEJLIx00RzK7y1xB9ae+s93A3kC XrOfILuwjtlkXyA3LM3EhiKXxWk3E+cNsTt8SorO2YTa2cvYF/vi+9ceyc8XE6KiM3iU mb4tH9hXaEhIKlys/CyJGC7RorgICrnTjYgwbvar82rdz88U7yY4tqzPct9bCOB41Oa9 KbOQ==
X-Received: by 10.14.204.5 with SMTP id g5mr7416eeo.110.1382105508163; Fri, 18 Oct 2013 07:11:48 -0700 (PDT)
Received: from [10.0.0.2] (bzq-79-183-168-3.red.bezeqint.net. [79.183.168.3]) by mx.google.com with ESMTPSA id s3sm5042909eeo.3.2013.10.18.07.11.46 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 18 Oct 2013 07:11:47 -0700 (PDT)
Message-ID: <526141A0.5030206@gmail.com>
Date: Fri, 18 Oct 2013 17:11:44 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Valery Smyslov <svanru@gmail.com>, Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
References: <21087.60447.758422.672867@fireball.kivinen.iki.fi> <7C1EFED8998C4309B562F2224DD39AA2@buildpc>
In-Reply-To: <7C1EFED8998C4309B562F2224DD39AA2@buildpc>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [IPsec] Editorial changes to RFC5996
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 14:11:50 -0000
Hi Valery, Sorry for being the Bad Guy on this. Your #6 does not seem editorial to me. Similarly, #8 (adding new RFC 2119 language) is not editorial. I would suggest to implement #6 only if it is critical to interoperability or security, and to forgo #8. By the way, your correction #2 still does not do it IMHO. The sentence refers to RFC 5996. So: "IKEv2 as stated in RFC 4306 was a change to the IKE protocol that was not backward compatible. RFC 5996 revised RFC 4306 to provide a clarification of IKEv2, making minimum changes to the IKEv2 protocol. The current document slightly revises RFC 5996 to make it suitable for progression to Internet Standard." Thanks, Yaron On 2013-10-18 16:52, Valery Smyslov wrote: > Hi all, > > as RFC5996 is revised, I suggest to make some editorial changes > to improve its clarity and to fix some small issues that I found. > > 1. Section 1.6 Requirements Terminology is placed far from the begining > of the document and all the requirements words, along with terms > from RFC4301 etc. are used before they are formally introduced. > I don't think it is appropriate for standards track document. > I suggest to move this section before Introduction. > > 2. Page 5: > "IKEv2 was a change to the IKE protocol that was not backward > compatible. In contrast, the current document not only provides a > clarification of IKEv2, but makes minimum changes to the IKE > protocol." > > For me this piece sounds strange. I think it should look like: > > "IKEv2 was a change to the IKE protocol that was not backward > compatible. In contrast, the current document only provides a > clarification of IKEv2, and makes minimum changes to the IKEv2 > protocol." > > 3. Page 10. > "HDR contains the Security Parameter Indexes (SPIs), version numbers, > and flags of various sorts." > > Not mentioned Message ID, Exchange Type (and Next Payload and length, > but they are not very important here). I suggest to change: > > "HDR contains the Security Parameter Indexes (SPIs), version numbers, > Type of Exchange, Message ID and flags of various sorts." > > 4. Page 11. > "At this point in the negotiation, each party can generate SKEYSEED, > from which all keys are derived for that IKE SA." > > Term SKEYSEED pops up from nowhere. No reference is gived and > even no word is explained what is it all about. First-time readers will > definitely be puzzled. I suggest to change: > > "At this point in the negotiation, each party can generate a quantity > called SKEYSEED (see section 2.14), from which all keys are derived > for that IKE SA." > > 5. Page 14, 15 and 16 > "The responder replies (using the same Message ID to respond) with the > accepted offer in an SA payload, and a Diffie-Hellman value in the > KEr payload if KEi was included in the request and the selected > cryptographic suite includes that group." > > "The responder replies (using the same Message ID to respond) with the > accepted offer in an SA payload, and a Diffie-Hellman value in the > KEr payload if the selected cryptographic suite includes that group." > > "The responder replies (using the same Message ID to respond) with the > accepted offer in an SA payload, and a Diffie-Hellman value in the > KEr payload if KEi was included in the request and the selected > cryptographic suite includes that group." > > All three sentencies look like they were copy-pasted and all three > lacks mention Nonce Payload. I think it should be explicitely > mentioned here, as it was mentioned in descriptions of Initiator's message, > above each of this sentencies. > > And I also think that words in parentheses here are superfluous, > as this requirement is comon for all exchanges, not only for > CREATE_CHILD_SA, > and stated several times in the document. So, I suggest to change: > > "The responder replies with the accepted offer in an SA payload, > nonce in the Nr payload and a Diffie-Hellman value in the > KEr payload if KEi was included in the request and the selected > cryptographic suite includes that group." > > "The responder replies with the accepted offer in an SA payload, > nonce in the Nr payload and a Diffie-Hellman value in the > KEr payload if the selected cryptographic suite includes that group." > > "The responder replies with the accepted offer in an SA payload, > nonce in the Nr payload and a Diffie-Hellman value in the > KEr payload if KEi was included in the request and the selected > cryptographic suite includes that group." > > 6. Page 19. > "The recipient of this notification cannot tell > whether the SPI is for AH or ESP, but this is not important because > the SPIs are supposed to be different for the two." > > Why "is supposed to be different"? RFC4301 clearly states: > "For a unicast SA, the SPI can be used by itself to specify an SA, > or it may be > used in conjunction with the IPsec protocol type." > > So I suggest to change as follows: > > "The recipient of this notification cannot tell > whether the SPI is for AH or ESP, but this is not important because > in many cases the SPIs will be different for the two." > > And some words should be added for the case when SPIs are not > different for AH and ESP. I have no good suggestion here. > > 7. Page 31. > Phrase "(see Section 2.6)" actually references the same section. It > should either > be removed or corrected. > > 8. Page 31. > "However, if the responder sends a non-zero > responder SPI, the initiator should not reject the response for only > that reason." > > Should here "should not" be "SHOULD NOT"? > > 9. Page 49. > "There are two types of EAP authentication (described in > Section 2.16), and each type uses different values in the AUTH > computations shown above. If the EAP method is key-generating, > substitute master session key (MSK) for the shared secret in the > computation. For non-key-generating methods, substitute SK_pi and > SK_pr, respectively, for the shared secret in the two AUTH > computations." > > Isn't this para superfluous here? Its content belongs to EAP authentication > and in fact it is described in more details two pages below. > > 10. Page 51. > "As described in Section 2.2, when EAP is used, each pair of IKE SA > initial setup messages will have their message numbers incremented; > the first pair of AUTH messages will have an ID of 1, the second will > be 2, and so on." > > Should be: > > "As described in Section 2.2, when EAP is used, each pair of IKE SA > initial setup messages will have their message numbers incremented; > the first pair of IKE_AUTH messages will have an ID of 1, the second > will > be 2, and so on." > > 11. Page 52: > "A single CHILD_SA negotiation may result in multiple Security > Associations." > > Should be: > > "A single CREATE_CHILD_SA negotiation may result in multiple Security > Associations." > > > > That's all for now. > Valery. > > > > > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Updated version of RFC5996bis Tero Kivinen
- Re: [IPsec] Updated version of RFC5996bis Paul Wouters
- Re: [IPsec] Updated version of RFC5996bis Yaron Sheffer
- Re: [IPsec] Updated version of RFC5996bis Yoav Nir
- Re: [IPsec] Updated version of RFC5996bis Paul Wouters
- Re: [IPsec] Updated version of RFC5996bis Tero Kivinen
- [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Yoav Nir
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- [IPsec] One more editorial issue in RFC5996 Valery Smyslov
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- Re: [IPsec] RFC5996bis editorial change in sectio… Yaron Sheffer
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- Re: [IPsec] RFC5996bis editorial change in sectio… Valery Smyslov
- Re: [IPsec] RFC5996bis editorial change in sectio… Yaron Sheffer
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 3.… Tero Kivinen
- [IPsec] RFC5996bis section 3.1 comment Paul Wouters
- [IPsec] RFC5996bis section 3.1 comment Tero Kivinen