Re: [IPsec] CORRECTION: One last review: draft-ietf-ipsecme-ikev2bis

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 14 April 2010 16:48 UTC

Date: Wed, 14 Apr 2010 09:48:14 -0700
To: Tero Kivinen <kivinen@iki.fi>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] CORRECTION: One last review: draft-ietf-ipsecme-ikev2bis

At 5:24 PM +0300 4/14/10, Tero Kivinen wrote:
>In section 1.2 the text
>
>   The recipients of messages 3 and 4 MUST verify that all signatures
>   and MACs are computed correctly.
>
>was changed to
>
>   Both parties in the IKE_SA_INIT exchange MUST verify that all
>   signatures and MACs are computed correctly.
>
>which is wrong, as IKE_SA_INIT is messages 1 and 2, IKE_AUTH is the
>messages 3 and 4. IKE_SA_INIT messages do not have signatures or MACs.

Good catch: fixed in -10.

>----------------------------------------------------------------------
>In section 2.23 the following text was removed:
>
>"UDP encapsulation MUST NOT be done on port 500."
>
>I think that text should still be there.

Agree.

>
>Also you removed the mandatory requirement for listening on port 4500 if
>NAT-T is supported. So I would add the first bullet back. I do not
>understand why this was removed:
>
>   o  IKE MUST listen on port 4500 as well as port 500.  IKE MUST
>      respond to the IP address and port from which packets arrived.
>
>Yes, the last part is explained multiple times, but it is especially
>important for the NAT-T case, which makes it worth repeating in this
>requirement list.

This was removed because it appears in a list that is preceded with "In this section only, requirements listed as MUST apply only to implementations supporting NAT traversal." As you say, it also applies even if NAT traversal is not supported.

>----------------------------------------------------------------------
>In section 2.25 there is a typo:
>
>s/REYEY_SA/REKEY_SA/

Done.

>----------------------------------------------------------------------
>In section 3.3.1 the -09 version says:
>
>"the SPI is obtained from the outer IP header."
>
>which is completely wrong. The IP header does not have an SPI field; the IKE
>header has an SPI field. Remove the offending "IP", which was added in the
>last version.

Done.

--Paul Hoffman, Director
--VPN Consortium
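The three protocol points raised in this exchange (IKE_SA_INIT messages carry no signatures or MACs, UDP encapsulation is not done on port 500 while port 4500 carries both IKE and ESP, and the SPI is read from the IKE header rather than the IP header) are shown below in a small receive-side demultiplexer. This is an added example written for this archive page; it is not text from draft-ietf-ipsecme-ikev2bis, nor code from the working group or either correspondent. The header layout and exchange-type numbers follow RFC 5996 section 3.1 and the non-ESP marker and keepalive follow RFC 3948; the function names and all sample datagrams are constructed for the demonstration.

```python
"""Where IKEv2 SPIs live, and how UDP ports 500 and 4500 differ.

Added example, not from the draft or the thread. The SPI is taken from the
IKE header (the IP header has none); port 500 carries bare IKE only; port
4500 carries IKE behind a 4-byte non-ESP marker, UDP-encapsulated ESP, or a
NAT keepalive (RFC 3948); IKE_SA_INIT is the only exchange sent without an
SK payload. Sample packets are constructed.
"""
import struct

# Exchange types, RFC 5996 section 3.1
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
EXCHANGE_NAMES = {IKE_SA_INIT: "IKE_SA_INIT", IKE_AUTH: "IKE_AUTH",
                  CREATE_CHILD_SA: "CREATE_CHILD_SA", INFORMATIONAL: "INFORMATIONAL"}
# IKE header: Initiator SPI(8) Responder SPI(8) Next Payload(1) Version(1)
# Exchange Type(1) Flags(1) Message ID(4) Length(4), network byte order.
IKE_HEADER = struct.Struct("!QQBBBBII")
NEXT_PAYLOAD_SK = 46                   # Encrypted and Authenticated payload
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on port 4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive, port 4500 only


def parse_ike_header(data):
    """Decode a bare IKEv2 header; the SPIs come from here and nowhere else."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("short IKE header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if exch not in EXCHANGE_NAMES:
        raise ValueError("unknown exchange type %d" % exch)
    if length != len(data):
        raise ValueError("IKE length field %d != datagram size %d" % (length, len(data)))
    return {
        "kind": "IKE",
        "initiator_spi": ispi,
        "responder_spi": rspi,
        "exchange": EXCHANGE_NAMES[exch],
        "message_id": msg_id,
        "is_response": bool(flags & FLAG_RESPONSE),
        # IKE_SA_INIT (messages 1 and 2) has no signatures or MACs to check;
        # every later exchange is wrapped in an SK payload that must be verified.
        "integrity_protected": exch != IKE_SA_INIT and next_payload == NEXT_PAYLOAD_SK,
    }


def demux_udp_payload(dst_port, payload):
    """Classify a UDP datagram received on an IKE port.

    Port 500: bare IKE only. UDP encapsulation is not done there, so a
    marker-prefixed datagram fails the header checks instead of being
    silently misparsed.
    Port 4500: non-ESP marker + IKE, UDP-encapsulated ESP (first 4 bytes are
    the ESP SPI, which is never zero, so it cannot collide with the marker),
    or a NAT keepalive.
    """
    if dst_port == 500:
        return parse_ike_header(payload)
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return {"kind": "NAT-KEEPALIVE"}
        if payload[:4] == NON_ESP_MARKER:
            return parse_ike_header(payload[4:])
        if len(payload) < 8:
            raise ValueError("short ESP header")
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "ESP", "spi": spi, "seq": seq}
    raise ValueError("port %d is not an IKE port" % dst_port)


def build_ike(ispi, rspi, exch, flags, msg_id, next_payload=0, body=b""):
    """Construct a minimal IKEv2 datagram (sample data for this demo only)."""
    return IKE_HEADER.pack(ispi, rspi, next_payload, 0x20, exch, flags, msg_id,
                           IKE_HEADER.size + len(body)) + body


# Constructed samples: message 1 (IKE_SA_INIT) on port 500; message 3
# (IKE_AUTH) after the peers moved to port 4500; ESP on port 4500.
SAMPLE_MSG1 = build_ike(0x1122334455667788, 0, IKE_SA_INIT, FLAG_INITIATOR, 0)
SAMPLE_MSG3 = NON_ESP_MARKER + build_ike(0x1122334455667788, 0x99AABBCCDDEEFF00,
                                         IKE_AUTH, FLAG_INITIATOR, 1,
                                         next_payload=NEXT_PAYLOAD_SK, body=b"\x00" * 8)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_MSG1), (4500, SAMPLE_MSG3),
                      (4500, SAMPLE_ESP), (4500, NAT_KEEPALIVE)]:
        print(port, demux_udp_payload(port, pkt))
```

The `integrity_protected` flag is the receive-side counterpart of the section 1.2 wording under discussion: a parser can tell from the exchange type alone that an IKE_SA_INIT datagram has nothing to verify yet, while anything later must arrive inside an SK payload whose integrity check is mandatory before the contents are trusted.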