IETF Logo Mail Archive

[IPsec] Editorial changes to RFC5996

"Valery Smyslov" <svanru@gmail.com> Fri, 18 October 2013 13:52 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E5011E81C4 for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 06:52:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vnK2UJg5Epc for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 06:52:53 -0700 (PDT)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8D311E822A for <ipsec@ietf.org>; Fri, 18 Oct 2013 06:52:49 -0700 (PDT)
Received: by mail-lb0-f173.google.com with SMTP id o14so3156459lbi.18 for <ipsec@ietf.org>; Fri, 18 Oct 2013 06:52:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=T4huQFOCnMudIn3XSO8Ehr12Os06vn6I6ujhgnl3tD0=; b=OhWeUmP5u4XTaEeZLjdyKQsFx2bWrMvDegdlZ6PiKOAnljvrY4/25JvEPZuptedmHs PS/ddovTlWvR+WwPwpcLshawWVNqyKPDPJHWL8cL3Ld6MfxIayHiKP/etaDjjHsM3NBx sDnai1tIswhy92GKWVobVCvEy/oyFCWOLKvYQfmTETr8hHFcTBJS2GR2X1EU9teUWqdr P6ThAGqZqf7mkzyyOiR85LsCyrLo/A78vwe1XtxI2MJWrd5TWP1+MvHSSWVzRZAuSlgF ysrDNM4XTqxvy4p9gOGZVUJ8iX/Xd0RWAWXgeFO3GnT6//VNEX4HPASp+jV7AFW0Q02p U0eA==
X-Received: by 10.152.4.38 with SMTP id h6mr2673238lah.12.1382104368879; Fri, 18 Oct 2013 06:52:48 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id ao4sm1701799lac.1.2013.10.18.06.52.45 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 18 Oct 2013 06:52:48 -0700 (PDT)
Message-ID: <7C1EFED8998C4309B562F2224DD39AA2@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
References: <21087.60447.758422.672867@fireball.kivinen.iki.fi>
Date: Fri, 18 Oct 2013 17:52:42 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="ISO-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: [IPsec] Editorial changes to RFC5996
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 13:52:54 -0000

Hi all,

as RFC5996 is revised, I suggest to make some editorial changes
to improve its clarity and to fix some small issues that I found.

1. Section 1.6 Requirements Terminology is placed far from the begining
    of the document and all the requirements words, along with terms
    from RFC4301 etc. are used before they are formally introduced.
    I don't think it is appropriate for standards track document.
    I suggest to move this section before Introduction.

2. Page 5:
   "IKEv2 was a change to the IKE protocol that was not backward
   compatible.  In contrast, the current document not only provides a
   clarification of IKEv2, but makes minimum changes to the IKE
   protocol."

For me this piece sounds strange. I think it should look like:

   "IKEv2 was a change to the IKE protocol that was not backward
   compatible.  In contrast, the current document only provides a
   clarification of IKEv2, and makes minimum changes to the IKEv2
   protocol."

3. Page 10.
   "HDR contains the Security Parameter Indexes (SPIs), version numbers,
   and flags of various sorts."

Not mentioned Message ID, Exchange Type (and Next Payload and length,
but they are not very important here). I suggest to change:

   "HDR contains the Security Parameter Indexes (SPIs), version numbers,
   Type of Exchange, Message ID and flags of various sorts."

4. Page 11.
   "At this point in the negotiation, each party can generate SKEYSEED,
   from which all keys are derived for that IKE SA."

Term SKEYSEED pops up from nowhere. No reference is gived and
even no word is explained what is it all about. First-time readers will
definitely be puzzled. I suggest to change:

   "At this point in the negotiation, each party can generate a quantity
    called SKEYSEED (see section 2.14), from which all keys are derived
    for that IKE SA."

5. Page 14, 15 and 16
   "The responder replies (using the same Message ID to respond) with the
   accepted offer in an SA payload, and a Diffie-Hellman value in the
   KEr payload if KEi was included in the request and the selected
   cryptographic suite includes that group."

   "The responder replies (using the same Message ID to respond) with the
   accepted offer in an SA payload, and a Diffie-Hellman value in the
   KEr payload if the selected cryptographic suite includes that group."

   "The responder replies (using the same Message ID to respond) with the
   accepted offer in an SA payload, and a Diffie-Hellman value in the
   KEr payload if KEi was included in the request and the selected
   cryptographic suite includes that group."

All three sentencies look like they were copy-pasted and all three
lacks mention Nonce Payload. I think it should be explicitely
mentioned here, as it was mentioned in descriptions of Initiator's message,
above each of this sentencies.

And I also think that words in parentheses here are superfluous,
as this requirement is comon for all exchanges, not only for 
CREATE_CHILD_SA,
and stated several times in the document. So, I suggest to change:

   "The responder replies with the accepted offer in an SA payload,
    nonce in the Nr payload and a Diffie-Hellman value in the
   KEr payload if KEi was included in the request and the selected
   cryptographic suite includes that group."

   "The responder replies with the accepted offer in an SA payload,
    nonce in the Nr payload and a Diffie-Hellman value in the
   KEr payload if the selected cryptographic suite includes that group."

   "The responder replies with the accepted offer in an SA payload,
    nonce in the Nr payload and a Diffie-Hellman value in the
   KEr payload if KEi was included in the request and the selected
   cryptographic suite includes that group."

6. Page 19.
    "The recipient of this notification cannot tell
   whether the SPI is for AH or ESP, but this is not important because
   the SPIs are supposed to be different for the two."

Why "is supposed to be different"? RFC4301 clearly states:
    "For a unicast SA, the SPI can be used by itself to specify an SA, or it 
may be
      used in conjunction with the IPsec protocol type."

So I suggest to change as follows:

    "The recipient of this notification cannot tell
   whether the SPI is for AH or ESP, but this is not important because
    in many cases the SPIs will be different for the two."

And some words should be added for the case when SPIs are not
different for AH and ESP. I have no good suggestion here.

7. Page 31.
Phrase "(see Section 2.6)" actually references the same section. It should 
either
be removed or corrected.

8. Page 31.
    "However, if the responder sends a non-zero
   responder SPI, the initiator should not reject the response for only
   that reason."

Should here "should not" be "SHOULD NOT"?

9. Page 49.
    "There are two types of EAP authentication (described in
   Section 2.16), and each type uses different values in the AUTH
   computations shown above.  If the EAP method is key-generating,
   substitute master session key (MSK) for the shared secret in the
   computation.  For non-key-generating methods, substitute SK_pi and
   SK_pr, respectively, for the shared secret in the two AUTH
   computations."

Isn't this para superfluous here? Its content belongs to EAP authentication
and in fact it is described in more details two pages below.

10. Page 51.
    "As described in Section 2.2, when EAP is used, each pair of IKE SA
   initial setup messages will have their message numbers incremented;
   the first pair of AUTH messages will have an ID of 1, the second will
   be 2, and so on."

Should be:

    "As described in Section 2.2, when EAP is used, each pair of IKE SA
   initial setup messages will have their message numbers incremented;
   the first pair of IKE_AUTH messages will have an ID of 1, the second will
   be 2, and so on."

11. Page 52:
    "A single CHILD_SA negotiation may result in multiple Security
   Associations."

Should be:

   "A single CREATE_CHILD_SA negotiation may result in multiple Security
   Associations."



That's all for now.
Valery.

v2.23.0 | Report a Bug | By Email