[IPsec] Editorial changes to RFC5996
"Valery Smyslov" <svanru@gmail.com> Fri, 18 October 2013 13:52 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E5011E81C4 for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 06:52:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vnK2UJg5Epc for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 06:52:53 -0700 (PDT)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8D311E822A for <ipsec@ietf.org>; Fri, 18 Oct 2013 06:52:49 -0700 (PDT)
Received: by mail-lb0-f173.google.com with SMTP id o14so3156459lbi.18 for <ipsec@ietf.org>; Fri, 18 Oct 2013 06:52:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=T4huQFOCnMudIn3XSO8Ehr12Os06vn6I6ujhgnl3tD0=; b=OhWeUmP5u4XTaEeZLjdyKQsFx2bWrMvDegdlZ6PiKOAnljvrY4/25JvEPZuptedmHs PS/ddovTlWvR+WwPwpcLshawWVNqyKPDPJHWL8cL3Ld6MfxIayHiKP/etaDjjHsM3NBx sDnai1tIswhy92GKWVobVCvEy/oyFCWOLKvYQfmTETr8hHFcTBJS2GR2X1EU9teUWqdr P6ThAGqZqf7mkzyyOiR85LsCyrLo/A78vwe1XtxI2MJWrd5TWP1+MvHSSWVzRZAuSlgF ysrDNM4XTqxvy4p9gOGZVUJ8iX/Xd0RWAWXgeFO3GnT6//VNEX4HPASp+jV7AFW0Q02p U0eA==
X-Received: by 10.152.4.38 with SMTP id h6mr2673238lah.12.1382104368879; Fri, 18 Oct 2013 06:52:48 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id ao4sm1701799lac.1.2013.10.18.06.52.45 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 18 Oct 2013 06:52:48 -0700 (PDT)
Message-ID: <7C1EFED8998C4309B562F2224DD39AA2@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
References: <21087.60447.758422.672867@fireball.kivinen.iki.fi>
Date: Fri, 18 Oct 2013 17:52:42 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="ISO-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: [IPsec] Editorial changes to RFC5996
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 13:52:54 -0000
Hi all, as RFC5996 is revised, I suggest to make some editorial changes to improve its clarity and to fix some small issues that I found. 1. Section 1.6 Requirements Terminology is placed far from the begining of the document and all the requirements words, along with terms from RFC4301 etc. are used before they are formally introduced. I don't think it is appropriate for standards track document. I suggest to move this section before Introduction. 2. Page 5: "IKEv2 was a change to the IKE protocol that was not backward compatible. In contrast, the current document not only provides a clarification of IKEv2, but makes minimum changes to the IKE protocol." For me this piece sounds strange. I think it should look like: "IKEv2 was a change to the IKE protocol that was not backward compatible. In contrast, the current document only provides a clarification of IKEv2, and makes minimum changes to the IKEv2 protocol." 3. Page 10. "HDR contains the Security Parameter Indexes (SPIs), version numbers, and flags of various sorts." Not mentioned Message ID, Exchange Type (and Next Payload and length, but they are not very important here). I suggest to change: "HDR contains the Security Parameter Indexes (SPIs), version numbers, Type of Exchange, Message ID and flags of various sorts." 4. Page 11. "At this point in the negotiation, each party can generate SKEYSEED, from which all keys are derived for that IKE SA." Term SKEYSEED pops up from nowhere. No reference is gived and even no word is explained what is it all about. First-time readers will definitely be puzzled. I suggest to change: "At this point in the negotiation, each party can generate a quantity called SKEYSEED (see section 2.14), from which all keys are derived for that IKE SA." 5. Page 14, 15 and 16 "The responder replies (using the same Message ID to respond) with the accepted offer in an SA payload, and a Diffie-Hellman value in the KEr payload if KEi was included in the request and the selected cryptographic suite includes that group." "The responder replies (using the same Message ID to respond) with the accepted offer in an SA payload, and a Diffie-Hellman value in the KEr payload if the selected cryptographic suite includes that group." "The responder replies (using the same Message ID to respond) with the accepted offer in an SA payload, and a Diffie-Hellman value in the KEr payload if KEi was included in the request and the selected cryptographic suite includes that group." All three sentencies look like they were copy-pasted and all three lacks mention Nonce Payload. I think it should be explicitely mentioned here, as it was mentioned in descriptions of Initiator's message, above each of this sentencies. And I also think that words in parentheses here are superfluous, as this requirement is comon for all exchanges, not only for CREATE_CHILD_SA, and stated several times in the document. So, I suggest to change: "The responder replies with the accepted offer in an SA payload, nonce in the Nr payload and a Diffie-Hellman value in the KEr payload if KEi was included in the request and the selected cryptographic suite includes that group." "The responder replies with the accepted offer in an SA payload, nonce in the Nr payload and a Diffie-Hellman value in the KEr payload if the selected cryptographic suite includes that group." "The responder replies with the accepted offer in an SA payload, nonce in the Nr payload and a Diffie-Hellman value in the KEr payload if KEi was included in the request and the selected cryptographic suite includes that group." 6. Page 19. "The recipient of this notification cannot tell whether the SPI is for AH or ESP, but this is not important because the SPIs are supposed to be different for the two." Why "is supposed to be different"? RFC4301 clearly states: "For a unicast SA, the SPI can be used by itself to specify an SA, or it may be used in conjunction with the IPsec protocol type." So I suggest to change as follows: "The recipient of this notification cannot tell whether the SPI is for AH or ESP, but this is not important because in many cases the SPIs will be different for the two." And some words should be added for the case when SPIs are not different for AH and ESP. I have no good suggestion here. 7. Page 31. Phrase "(see Section 2.6)" actually references the same section. It should either be removed or corrected. 8. Page 31. "However, if the responder sends a non-zero responder SPI, the initiator should not reject the response for only that reason." Should here "should not" be "SHOULD NOT"? 9. Page 49. "There are two types of EAP authentication (described in Section 2.16), and each type uses different values in the AUTH computations shown above. If the EAP method is key-generating, substitute master session key (MSK) for the shared secret in the computation. For non-key-generating methods, substitute SK_pi and SK_pr, respectively, for the shared secret in the two AUTH computations." Isn't this para superfluous here? Its content belongs to EAP authentication and in fact it is described in more details two pages below. 10. Page 51. "As described in Section 2.2, when EAP is used, each pair of IKE SA initial setup messages will have their message numbers incremented; the first pair of AUTH messages will have an ID of 1, the second will be 2, and so on." Should be: "As described in Section 2.2, when EAP is used, each pair of IKE SA initial setup messages will have their message numbers incremented; the first pair of IKE_AUTH messages will have an ID of 1, the second will be 2, and so on." 11. Page 52: "A single CHILD_SA negotiation may result in multiple Security Associations." Should be: "A single CREATE_CHILD_SA negotiation may result in multiple Security Associations." That's all for now. Valery.
- [IPsec] Updated version of RFC5996bis Tero Kivinen
- Re: [IPsec] Updated version of RFC5996bis Paul Wouters
- Re: [IPsec] Updated version of RFC5996bis Yaron Sheffer
- Re: [IPsec] Updated version of RFC5996bis Yoav Nir
- Re: [IPsec] Updated version of RFC5996bis Paul Wouters
- Re: [IPsec] Updated version of RFC5996bis Tero Kivinen
- [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Yoav Nir
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- [IPsec] One more editorial issue in RFC5996 Valery Smyslov
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- Re: [IPsec] RFC5996bis editorial change in sectio… Yaron Sheffer
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- Re: [IPsec] RFC5996bis editorial change in sectio… Valery Smyslov
- Re: [IPsec] RFC5996bis editorial change in sectio… Yaron Sheffer
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 3.… Tero Kivinen
- [IPsec] RFC5996bis section 3.1 comment Paul Wouters
- [IPsec] RFC5996bis section 3.1 comment Tero Kivinen