Re: [IPsec] Editorial changes to RFC5996
"Valery Smyslov" <svanru@gmail.com> Fri, 18 October 2013 14:24 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B9211E82C4 for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 07:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rHNtYs2Alqbx for <ipsec@ietfa.amsl.com>; Fri, 18 Oct 2013 07:24:29 -0700 (PDT)
Received: from mail-la0-x235.google.com (mail-la0-x235.google.com [IPv6:2a00:1450:4010:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id BDA6011E82B3 for <ipsec@ietf.org>; Fri, 18 Oct 2013 07:24:27 -0700 (PDT)
Received: by mail-la0-f53.google.com with SMTP id eo20so664711lab.12 for <ipsec@ietf.org>; Fri, 18 Oct 2013 07:24:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=BYdNX+mVchVJVVLm6PgN8egLlco/1Su2t6TCTqdv5R8=; b=iIv2jArm5d99Wrko0YhUs0RMAdFprkFjfUiYEcSQ9CrN/4/JfwZsD7eUNpfgDW8ViL vFx/FpA4QyEwt3G3sPXDrsyAIE+EfNLDwnmddBBl9+i8tUPbixeNpJd2hI9IxKV0qV/z 1IMvCEhqFQ0aFA2FkX25Xn2JKyEbYcNHRPHfnF6eYkIc0ghX9xNBLputp4mCCZMDpJbz e7KCsX/1S1xfK5AhACYf/Db1yYsLuEWagsbCuDiJxW/1JOoqr5aVV4e7jUBAaSpXL+r/ /oW3NXFIqNyvhg08xnIM0lDz5pBrfPm83rQ+00EMfLhjK3sTv2HmPp3lOM4PLdIp0lPW juKg==
X-Received: by 10.152.23.137 with SMTP id m9mr2695191laf.17.1382106266651; Fri, 18 Oct 2013 07:24:26 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id ua4sm2050645lbb.17.2013.10.18.07.24.25 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 18 Oct 2013 07:24:25 -0700 (PDT)
Message-ID: <3AAB8F2857A0484D9CE7DF44871E7D02@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
References: <21087.60447.758422.672867@fireball.kivinen.iki.fi> <7C1EFED8998C4309B562F2224DD39AA2@buildpc> <526141A0.5030206@gmail.com>
Date: Fri, 18 Oct 2013 18:24:24 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="ISO-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: Re: [IPsec] Editorial changes to RFC5996
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 14:24:30 -0000
Hi Yaron, > Hi Valery, > > Sorry for being the Bad Guy on this. Your #6 does not seem editorial to I think that current text is not aligned with RFC4301. We may leave it as is or try to find other form that would not appear so misaligned. > me. Similarly, #8 (adding new RFC 2119 language) is not editorial. I would > suggest to implement #6 only if it is critical to interoperability or > security, and to forgo #8. What about #8 - it's just a question from me. From my feeling it must be uppercase, but I might be wrong. We may leave it as is. > By the way, your correction #2 still does not do it IMHO. The sentence > refers to RFC 5996. So: > > "IKEv2 as stated in RFC 4306 was a change to the IKE protocol that was not > backward compatible. RFC 5996 revised RFC 4306 to provide a clarification > of IKEv2, making minimum changes to the IKEv2 protocol. The current > document slightly revises RFC 5996 to make it suitable for progression to > Internet Standard." Yes, your text is for RFC5996bis, while I made my notes a while ago and the text was for RFC5996. Of course your variant is better. Valery. > Thanks, > Yaron > > On 2013-10-18 16:52, Valery Smyslov wrote: >> Hi all, >> >> as RFC5996 is revised, I suggest to make some editorial changes >> to improve its clarity and to fix some small issues that I found. >> >> 1. Section 1.6 Requirements Terminology is placed far from the begining >> of the document and all the requirements words, along with terms >> from RFC4301 etc. are used before they are formally introduced. >> I don't think it is appropriate for standards track document. >> I suggest to move this section before Introduction. >> >> 2. Page 5: >> "IKEv2 was a change to the IKE protocol that was not backward >> compatible. In contrast, the current document not only provides a >> clarification of IKEv2, but makes minimum changes to the IKE >> protocol." >> >> For me this piece sounds strange. I think it should look like: >> >> "IKEv2 was a change to the IKE protocol that was not backward >> compatible. In contrast, the current document only provides a >> clarification of IKEv2, and makes minimum changes to the IKEv2 >> protocol." >> >> 3. Page 10. >> "HDR contains the Security Parameter Indexes (SPIs), version numbers, >> and flags of various sorts." >> >> Not mentioned Message ID, Exchange Type (and Next Payload and length, >> but they are not very important here). I suggest to change: >> >> "HDR contains the Security Parameter Indexes (SPIs), version numbers, >> Type of Exchange, Message ID and flags of various sorts." >> >> 4. Page 11. >> "At this point in the negotiation, each party can generate SKEYSEED, >> from which all keys are derived for that IKE SA." >> >> Term SKEYSEED pops up from nowhere. No reference is gived and >> even no word is explained what is it all about. First-time readers will >> definitely be puzzled. I suggest to change: >> >> "At this point in the negotiation, each party can generate a quantity >> called SKEYSEED (see section 2.14), from which all keys are derived >> for that IKE SA." >> >> 5. Page 14, 15 and 16 >> "The responder replies (using the same Message ID to respond) with the >> accepted offer in an SA payload, and a Diffie-Hellman value in the >> KEr payload if KEi was included in the request and the selected >> cryptographic suite includes that group." >> >> "The responder replies (using the same Message ID to respond) with the >> accepted offer in an SA payload, and a Diffie-Hellman value in the >> KEr payload if the selected cryptographic suite includes that group." >> >> "The responder replies (using the same Message ID to respond) with the >> accepted offer in an SA payload, and a Diffie-Hellman value in the >> KEr payload if KEi was included in the request and the selected >> cryptographic suite includes that group." >> >> All three sentencies look like they were copy-pasted and all three >> lacks mention Nonce Payload. I think it should be explicitely >> mentioned here, as it was mentioned in descriptions of Initiator's >> message, >> above each of this sentencies. >> >> And I also think that words in parentheses here are superfluous, >> as this requirement is comon for all exchanges, not only for >> CREATE_CHILD_SA, >> and stated several times in the document. So, I suggest to change: >> >> "The responder replies with the accepted offer in an SA payload, >> nonce in the Nr payload and a Diffie-Hellman value in the >> KEr payload if KEi was included in the request and the selected >> cryptographic suite includes that group." >> >> "The responder replies with the accepted offer in an SA payload, >> nonce in the Nr payload and a Diffie-Hellman value in the >> KEr payload if the selected cryptographic suite includes that group." >> >> "The responder replies with the accepted offer in an SA payload, >> nonce in the Nr payload and a Diffie-Hellman value in the >> KEr payload if KEi was included in the request and the selected >> cryptographic suite includes that group." >> >> 6. Page 19. >> "The recipient of this notification cannot tell >> whether the SPI is for AH or ESP, but this is not important because >> the SPIs are supposed to be different for the two." >> >> Why "is supposed to be different"? RFC4301 clearly states: >> "For a unicast SA, the SPI can be used by itself to specify an SA, >> or it may be >> used in conjunction with the IPsec protocol type." >> >> So I suggest to change as follows: >> >> "The recipient of this notification cannot tell >> whether the SPI is for AH or ESP, but this is not important because >> in many cases the SPIs will be different for the two." >> >> And some words should be added for the case when SPIs are not >> different for AH and ESP. I have no good suggestion here. >> >> 7. Page 31. >> Phrase "(see Section 2.6)" actually references the same section. It >> should either >> be removed or corrected. >> >> 8. Page 31. >> "However, if the responder sends a non-zero >> responder SPI, the initiator should not reject the response for only >> that reason." >> >> Should here "should not" be "SHOULD NOT"? >> >> 9. Page 49. >> "There are two types of EAP authentication (described in >> Section 2.16), and each type uses different values in the AUTH >> computations shown above. If the EAP method is key-generating, >> substitute master session key (MSK) for the shared secret in the >> computation. For non-key-generating methods, substitute SK_pi and >> SK_pr, respectively, for the shared secret in the two AUTH >> computations." >> >> Isn't this para superfluous here? Its content belongs to EAP >> authentication >> and in fact it is described in more details two pages below. >> >> 10. Page 51. >> "As described in Section 2.2, when EAP is used, each pair of IKE SA >> initial setup messages will have their message numbers incremented; >> the first pair of AUTH messages will have an ID of 1, the second will >> be 2, and so on." >> >> Should be: >> >> "As described in Section 2.2, when EAP is used, each pair of IKE SA >> initial setup messages will have their message numbers incremented; >> the first pair of IKE_AUTH messages will have an ID of 1, the second >> will >> be 2, and so on." >> >> 11. Page 52: >> "A single CHILD_SA negotiation may result in multiple Security >> Associations." >> >> Should be: >> >> "A single CREATE_CHILD_SA negotiation may result in multiple Security >> Associations." >> >> >> >> That's all for now. >> Valery. >> >> >> >> >> >> >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Updated version of RFC5996bis Tero Kivinen
- Re: [IPsec] Updated version of RFC5996bis Paul Wouters
- Re: [IPsec] Updated version of RFC5996bis Yaron Sheffer
- Re: [IPsec] Updated version of RFC5996bis Yoav Nir
- Re: [IPsec] Updated version of RFC5996bis Paul Wouters
- Re: [IPsec] Updated version of RFC5996bis Tero Kivinen
- [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Yoav Nir
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- Re: [IPsec] Editorial changes to RFC5996 Valery Smyslov
- Re: [IPsec] Editorial changes to RFC5996 Yaron Sheffer
- [IPsec] One more editorial issue in RFC5996 Valery Smyslov
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- Re: [IPsec] RFC5996bis editorial change in sectio… Yaron Sheffer
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- Re: [IPsec] RFC5996bis editorial change in sectio… Valery Smyslov
- Re: [IPsec] RFC5996bis editorial change in sectio… Yaron Sheffer
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 1.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 2.… Tero Kivinen
- [IPsec] RFC5996bis editorial change in section 3.… Tero Kivinen
- [IPsec] RFC5996bis section 3.1 comment Paul Wouters
- [IPsec] RFC5996bis section 3.1 comment Tero Kivinen