[IPsec] AD review of draft-ietf-ipsecme-esp-null-heuristics-03
<Pasi.Eronen@nokia.com> Wed, 27 January 2010 11:38 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFD393A68FC for <ipsec@core3.amsl.com>; Wed, 27 Jan 2010 03:38:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.055
X-Spam-Level:
X-Spam-Status: No, score=-6.055 tagged_above=-999 required=5 tests=[AWL=0.544, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzVQFN9-j6ys for <ipsec@core3.amsl.com>; Wed, 27 Jan 2010 03:38:21 -0800 (PST)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id D1F8A3A67F5 for <ipsec@ietf.org>; Wed, 27 Jan 2010 03:38:20 -0800 (PST)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o0RBcIVt004310 for <ipsec@ietf.org>; Wed, 27 Jan 2010 13:38:29 +0200
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 27 Jan 2010 13:37:45 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by esebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 27 Jan 2010 13:37:45 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Wed, 27 Jan 2010 12:37:38 +0100
From: Pasi.Eronen@nokia.com
To: ipsec@ietf.org
Date: Wed, 27 Jan 2010 12:37:38 +0100
Thread-Topic: AD review of draft-ietf-ipsecme-esp-null-heuristics-03
Thread-Index: AcqfRSC6xkpClHZlQnCjr9Nl/jw+1g==
Message-ID: <808FD6E27AD4884E94820BC333B2DB7758411DDBBD@NOK-EUMSG-01.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 27 Jan 2010 11:37:45.0879 (UTC) FILETIME=[252DAA70:01CA9F45]
X-Nokia-AV: Clean
Subject: [IPsec] AD review of draft-ietf-ipsecme-esp-null-heuristics-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2010 11:38:22 -0000
I've now done my AD review for the heuristics draft. Mostly the draft looks good, and all my comments are relatively minor. Least-minor first: - Appendix A.1: The pseudocode has couple of places where it says "Drop invalid packet"; it seems these are wrong when the packet is UDP encapsulated (this could still be perfectly valid UDP traffic, just something else than ESP). - Section 8.1: AUTH_HMAC_MD5_128 and AUTH_HMAC_SHA1_160 are not defined for IPsec ESP; these algorithms apply only to the FiberChannel security protocols. So they should be removed from this list (and since this was the only algorithm with 160-bit ICV, handling that case can be removed). - Section 8.1: AUTH_AES_128/192/256_GMAC cannot be used in ESP, only in AH; for ESP, the relevant algorithm is ENCR_NULL_AUTH_AES_GMAC. - Appendix A.1: shouldn't we also have tests for WESP here? "If IP protocol is WESP, process as described in [traffic-visibility]" "If first 4 bytes of UDP packet are 0x00000002, process as.. " (the details of WESP don't belong there, though, and a pointer would be quite sufficient IMHO) - Appendix A.2, "Verify TCP": the bits that are currently reserved might get allocated in the future (and half of the bits that were reserved in RFC 793 have been since allocated -- so it's not very clear exactly what "TCP.reserved_bits" means). - The document doesn't cover RSA authentication in ESP (RFC 4359). I guess this isn't really very relevant for environments where the heuristics might be used, so perhaps a sentence saying this is beyond the scope of this document would be sufficient. - Section 2.1, suggesting that AH might have more bugs doesn't sound like an argument that belongs in this document. - Section 2.3: the discussion about IPv6 and NATs does not belong in this document. - Section 3, 2nd para: "state of the flows" -> "... IPsec flows" Best regards, Pasi
- [IPsec] AD review of draft-ietf-ipsecme-esp-null-… Pasi.Eronen
- [IPsec] AD review of draft-ietf-ipsecme-esp-null-… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-esp-n… Pasi.Eronen@nokia.com
- Re: [IPsec] AD review of draft-ietf-ipsecme-esp-n… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-esp-n… Pasi.Eronen
- Re: [IPsec] AD review of draft-ietf-ipsecme-esp-n… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-esp-n… Pasi.Eronen