Re: [IPsec] WG Last Call: draft-ietf-ipsecme-roadmap-03

Yoav Nir <ynir@checkpoint.com> Mon, 24 August 2009 05:46 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Mon, 24 Aug 2009 08:46:31 +0300
Thread-Topic: [IPsec] WG Last Call: draft-ietf-ipsecme-roadmap-03
Thread-Index: Acog95DbWU1cAon8T06+5rpCtAeG/gDhFZ9g
Message-ID: <006FEB08D9C6444AB014105C9AEB133F906D312AD8@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC8E8ABD594E4@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120A80B@il-ex01.ad.checkpoint.com> <p0624082ac6b1edf08aca@[10.20.30.158]>
In-Reply-To: <p0624082ac6b1edf08aca@[10.20.30.158]>

Sorry for the delay.

I believe the draft is in good shape, but I do have some comments.

1. ESN is mentioned as optional for IKEv1 and included in IKEv2. It is not mentioned that this is an optional feature for IPsec (both old and new).

2. Section 4.2.1 describes RFC 4478 (authentication lifetime). It says "This document defines a new informational message that...". Instead it should say "This document defines a new status notification, that...". Also, after "unless the initiator re-authenticates" I would add "within a specified period of time".

3. Section 5.6 describes cryptographic suites documents (RFC 4308 and 4869), including the algorithms these documents specify (encryption, data integrity and DH group). It does not mention the not-so-obvious fact that RFC 4869 also requires the use of ECDSA for public keys used for authentication (if public keys are used), whereas 4308 makes no such requirement.

4. Section 8.7 describes RoHC RFCs that relate to IPsec. I think it should also mention the soon-to-be-published drafts about compressing IPsec traffic:
 - draft-ietf-rohc-ipsec-extensions-hcoipsec
 - draft-ietf-rohc-ikev2-extensions-hcoipsec
 - draft-ietf-rohc-hcoipsec

In addition to these, a few nits:

1. The document capitalizes the name of the WG as IPsecme. I think we like using IPsecME, no?

2. The descriptions of RFC 3947 and RFC 3948 are oddly placed. Both are in section 3 (IPsec) although 3947 is about IKE, and yet they are separated rather than following one another. I think that either 3947 should be moved to section 4 (IKE) or that they should be moved together.

3. RFCs 3947 and 4304 (ESN) are in section 3 (IPsec) but are more appropriate for section 4 (IKE).

4. Section 4.2.3 describes dead peer detection. It should mention that RFC 4306 (and the bis) call this feature "liveness check".