[IPsec] More nits in draft-kivinen-ipsecme-ikev2-rfc5996bis-04
Tero Kivinen <kivinen@iki.fi> Tue, 23 September 2014 13:53 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EDBD1A1AC8 for <ipsec@ietfa.amsl.com>; Tue, 23 Sep 2014 06:53:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5vVPFYkGD8a6 for <ipsec@ietfa.amsl.com>; Tue, 23 Sep 2014 06:53:47 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7E1D1A797C for <ipsec@ietf.org>; Tue, 23 Sep 2014 06:53:46 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s8NDrhm7015173 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 23 Sep 2014 16:53:43 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s8NDrhid005497; Tue, 23 Sep 2014 16:53:43 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21537.31591.465157.509866@fireball.kivinen.iki.fi>
Date: Tue, 23 Sep 2014 16:53:43 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <8139F5C1D4ED4E2181D40A58434ACE3A@buildpc>
References: <F68C660364DABE41AF4617F517EF548411707BE2@ESESSMB309.ericsson.se> <21493.55390.157248.181030@fireball.kivinen.iki.fi> <C949D5C9077942ACA31105FE4156154E@buildpc> <21504.31762.454252.961126@fireball.kivinen.iki.fi> <DC2FED9C253548E5875C4E5CCCFD40D0@buildpc> <4A81BADF09C04D50BFA83D59711A0EF7@buildpc> <8139F5C1D4ED4E2181D40A58434ACE3A@buildpc>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 4 min
X-Total-Time: 4 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/nPCrVSVVa82MAEPhl6hHT-lDUK0
Cc: ipsec@ietf.org
Subject: [IPsec] More nits in draft-kivinen-ipsecme-ikev2-rfc5996bis-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Sep 2014 13:53:49 -0000
Valery Smyslov writes:
> 1. Section 3.15.1:
>
> o APPLICATION_VERSION - The version or application information of
> the IPsec host. This is a string of printable ASCII characters
> that is NOT null terminated.
>
> "NOT" is uppercase. Although it might be an intention to ephasise
> the fact, that it is not null terminated, but it looks like RFC2119 word,
> that is not the case.
That "NOT" is intentional and it is used to emphasize the fact there
is no terminator.
> 2. Section 3.16:
>
> o Type (1 octet) is present only if the Code field is Request (1) or
> Response (2). For other codes, the EAP message length MUST be
> four octets and the Type and Type_Data fields MUST NOT be present.
> In a Request (1) message, Type indicates the data being requested.
> In a Response (2) message, Type MUST either be Nak or match the
> type of the data requested. Note that since IKE passes an
> indication of initiator identity in the first message in the
> IKE_AUTH exchange, the responder SHOULD NOT send EAP Identity
> requests (type 1). The initiator MAY, however, respond to such
> requests if it receives them.
> ...
>
> Note that since IKE passes an indication of initiator identity in the
> first message in the IKE_AUTH exchange, the responder should not send
> EAP Identity requests. The initiator may, however, respond to such
> requests if it receives them.
>
> The last para in the section is absolutely equal to the last two sentences
> in the cited bullet, except that it doesn't use RFC2119 wording.
> I failed to see that it adds any value here.
It is to emphasize that you really, really need to leave out those
identity requests. We didn't want to such important thing stay hidden
under the bulleted list describing the fields in payload...
And it has already been fixed during the rfc editor process to have
exactly same RFC2119 wording that the text above has. Current text
says:
----------------------------------------------------------------------
o Type (1 octet) - Present only if the Code field is Request (1) or
Response (2). For other codes, the EAP message length MUST be
four octets and the Type and Type_Data fields MUST NOT be present.
In a Request (1) message, Type indicates the data being requested.
In a Response (2) message, Type MUST either be Nak or match the
type of the data requested. Note that since IKE passes an
indication of initiator identity in the first message in the
IKE_AUTH exchange, the responder SHOULD NOT send EAP Identity
requests (type 1). The initiator MAY, however, respond to such
requests if it receives them.
o Type_Data (variable length) - Varies with the Type of Request and
the associated Response. For the documentation of the EAP
methods, see [EAP].
Note that since IKE passes an indication of initiator identity in the
first message in the IKE_AUTH exchange, the responder SHOULD NOT send
EAP Identity requests. The initiator MAY, however, respond to such
requests if it receives them.
--
kivinen@iki.fi
- [IPsec] Rekeying of child sa, Question on TS hand… Pål Dammvik
- [IPsec] Rekeying of child sa, Question on TS hand… Tero Kivinen
- Re: [IPsec] Rekeying of child sa, Question on TS … Valery Smyslov
- Re: [IPsec] Rekeying of child sa, Question on TS … Pål Dammvik
- Re: [IPsec] Rekeying of child sa, Question on TS … Yoav Nir
- Re: [IPsec] Rekeying of child sa, Question on TS … Kathleen Moriarty
- [IPsec] Typos in draft-kivinen-ipsecme-ikev2-rfc5… Valery Smyslov
- [IPsec] Typos in draft-kivinen-ipsecme-ikev2-rfc5… Tero Kivinen
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Valery Smyslov
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Valery Smyslov
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Valery Smyslov
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Paul Wouters
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Valery Smyslov
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Paul Wouters
- [IPsec] More nits in draft-kivinen-ipsecme-ikev2-… Valery Smyslov
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Tero Kivinen
- Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-… Tero Kivinen
- [IPsec] More nits in draft-kivinen-ipsecme-ikev2-… Tero Kivinen