[MSEC] Comments on draft-ietf-msec-gdoi-update-08
Suresh Melam <nmelam@juniper.net> Sat, 11 June 2011 00:58 UTC
Return-Path: <nmelam@juniper.net>
X-Original-To: msec@ietfa.amsl.com
Delivered-To: msec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 236AE9E8039 for <msec@ietfa.amsl.com>; Fri, 10 Jun 2011 17:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1SgW-79ZVBOi for <msec@ietfa.amsl.com>; Fri, 10 Jun 2011 17:58:03 -0700 (PDT)
Received: from exprod7og111.obsmtp.com (exprod7og111.obsmtp.com [64.18.2.175]) by ietfa.amsl.com (Postfix) with ESMTP id 640B59E802C for <msec@ietf.org>; Fri, 10 Jun 2011 17:58:03 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob111.postini.com ([64.18.6.12]) with SMTP ID DSNKTfK9msDrunXUFH/EmyV6FadZYEtqPiye@postini.com; Fri, 10 Jun 2011 17:58:03 PDT
Received: from juniper.net (10.150.59.109) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.2.254.0; Fri, 10 Jun 2011 17:54:48 -0700
Date: Fri, 10 Jun 2011 17:54:46 -0700
From: Suresh Melam <nmelam@juniper.net>
To: msec@ietf.org
Message-ID: <20110611005446.GA6618@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Stephen Hanna <shanna@juniper.net>
Subject: [MSEC] Comments on draft-ietf-msec-gdoi-update-08
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/msec>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jun 2011 00:58:04 -0000
Hi, I've looked at the Appendix C. and some of the other related changes. These changes look good and makes the GDOI protocol more robust. While obviously Juniper hasn't already implemented these changes yet, they are not in conflict with what was already done. One comment, ----------- In Sec: 5.6.4.3. Group Member Semantics The SID_VALUE attribute value distributed to the group member MUST be used by that group member as the SID field portion of the IV for all Data-Security SAs including a counter-based mode of operation distributed by the GCKS as a part of this group. When the Sender-Specific IV (SSIV) field for any Data-Security SA is exhausted, the group member MUST no longer act as a sender on that SA using its active SID. The group member SHOULD re-register, at which time the GCKS will issue a new SID to the group member, along with either the same Data-Security SAs or replacement ones. The new SID replaces the existing SID used by this group member, and also resets the SSIV value to its starting value. A group member MAY re-register prior to the actual exhaustion of the SSIV field to avoid dropping data packets due to the exhaustion of available SSIV values combined with a particular SID value. A group member MUST NOT process an SID Download Type KD payload present in a GROUPKEY-PUSH message. ----------- If a member receives a new set of keys for an existing Data-Security SA in a GROUPKEY-PUSH exchange, there will not be any new SIDs in the message so that not all members have the same SID. However, it is not clearly specified whether or not member should consider resetting SSIV range. Since it is a new combination of (SID+key) (key being new, though SID is same), previous values of SSIV based on the SID, can be reused for the new key. This way there is significantly less chance of SSIV getting exhausted, and hence avoiding unnecessary GROUPKEY-PULL message to obtain a new SID. thanks, -suresh