Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08
Sean Turner <turners@ieca.com> Tue, 19 April 2011 12:43 UTC
Return-Path: <turners@ieca.com>
X-Original-To: msec@ietfc.amsl.com
Delivered-To: msec@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 5FE31E0663 for <msec@ietfc.amsl.com>; Tue, 19 Apr 2011 05:43:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.455
X-Spam-Level:
X-Spam-Status: No, score=-102.455 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Is3lsGcAGnBW for <msec@ietfc.amsl.com>; Tue, 19 Apr 2011 05:43:02 -0700 (PDT)
Received: from nm12.bullet.mail.ac4.yahoo.com (nm12.bullet.mail.ac4.yahoo.com [98.139.52.209]) by ietfc.amsl.com (Postfix) with SMTP id C38D6E0691 for <msec@ietf.org>; Tue, 19 Apr 2011 05:43:02 -0700 (PDT)
Received: from [98.139.52.193] by nm12.bullet.mail.ac4.yahoo.com with NNFMP; 19 Apr 2011 12:43:00 -0000
Received: from [98.139.52.146] by tm6.bullet.mail.ac4.yahoo.com with NNFMP; 19 Apr 2011 12:43:00 -0000
Received: from [127.0.0.1] by omp1029.mail.ac4.yahoo.com with NNFMP; 19 Apr 2011 12:43:00 -0000
X-Yahoo-Newman-Id: 43295.14492.bm@omp1029.mail.ac4.yahoo.com
Received: (qmail 45693 invoked from network); 19 Apr 2011 12:43:00 -0000
Received: from thunderfish.local (turners@96.231.127.8 with plain) by smtp112.biz.mail.re2.yahoo.com with SMTP; 19 Apr 2011 05:42:57 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: d6VkIjsVM1lfq_bI6eEuNeZFoZ.jMwUa9GW5F06kDL7ISnQ tHbP1Fd9ld_Jbks5RniOZE0bLol61JuAjTeYgD6guvQ0GhNzSe4Y0t.Q2AEw H6iHznRQpopxNupewmGl_fOJh09V7WmYqSwQ9lqsPgCzVoXjcqtPFXIiMdB9 Dh_OX7WUrM8LXLszYSSNEhQTKHb.QN5hdvvajMu_affEc80V0tVFpS..nixI uL19vmHyVdzY_MGoWaKdyY7wxbFDrQ.z.JJ32iH5awXQlnBWjJ.rucbv8UG3 g5sFMbNY3ISK8bT.RJ8s_aKY6agb.BKDMdsb.sSnvhzmmPqLH1afMjGFWS0O Hmrww6otXIFUo
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4DAD8351.4090303@ieca.com>
Date: Tue, 19 Apr 2011 08:42:57 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: Brian Weis <bew@cisco.com>
References: <4D94540D.1060605@inrialpes.fr> <4D975866.9070102@ieca.com> <4DACA51F.5090300@ieca.com> <BAA928B9-F12D-4D53-83EE-00972652F01B@cisco.com>
In-Reply-To: <BAA928B9-F12D-4D53-83EE-00972652F01B@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: msec@ietf.org
Subject: Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/msec>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2011 12:43:04 -0000
On 4/18/11 6:12 PM, Brian Weis wrote: > Hi Sean, > > On Apr 18, 2011, at 1:54 PM, Sean Turner wrote: > >> Here's the rest of my comments on Sections 7 and 8 (all in 8): >> >> Section 5.3.7 shows TBD-6 to 9 but the second paragraph in 8.1 only discussed TBD-6. The others should be added in 8.1. >> >> Section 5.6 shows TBD-7 and so does Section 8.1, but there's already a TBD-7 in Section 5.3.7. Maybe renumber the one in Section 5.6 TBD-10? > > I also noticed these issues when removing RSA-PSS. The TBD-7 in Section 5.3.7 became TBD-6, and the rest retain their original numbering. Section 8.1 was also brought up to date. > >> Section 8.2: In the new registries, you need to say what needs to be done to update the registries (e.g., specification required, standards action). > > Vincent also has pointed this out. But Section 8 that says: > > "When the new > registries are added, the following terms are to be applied as > described in the Guidelines for Writing an IANA Considerations > Section in RFCs [RFC5226]: Standards Action, and Private Use." > > From RFC 5226: > > Standards Action - Values are assigned only for Standards Track > RFCs approved by the IESG. > Private Use: Private use only (not assigned), as described in Section 4.1. > > I'm not sure how to be state this more clearly, but it seems as if that's needed. Suggestions are welcome. Brian, The only thing I can think to do is to move the text from 8 to 8.2 and repeat it for each of the new registries. spt >> spt >> >> On 4/2/11 1:09 PM, Sean Turner wrote: >>> #1) Add "updates: 3547 (once approved)" to the header. This will make it >>> match the intro/abstract. I can almost guarantee a discuss from somebody >>> on this. >>> >>> #2) ISAKMP Phase 1 is described in Section 2.1 as "one such mechanism". >>> This isn't a MUST support. As far as I can tell there isn't a MUST >>> implement Phase 1 protocol (the protocols in Appendix A are also just >>> examples). But, to implement this document you've got to do things as >>> described in RFC 2407-2409. It seems like this doc and IKEv1 are pretty >>> well intertwined. And, the g-ikev2 draft doesn't use these formats it >>> uses something else...Let's be clear about what it's being used with. It >>> seems like this section ought to be changed as follows: >>> >>> OLD: >>> >>> The following sections describe one such "phase 1" protocol. Other >>> protocols which may be potential "phase 1" protocols are described in >>> Appendix A. However, the use of the protocols listed there are not >>> considered part of this document. >>> >>> 2.1. ISAKMP Phase 1 protocol >>> >>> This document defines how the ISAKMP phase 1 exchanges as defined in >>> [RFC2409] can be used a "phase 1" protocol for GDOI. The following >>> sections define characteristics of the ISAKMP phase 1 protocols that >>> are unique for these exchanges when used for GDOI. >>> >>> Section 7.1 describes how the ISAKMP Phase 1 protocols meet the >>> requirements of a GDOI "phase 1" protocol. >>> >>> NEW: >>> >>> This document defines how the ISAKMP phase 1 exchanges as defined in >>> [RFC2409] can be used a "phase 1" protocol for GDOI. The following >>> sections define characteristics of the ISAKMP phase 1 protocols that >>> are unique for these exchanges when used for GDOI. >>> >>> Section 7.1 describes how the ISAKMP Phase 1 protocols meet the >>> requirements of a GDOI "phase 1" protocol. >>> >>> >>> Delete the 2.1 header and renumber 2.1.1 and 2.1.2 to 2.1 and 2.2, >>> respectively. >>> >>> I would also delete Appendix A. The currently proposed IKEv2 mechanism >>> isn't reusing these fields and the KINK option never got defined. >>> >>> #3) Sec 3.2: r/Hashes are computed in the manner described within RFC >>> 2409./Hashes are computed in the manner described within [RFC2409]. >>> >>> #4) Sec 3.2: expand prf on first use. >>> >>> #5) Sec 3.3: 2 lower case "must" should they be "MUST"? >>> 1 lower case "should" should it be "SHOULD"? >>> >>> #6) Sec 4.2: Something is wrong with this: >>> >>> Flags MUST have the Encryption bit set according to [RFC2008, Section >>> 3.1]. >>> >>> Maybe it should be: >>> >>> Flags MUST have the Encryption bit set according to Section 3.1 of >>> [RFC2408]. >>> >>> #7) Sec 5: r/in accordance with RFC 2408./in accordance with [RFC2408]. >>> >>> #8) Sec 5.1, 5.2: r/defined in RFC 2408./defined in [RFC2408]. >>> >>> #9) Sec 5.2: This is difficult to parse: >>> >>> The >>> next payload MUST NOT be a SAK Payload or SAT Payload type, but the >>> next non-Security Association type payload. >>> >>> Maybe it's supposed to be: >>> >>> The >>> next payload MUST NOT be a SAK Payload or SAT Payload type; it MUST >>> be the >>> next non-Security Association type payload. >>> >>> #9) Sec 5.2: r/Must/MUST X4 >>> >>> #10) Sec 5.2.1: r/SA Attributes payloads must be/SA Attributes payloads >>> MUST be >>> >>> #11) Sec 5.3: r/Must/MUST X2 >>> r/should/SHOULD >>> r/must/MUST >>> >>> #12) Sec 5.3: What is the conformance requirement for the following: >>> >>> Any or all attributes may be optional, depending on the group policy. >>> >>> #13) Sec 5.3.1: >>> >>> r/ attributes may be present / attributes MAY be present or change to >>> say they are OPTIONAL. >>> >>> r/attributes must/attributes MUST >>> >>> #14) Sec 5.3.1: >>> >>> The KEK_MANAGEMENT_ALGORITHM attribute may only be included in a >>> GROUPKEY-PULL message. >>> >>> What happens if it's included in the PUSH message? >>> >>> #15) Just noted to instances of GROUPKEY_. Aren't they supposed to be >>> GROUPKEY-*? >>> >>> #16) Sec 5.3.3.3: r/as recommended in/as defined in >>> >>> #17) Sec 5.3.6: Any reason not to point to FIPS 180-3? >>> >>> #18) Sec 5.3.6: r/and SIG_HASH_ALGORITHM is not required to be present >>> in a SAK Payload/and SIG_HASH_ALGORITHM is OPTIONAL in a SAK Payload >>> >>> #19) Sec 5.3.7: Does anybody really want RSA-PSS? >>> >>> #20) Sec 5.4: r/Must/MUST >>> r/Section 3.3 of RFC 2408./Section 3.3 of [RFC2408]. >>> >>> #21) Sec 5.4.1: r/ Section 4.2.1 of RFC 5374/Section 4.2.1 of [RFC5374] >>> r/should/SHOULD X2 ?? >>> >>> #22) Sec 5.5: r/Must/MUST >>> >>> #23) Sec 5.5.1: Protocol, SEC ID Port, DST ID Prot, DST ID Port bullets >>> r/should/SHOULD ? >>> >>> #24) Sec 5.5.1: r/from RFC 2407/from [RFC2407] >>> r/[RFC2407],/[RFC2407]), >>> r/ESP must also/ESP MUST also >>> >>> #25) Sec 1.3: Add GSPD >>> >>> #26) Sec 5.5.1.1.1: r/ RFC 5374/[RFC5374] >>> >>> #27) Sec 5.5.1.1.1: r/must/MUST ? >>> >>> #28) Sec 5.5.1.1.1: In the following, is 2119 language needed: >>> >>> SA TEK payload >>> may be required in one or both directions. >>> >>> #29) Sec 5.5.2: r/All Security Protocols must provide/All Security >>> Protocols MUST provide >>> >>> #30) Sec 5.6.1: r/The attributes must follow/The attributes MUST follow >>> r/At least one TEK must be/At least one TEK MUST be >>> >>> #31) Sec 5.6.1.2: r/to the member./to the GM. >>> >>> #32) Sec 5.6.2 and 5.6.3: r/The attributes must follow/The attributes >>> MUST follow >>> >>> #33) Sec 5.6.3 and 5.6.3.1: r/there must be only/there MUST be only >>> >>> #34) Sec 5.6.3.1 and 5.6.3.2: r/Must/MUST >>> >>> #35) Sec 1.3: add SSIV >>> >>> #36) Sec 5.7: r/Must/MUST >>> r/must/MUST X3 >>> >>> #37) Sec 5.9: r/must be deleted, they must be/are to be deleted, they >>> MUST be >>> >>> #38) Sec 10: References for 2403, 2404, 2407-2409, 3447, 4106, 4543, >>> 4754, 4868, 5903 are normative according to the following: >>> http://www.ietf.org/iesg/statement/normative-informative.html >>> >>> Assuming you delete App A, remove references to 4330 and 5996. >>> >>> Please ensure the classification of the other references are in >>> accordance with the IESG statement. If you've got any questions, let me >>> know. I don't want to find out later that some informative reference to >>> an informative RFC is actually a normative reference and we need to do a >>> 2nd IETF LC to note the DOWNREF. >>> >>> I still need to finish Section 7 and 8. >>> >>> spt >>> >>> >>> On 3/31/11 12:14 PM, Vincent Roca wrote: >>>> Hello everybody, >>>> >>>> As you probably noticed the GDOI draft has been significantly >>>> updated WRT the previous 07 version. For details see: >>>> >>>> http://tools.ietf.org/rfcdiff?url2=draft-ietf-msec-gdoi-update-08.txt >>>> >>>> This situation motivates another WGLC. So please review >>>> >>>> draft-ietf-msec-gdoi-update-08 >>>> http://datatracker.ietf.org/doc/draft-ietf-msec-gdoi-update/ >>>> >>>> and send comments to the WG mailing list by April 18th. >>>> (NB: if ever this deadline is too close, then tell me...) >>>> >>>> Regards, >>>> >>>> Vincent >>>> _______________________________________________ >>>> MSEC mailing list >>>> MSEC@ietf.org >>>> https://www.ietf.org/mailman/listinfo/msec >>>> >>> _______________________________________________ >>> MSEC mailing list >>> MSEC@ietf.org >>> https://www.ietf.org/mailman/listinfo/msec >>> >> _______________________________________________ >> MSEC mailing list >> MSEC@ietf.org >> https://www.ietf.org/mailman/listinfo/msec > >
- [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Vincent Roca
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Sean Turner
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Yoav Nir
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Brian Weis
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Sean Turner
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Sean Turner
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Sean Turner
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Brian Weis
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Brian Weis
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Brian Weis
- Re: [MSEC] WGLC on draft-ietf-msec-gdoi-update-08 Sean Turner