Re: [rohc] AD comments on draft-ietf-rohc-ipsec-extensions-hcoipsec-04
"Ertekin, Emre [USA]" <ertekin_emre@bah.com> Tue, 19 May 2009 22:23 UTC
Return-Path: <prvs=383151d1e=ertekin_emre@bah.com>
X-Original-To: rohc@core3.amsl.com
Delivered-To: rohc@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CEE373A6EB5 for <rohc@core3.amsl.com>; Tue, 19 May 2009 15:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaqioXddbbYl for <rohc@core3.amsl.com>; Tue, 19 May 2009 15:23:58 -0700 (PDT)
Received: from mclniron02-ext.bah.com (mclniron02-ext.bah.com [156.80.1.73]) by core3.amsl.com (Postfix) with ESMTP id D11273A6E4D for <rohc@ietf.org>; Tue, 19 May 2009 15:23:57 -0700 (PDT)
x-SBRS: None
X-REMOTE-IP: 156.80.7.153
X-IronPort-AV: E=Sophos;i="4.41,217,1241409600"; d="scan'208";a="19313263"
Received: from mclnexbh03.resource.ds.bah.com ([156.80.7.153]) by mclniron02-int.bah.com with ESMTP; 19 May 2009 18:25:34 -0400
Received: from MCLNEXVS05.resource.ds.bah.com ([156.80.7.121]) by mclnexbh03.resource.ds.bah.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 May 2009 18:25:34 -0400
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 19 May 2009 18:25:25 -0400
Message-ID: <37BDD2FAF2AEAE459C6C70FDC2892E4E04A1E170@MCLNEXVS05.resource.ds.bah.com>
In-Reply-To: <4A0C421C.8000803@ericsson.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: AD comments on draft-ietf-rohc-ipsec-extensions-hcoipsec-04
Thread-Index: AcnUrk3cUhtG2NpmRi2vccc21nGB1gD9YDAg
References: <4A0C421C.8000803@ericsson.com>
From: "Ertekin, Emre [USA]" <ertekin_emre@bah.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, draft-ietf-rohc-ipsec-extensions-hcoipsec@tools.ietf.org, rohc@ietf.org
X-OriginalArrivalTime: 19 May 2009 22:25:34.0600 (UTC) FILETIME=[BA3B1080:01C9D8D0]
Subject: Re: [rohc] AD comments on draft-ietf-rohc-ipsec-extensions-hcoipsec-04
X-BeenThere: rohc@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Robust Header Compression <rohc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/rohc>, <mailto:rohc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rohc>
List-Post: <mailto:rohc@ietf.org>
List-Help: <mailto:rohc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rohc>, <mailto:rohc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2009 22:27:00 -0000
Hi Magnus,
Please find our responses to your comments on the IPsec extensions
draft.
> Section 3.1:
>
> Shouldn't it be discussed when this protocol number is appropriate to
> be
> used. To me it appears that some requirements need to be fulfilled
> before one uses it on a particular layer. Running ROHC straight on top
> of IPv6 for example seems like a bad idea in most case due to such
> considerations as security and denial of service for the decompressor,
> the multi-hop environment, and lack of clear logical channel.
This is good idea. At the end of the section, we can add a paragraph
that describes usage considerations of the ROHC protocol number.
However, we would like to craft the paragraph such that it doesn't
preclude the ROHC protocol number use in other scenarios. Rather, the
text will identify considerations that need to be accounted for if the
ROHC protocol number is used for some other purpose.
>
> Section 3.2.1:
>
> I think the language in this section could be benefit from being
> written
> in active tense saying what to do, rather than what happens.
Especially
> when we comes to bullets like:
>
> The decompressed packet is used with the integrity algorithm
(and
> its respective key) to compute a ROHC ICV that is compared to
the
> appended ICV (if these two values differ, the packet is dropped)
>
> The second parenthesis seems to be a very hard requirement because
> otherwise the ROHCoIPsec solution doesn't have a clear integrity
> preserving property.
OK - I will clean up the text in this section (and section 3.3.) based
on your comment.
> Section 3.2.1:
>
> What ICV algorithms and key lengths must be supported in the
> implementations? This is to ensure that there are at least one
> algorithm
> and key length that are supported by everyone.
This was discussed in a separate email thread. I would recommend that
we remain consistent the AUTH algorithm requirements defined in RFC
4835:
Requirement Algorithm
----------- ----------------
MUST HMAC-SHA1-96
SHOULD+ AES-XCBC-MAC-96
MAY HMAC-MD5-96
Note, however, that this does not necessarily mean that HMAC-SHA1-96
must be negotiated for any particular ROHC-enabled SA. What is actually
negotiated depends on depends on policy. Specification of the above
provides a "common denominator" for the AUTH algorithm that is available
for use across all ROHCoIPsec implementations.
BR,
Emre
- [rohc] AD comments on draft-ietf-rohc-ipsec-exten… Magnus Westerlund
- Re: [rohc] AD comments on draft-ietf-rohc-ipsec-e… Ertekin, Emre [USA]
- Re: [rohc] AD comments on draft-ietf-rohc-ipsec-e… Magnus Westerlund