Re: [secdir] SECDIR review of draft-ietf-hokey-erp-aak

Qin Wu <bill.wu@huawei.com> Fri, 10 February 2012 01:26 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F3D511E8094; Thu, 9 Feb 2012 17:26:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.907
X-Spam-Level:
X-Spam-Status: No, score=-5.907 tagged_above=-999 required=5 tests=[AWL=0.692, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjHRJJaAetav; Thu, 9 Feb 2012 17:26:01 -0800 (PST)
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66]) by ietfa.amsl.com (Postfix) with ESMTP id AD79B11E8079; Thu, 9 Feb 2012 17:26:01 -0800 (PST)
Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LZ500CLLLB20Z@szxga03-in.huawei.com>; Fri, 10 Feb 2012 09:25:50 +0800 (CST)
Received: from szxrg02-dlp.huawei.com ([172.24.2.119]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LZ500E8MLB2P8@szxga03-in.huawei.com>; Fri, 10 Feb 2012 09:25:50 +0800 (CST)
Received: from szxeml202-edg.china.huawei.com ([172.24.2.119]) by szxrg02-dlp.huawei.com (MOS 4.1.9-GA) with ESMTP id AGZ88683; Fri, 10 Feb 2012 09:25:12 +0800
Received: from SZXEML402-HUB.china.huawei.com (10.82.67.32) by szxeml202-edg.china.huawei.com (172.24.2.42) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 10 Feb 2012 09:25:00 +0800
Received: from w53375q (10.138.41.130) by szxeml402-hub.china.huawei.com (10.82.67.32) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 10 Feb 2012 09:25:03 +0800
Date: Fri, 10 Feb 2012 09:25:02 +0800
From: Qin Wu <bill.wu@huawei.com>
X-Originating-IP: [10.138.41.130]
To: Radia Perlman <radiaperlman@gmail.com>
Message-id: <468389BD4CC24892A8094B8A3D1C6EFE@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
X-CFilter-Loop: Reflected
References: <CAFOuuo7Q-inZd_1cKqZAQF4B7mTkQTudu8txnrK2uH5QjMQgcQ@mail.gmail.com> <0BD5C6E31FDC4BDC9813D221CD296680@china.huawei.com> <CAFOuuo7btOZnD-a5-kcSwF4wg+FKsUbRsUJumkRR7E39xHJPYA@mail.gmail.com>
Cc: draft-ietf-hokey-erp-aak.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] SECDIR review of draft-ietf-hokey-erp-aak
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 01:26:02 -0000

Hi, Radia:
We will impement the clarification texts into the update to fix the issues you pointed out below. 
Thank you again.

Regards!
-Qin
----- Original Message ----- 
From: "Radia Perlman" <radiaperlman@gmail.com>;
To: "Qin Wu" <bill.wu@huawei.com>;
Cc: "The IESG" <iesg@ietf.org>;; <secdir@ietf.org>;; <draft-ietf-hokey-erp-aak.all@tools.ietf.org>;
Sent: Friday, February 10, 2012 2:51 AM
Subject: Re: SECDIR review of draft-ietf-hokey-erp-aak


Inline

>> In the 4th paragraph before section 5.3, it talks about computing an integrity
>> checksum over the ERP/AAK packet, excluding the authentication tag field.
>> Does this mean that the authentication tag field is zeroed out for the
>> computation,
>> or that the message is truncated to exclude that field?
>
> [Qin]: I think it is the latter case. The integrity checksum over ERP/AAK packet is computed
> from the first bit of code field of packet to the last bit of cryptosuit field of the packet which
> is placed before authenticator tag field.

I don't care which it is.  But the document has to specify.  I assume
when answering me, you were also going to specify it in the document.
:-)

>
>> In the paragraph before section 5.3, it talks about silently discarding the
>> EAP-Initiate/Re-auth packet if it's not supported by the SAP. On a silent
>> discard, how long do you wait for a response before assuming there won't be any,
>> or perhaps that it got lost? (does it run over a reliable Transport? Even so,
>> it might be silently discarded).
>
> [Qin]: That's a good point. In the case of SAP initiating ERP/AAK, this is not a issue since SAP has
> already support ERP/AAK. In the case of Peer initiating ERP/AAK, the peer should maintain
> retransmission timer and maximum retransmission times. Based on retransmission timeout estimation,
> the peer can know there won't be any response. Does this address your comment?

That is somewhat significant text (not just a typo), but I assume
you'll get it right.

Radia