
Re: I-D ACTION:draft-ipsec-ipsec-doi-01.txt



Some quibbles regarding the IPsec DOI definitions, that I just tripped over
while trying to define a text-based SA exchange format. Basically, if we're
going to a) name and b) number protocol entities, we need to ensure that the
list is both intelligible and complete.

	4.4.3 IPSEC AH Transform Values

	       Transform                           Value
	       ---------                           -----
	       RESERVED                            0
	       AH_1828                             1
	       AH_HMAC_MD5_REPLAY                  2
	       AH_MHAC_SHA_REPLAY                  3
 
I object to the use of RFC numbers in the name of the transform; it's
either meaningless or obscure, depending on who you ask. AH_MD5 would be
better than AH_1828.

The "AH_HMAC_MD5" transform is missing from the list. While this transform
never became an RFC, it is in use by several vendors, and so needs an
identifier for proper interoperability. (Yes, it's a proper subset of
AH_HMAC_MD5_REPLAY, but to support historical implementations, I think it
needs to be kept separate. I'm willing to negotiate on this one :-)


	4.4.4 IPSEC ESP Transform Identifiers

	       Transform ID                        Value
	       ------------                        -----
	       RESERVED                            0
	       ESP_1829_TRANSPORT                  1
	       ESP_1829_TUNNEL                     2
	       ESP_DES_CBC_HMAC_REPLAY             3

Again, I object to the use of RFC numbers in the name; IMHO, these should be
"ESP_DES_CBC_TRANSPORT" and "ESP_DES_CBC_TUNNEL". (And I thought the
"transport" vs. "tunnel" distinction was an RFC 1827 thing; if so,
shouldn't we be consistent here?)

ESP_3DES_CBC is missing (RFC 1851). Again, there are vendors using this
already; an ID and number are required for interoperability.

</soapbox> :-)

-- 
C. Harald Koch          | Senior System Developer, Secure Computing Canada Ltd.
chk@border.com          | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
+1 416 368 7157 (voice) | "Madness takes its toll. Please have exact change."
+1 416 368 7789 (fax)   |		-Karen Murphy <karenm@descartes.com>

