
Re: I-D ACTION:draft-ipsec-ipsec-doi-01.txt



> From: "C. Harald Koch" <chk@border.com>
>              AH_1828                             1
>              AH_HMAC_MD5_REPLAY                  2
>              AH_MHAC_SHA_REPLAY                  3
>
> I object to the use of RFC numbers in the name of the transform; it's
> either meaningless or obscure, depending on who you ask. AH_MD5 would be
> better than AH_1828.
>
Personally, I was using AH_MD5_KP, that is, keyed with padding.

For a more explicit set of letters, I would suggest AH_MD5_KPDK, for
Key_Pad_Data_Key.

Could we agree to reverse the others to AH_MD5_HMAC_REPLAY and
AH_SHA1_HMAC_REPLAY, as more descriptive and intuitive, and matching the
term ordering of ESP_DES_CBC_HMAC_REPLAY?



> The "AH_HMAC_MD5" transform is missing from the list. While this transform
> never became an RFC, it is in use by several vendors, and so needs an
> identifier for proper interoperability. (Yes, it's a proper subset of
> AH_HMAC_MD5_REPLAY, But to support historical implementations, I think it
> needs to be kept separate. I'm willing to negotiate on this one :-)
>
I agree.  Identifiers should be assigned as needed, to distinguish even
past and future proprietary transforms.



>              RESERVED                            0
>              ESP_1829_TRANSPORT                  1
>              ESP_1829_TUNNEL                     2
>              ESP_DES_CBC_HMAC_REPLAY             3
>
> Again, I object to the use of RFC numbers in the name; IMHO, these should be
> "ESP_DES_CBC_TRANSPORT" and "ESP_DES_CBC_TUNNEL". (And I thought the
> "transport" vs. "tunnel" distinction was an RFC 1827 thing; if so,
> shouldn't we be consistent here?)
>
> ESP_3DES_CBC is missing (RFC 1851). Again, there are vendors using this
> already; an ID and number are required for interoperability.
>
Again, I agree.  However, I'd suggest ESP_1DES_CBC_TRANSPORT, etc., to
more easily distinguish it from 3DES in the eyes of the operator.  These
things have a tendency to show up in the configuration menus.  ;-)

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
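The thread's point that the keyed-MD5 transform (Key_Pad_Data_Key) and the HMAC-MD5 transform must carry separate identifiers is easy to see in code: the two constructions produce different authenticators for the same key and data, so a peer that negotiated one cannot verify packets built with the other. The following is an added example, not code from this message, the draft, or any vendor implementation. It assumes the RFC 1828-style layout MD5(Key || Pad || Data || Key) with the leading key zero-filled to a 64-byte MD5 block boundary and the trailing key followed only by MD5's own padding (my reading of RFC 1828; treat the fill rule as an assumption), and uses a constructed sample key and AH-covered byte string.

```python
import hashlib
import hmac

MD5_BLOCK = 64  # MD5 processes 512-bit (64-byte) blocks


def key_fill_length(key_len: int) -> int:
    """Zero bytes needed to bring the leading key to a 64-byte boundary.
    Assumption: this is the 'Pad' in Key_Pad_Data_Key; a key that already
    ends on a block boundary gets no fill."""
    return (-key_len) % MD5_BLOCK


def keyed_md5_kpdk(key: bytes, data: bytes) -> bytes:
    """Keyed MD5 in the Key_Pad_Data_Key arrangement discussed in the thread:
    MD5(Key || zero-fill || Data || Key). The trailing key is followed by
    MD5's standard padding, which hashlib applies internally."""
    fill = b"\x00" * key_fill_length(len(key))
    return hashlib.md5(key + fill + data + key).digest()


def hmac_md5(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104 construction): MD5((K^opad) || MD5((K^ipad) || data))."""
    return hmac.new(key, data, hashlib.md5).digest()


# Transform identifier -> authenticator function. The names follow the
# ordering proposed in the message (algorithm, then mode); they are labels
# for this example, not the draft's registered identifiers.
TRANSFORMS = {
    "AH_MD5_KPDK": keyed_md5_kpdk,
    "AH_MD5_HMAC": hmac_md5,
}


def authenticate(transform: str, key: bytes, data: bytes) -> bytes:
    """Compute the AH authentication data under the named transform."""
    return TRANSFORMS[transform](key, data)


def verify(transform: str, key: bytes, data: bytes, icv: bytes) -> bool:
    """Recompute under the named transform and compare in constant time."""
    return hmac.compare_digest(TRANSFORMS[transform](key, data), icv)


# Constructed sample input: a 16-byte key and a stand-in for the bytes AH
# covers (immutable IP header fields plus the AH header and payload).
SAMPLE_KEY = bytes(range(16))
SAMPLE_DATA = b"\x45\x00\x00\x3c" + b"AH-covered datagram bytes (constructed)"


def cross_transform_check(key: bytes = SAMPLE_KEY, data: bytes = SAMPLE_DATA) -> dict:
    """Show that an authenticator from one transform is rejected by the other,
    which is why each needs its own negotiated identifier."""
    kpdk = authenticate("AH_MD5_KPDK", key, data)
    hm = authenticate("AH_MD5_HMAC", key, data)
    return {
        "same_digest": kpdk == hm,
        "kpdk_accepted_by_kpdk": verify("AH_MD5_KPDK", key, data, kpdk),
        "kpdk_accepted_by_hmac": verify("AH_MD5_HMAC", key, data, kpdk),
        "hmac_accepted_by_hmac": verify("AH_MD5_HMAC", key, data, hm),
        "hmac_accepted_by_kpdk": verify("AH_MD5_KPDK", key, data, hm),
    }


if __name__ == "__main__":
    for name, fn in TRANSFORMS.items():
        print(f"{name:12s} {fn(SAMPLE_KEY, SAMPLE_DATA).hex()}")
    for k, v in cross_transform_check().items():
        print(f"{k:24s} {v}")
```

The HMAC side can be checked against the published RFC 2202 test vector (key of sixteen 0x0b bytes, data "Hi There"), which is independent of any assumption here; the KPDK side has no published vector in this thread, so only its structure (fill length, key placement) is exercised.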