
editorial notes on arch-sec-04



A rereading of arch-sec-04 turned up a couple of small things, which I
*think* are entirely editorial in nature... 

1. If 4.4.3 needs to be fixed to reflect the reduced requirements for SA
re-use in 5.1.1, then I think the second-last paragraph of 4.4.1 needs
similar adjustments (especially that MUST at the end).

2. Section 5 begins:

   The SPD must be consulted during the processing of all traffic
   (INBOUND and OUTBOUND), including non-IPsec traffic.  Note that the
   SPD requires distinct entries for inbound and outbound traffic.  One
   can think of this as separate SPDs (inbound vs. outbound).  Note also
   that a nominally separate SPD must be provided for each IPsec-enabled
   interface.

"Note that" is usually a short form of "As should be obvious from what has
been already explained", i.e. it is calling attention to something that
you could have already figured out.  Except that here it's not; there is
not the slightest hint in previous material, and for that matter there's
relatively little hint in the rest of section 5, that such distinctions
are called for.  I would delete "Note that" and "Note also that". 

I think these issues should be mentioned -- if only with a forward
reference -- in either 4.4.1 or 4.4.2.  4.4.1 repeatedly refers to *the*
SPD, strongly implying that there is only one.  If we're not talking about
a model with separate SPDs, then this discussion has quietly added what
are effectively two more selectors to the list in 4.4.2, and a warning
there would be in order, since 4.4.2's wording implies that its list is
complete. 

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
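The point raised in item 2 (that splitting the SPD by direction and by interface amounts to adding two more selectors to the list in 4.4.2) can be checked with a small model. The following is an added example written for this page, not code from the draft or from the message above: it builds the same constructed sample policy two ways, once as a nominally separate inbound/outbound SPD per interface (class `SplitSpd`) and once as a single SPD whose entries carry interface and direction as extra selector fields (class `FlatSpd`), consults it for every packet including non-IPsec traffic, and shows both models return identical decisions. All class and function names, the interface names, the addresses and the default-discard rule for unmatched packets are assumptions of this model.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Actions an SPD entry can select (names assumed for this model).
BYPASS, DISCARD, PROTECT = "BYPASS", "DISCARD", "PROTECT"
INBOUND, OUTBOUND = "INBOUND", "OUTBOUND"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selectors of the 4.4.2 kind: address ranges, protocol, port."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None   # None means "any"
    dport: Optional[int] = None   # None means "any"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Entry:
    selector: Selector
    action: str


class SplitSpd:
    """Model A: a nominally separate SPD per interface, each with distinct
    inbound and outbound entries, i.e. tables keyed by (iface, direction)."""
    def __init__(self) -> None:
        self.tables: dict[tuple[str, str], list[Entry]] = {}

    def add(self, iface: str, direction: str, entry: Entry) -> None:
        self.tables.setdefault((iface, direction), []).append(entry)

    def lookup(self, iface: str, direction: str, pkt: Packet) -> str:
        # Ordered SPD: first matching entry wins. No match => DISCARD
        # (default-deny is an assumption of this model).
        for e in self.tables.get((iface, direction), []):
            if e.selector.matches(pkt):
                return e.action
        return DISCARD


class FlatSpd:
    """Model B: one SPD; interface and direction are two extra selector
    fields on every entry, which is what Model A amounts to."""
    def __init__(self) -> None:
        self.entries: list[tuple[str, str, Entry]] = []

    def add(self, iface: str, direction: str, entry: Entry) -> None:
        self.entries.append((iface, direction, entry))

    def lookup(self, iface: str, direction: str, pkt: Packet) -> str:
        for i, d, e in self.entries:
            if i == iface and d == direction and e.selector.matches(pkt):
                return e.action
        return DISCARD


def build(spd):
    """Constructed sample policy on two interfaces (not from the draft)."""
    # eth0: protect traffic to/from 10.1.0.0/16, let outbound DNS bypass,
    # discard everything else (including unmatched inbound DNS replies).
    spd.add("eth0", OUTBOUND, Entry(Selector(dst="10.1.0.0/16"), PROTECT))
    spd.add("eth0", INBOUND, Entry(Selector(src="10.1.0.0/16"), PROTECT))
    spd.add("eth0", OUTBOUND, Entry(Selector(proto=17, dport=53), BYPASS))
    # eth1: bypass everything outbound; inbound has no entries, so discard.
    spd.add("eth1", OUTBOUND, Entry(Selector(), BYPASS))
    return spd


# Constructed packets; every one is consulted against the SPD, IPsec or not.
SAMPLE = [
    ("eth0", OUTBOUND, Packet("192.0.2.10", "10.1.2.3", 6, 22)),
    ("eth0", INBOUND, Packet("10.1.2.3", "192.0.2.10", 6, 22)),
    ("eth0", OUTBOUND, Packet("192.0.2.10", "198.51.100.5", 17, 53)),
    ("eth0", INBOUND, Packet("198.51.100.5", "192.0.2.10", 17, 53)),
    ("eth1", OUTBOUND, Packet("192.0.2.10", "10.1.2.3", 6, 22)),
    ("eth1", INBOUND, Packet("203.0.113.9", "192.0.2.10", 6, 80)),
]


def decide_all(spd_class) -> list[str]:
    spd = build(spd_class())
    return [spd.lookup(i, d, p) for i, d, p in SAMPLE]


def models_agree() -> bool:
    return decide_all(SplitSpd) == decide_all(FlatSpd)


if __name__ == "__main__":
    for (i, d, p), a in zip(SAMPLE, decide_all(SplitSpd)):
        print(f"{i:5} {d:8} {p.src} -> {p.dst} proto={p.proto} dport={p.dport}: {a}")
    print("models agree:", models_agree())
```

The fifth sample packet is the same SSH packet as the first, differing only in the interface it leaves on, and the two models both turn PROTECT into BYPASS for it; likewise the DNS reply on eth0 is discarded because the bypass entry exists only on the outbound side. Neither outcome can be expressed with the address, protocol and port selectors alone, which is the sense in which direction and interface behave as selectors.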
