
Re: editorial notes on arch-sec-04



Henry,

>A rereading of arch-sec-04 turned up a couple of small things, which I
>*think* are entirely editorial in nature...
>
>1. If 4.4.3 needs to be fixed to reflect the reduced requirements for SA
>re-use in 5.1.1, then I think the second-last paragraph of 4.4.1 needs
>similar adjustments (especially that MUST at the end).
>
>2. Section 5 begins:
>
>   The SPD must be consulted during the processing of all traffic
>   (INBOUND and OUTBOUND), including non-IPsec traffic.  Note that the
>   SPD requires distinct entries for inbound and outbound traffic.  One
>   can think of this as separate SPDs (inbound vs. outbound).  Note also
>   that a nominally separate SPD must be provided for each IPsec-enabled
>   interface.
>
>"Note that" is usually a short form of "As should be obvious from what has
>been already explained", i.e. it is calling attention to something that
>you could have already figured out.  Except that here it's not; there is
>not the slightest hint in previous material, and for that matter there's
>relatively little hint in the rest of section 5, that such distinctions
>are called for.  I would delete "Note that" and "Note also that".
>
>I think these issues should be mentioned -- if only with a forward
>reference -- in either 4.4.1 or 4.4.2.  4.4.1 repeatedly refers to *the*
>SPD, strongly implying that there is only one.  If we're not talking about
>a model with separate SPDs, then this discussion has quietly added what
>are effectively two more selectors to the list in 4.4.2, and a warning
>there would be in order, since 4.4.2's wording implies that its list is
>complete.

We can reword this paragraph in section 5 and add some pointers in previous
sections, as you suggested.  We added this text when we realized that we
had not made explicit the notion that SPDs are intrinsically directional,
although I'm sure implementors have been following such an approach.  After
all, since SPD entries are cast in terms of source and destination
addresses, directionality is critical.

Steve
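As an added illustration (not part of this thread or of the draft itself), a small Python model of the directional, per-interface SPD that the quoted section 5 text describes: entries live in a nominally separate table per (interface, direction), so an OUTBOUND entry written in terms of source and destination addresses does not cover the reply traffic, which needs its own INBOUND entry. The entry layout, the interface names, the sample addresses and the "no match means DISCARD" default are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SpdEntry:
    """Constructed SPD entry: only address selectors, for brevity."""
    src: str      # source address selector (CIDR)
    dst: str      # destination address selector (CIDR)
    action: str   # PROTECT, BYPASS or DISCARD


class DirectionalSpd:
    """One nominally separate, ordered SPD per (interface, direction)."""

    def __init__(self):
        self._tables = {}  # (iface, direction) -> ordered list of SpdEntry

    def add(self, iface, direction, entry):
        self._tables.setdefault((iface, direction), []).append(entry)

    def lookup(self, iface, direction, src, dst):
        # First matching entry wins; an empty or non-matching table
        # yields DISCARD (assumed default for this model).
        for e in self._tables.get((iface, direction), []):
            if ip_address(src) in ip_network(e.src) and ip_address(dst) in ip_network(e.dst):
                return e.action
        return "DISCARD"


def demo():
    """Shows why direction and interface behave like two extra selectors."""
    spd = DirectionalSpd()
    spd.add("eth0", "OUTBOUND", SpdEntry("10.0.0.0/24", "192.168.1.0/24", "PROTECT"))

    # The outbound packet matches the OUTBOUND table on eth0.
    out = spd.lookup("eth0", "OUTBOUND", "10.0.0.5", "192.168.1.7")
    # Reply traffic has src/dst swapped and arrives INBOUND: no entry there yet.
    back = spd.lookup("eth0", "INBOUND", "192.168.1.7", "10.0.0.5")
    # The mirrored INBOUND entry has to be added explicitly.
    spd.add("eth0", "INBOUND", SpdEntry("192.168.1.0/24", "10.0.0.0/24", "PROTECT"))
    back_after = spd.lookup("eth0", "INBOUND", "192.168.1.7", "10.0.0.5")
    # A second IPsec-enabled interface has its own SPD and shares nothing.
    other = spd.lookup("eth1", "OUTBOUND", "10.0.0.5", "192.168.1.7")
    return out, back, back_after, other
```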