[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Revised drafts -- Arch, AH, ESP

To: Karen Seo <kseo@bbn.com>
Subject: Re: Revised drafts -- Arch, AH, ESP
From: FUKUMOTO Atsushi <fukumoto@isl.rdc.toshiba.co.jp>
Date: Tue, 07 Jul 1998 22:03:03 +0900
cc: ipsec@tis.com
In-reply-to: kseo's message of "Mon, 06 Jul 1998 18:25:58 EDT."
Sender: owner-ipsec@ex.tis.com

Regarding the capital words, I browsed through the draft and found
the following.

In section 5.2.1 "Selecting and Using an SA or SA Bundle"
              In general, a packet's source address MUST match the SA
              selector value.  However, an ICMP packet received on a tunnel
              mode SA MAY have a source address other than that bound to
              the SA and thus such packets should be permitted as
              exceptions to this check.  For an ICMP packet, the selectors

"MAY" should be "may".  Also, in my opinion, "MUST" should be "must".
Besides, the construct of this paragraph "In general... MUST...
However... should..." seems not very good.  I think it should be
something like: "Implementation MUST support exact match.
Implementation SHOULD be able to pass non-matching ICMP."


In Appendix B.3.1 "Identifying the Originating Host(s)"
   Since only the latter approach is feasible in all instances, a
   security gateway MUST provide such support, as an option.  However,
   if the ICMP message contains more information from the original
   packet, e.g., the 576 byte minimum for IPv6, then there MAY be enough
   information to immediately determine to which host to propagate the
   ICMP/PMTU message and to provide that system with the 5 fields
   (source address, destination address, source port, destination port,
   and transport protocol) needed to determine where to store/update the
   PMTU.  Under such circumstances, a security gateway MUST generate an
   ICMP PMTU message immediately upon receipt of an ICMP PMTU from
   further down the path.  NOTE: The Next Protocol field MAY not be
   contained in the 576 bytes and the use of ESP encryption MAY hide the
   selector fields that have been encrypted.

All "MAY"s should be "may".  (I wish the second "MUST" be replaced
with "SHOULD"...)


That's all for now.  I think we need some discussion whether some of
"MUST" really need to be "MUST", but I think this point was raised in
the mailing list already and the opions were "publish RFC, fix later,"
if I remember correctly.

Regards,


					FUKUMOTO Atsushi
					fukumoto@isl.rdc.toshiba.co.jp

Prev by Date: Re: IPsec and Fragmentation
Next by Date: simultaneous lifetime type support required?
Prev by thread: Re: Revised drafts -- Arch, AH, ESP
Next by thread: Re: Revised drafts -- Arch, AH, ESP
Index(es):
- Main
- Thread