
Re: Some comments to draft-ietf-ipsec-ikev2-00.txt





>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
    Tero> Just a side note, that in road warrior cases the normal TSi and TSr
    Tero> are going to be the traffic selectors for the DHCP over ipsec SA which
    Tero> is used to get the internal IP address for the host.

  Do you think that we need some special TSx to indicate this kind of
situation?

    Tero> Proposal and transform substructures are missing the criticality flags
    Tero> included in all other generic payload headers. I think it would be
    Tero> better to have only one generic payload header format... 

  I would agree. Even if we agree that proposals are never "critical" (not
understanding a proposal means you do not select it), we should reserve the
bit there.

    >> For Transform Type 3 (Authentication Method), defined Transform-IDs
    >> are:
    >> 
    >> Name                        Number              Defined In
    >> RESERVED                      0
    >> Methods in IKEv1              1 - 5             (RFC2409)
    >> Authenticated Diffie-Hellman  6                 (this memo)

    Tero> Why do we need methods for IKEv1 here? This is in completely separate
    Tero> place compared to IKEv1, so compatibility cannot be the issue,
    Tero> especially when none of the numbers defined by IKEv1 are used
    Tero> here (and I don't assume any of the numbers are going to be used).

  Just to keep the number of number spaces to a minimum?

    Tero> I think it would be better to change the format of subnet selectors to
    Tero> be IPVx_ADDRESS + Number of bits in the mask. It would remove the
    Tero> problem of what to do when the other end proposes mask 0xff00ff00?
    Tero> (According to above it is completely valid :-)

  I think this is reasonable.
  It would be nice if we could have IPVx_ADDRESS+prefixlen be the ONLY format
supported. But it has to be the RANGE version, since that is the most general.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

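The three selector encodings argued over above (address+mask, address+prefixlen, address range), worked through in constructed Python that is not part of the thread or of any IKEv2 implementation: it rejects non-contiguous masks such as 0xff00ff00, maps a prefix to the range it covers, and shows that an arbitrary range may need several prefixes, which is why the range form is the most general.

```python
"""Constructed example: IPsec traffic-selector encodings and their pitfalls."""
import ipaddress
from typing import List, Tuple

IPV4_ALL_ONES = 0xFFFFFFFF


def mask_is_contiguous(mask: int) -> bool:
    """True if a 32-bit IPv4 mask is a run of ones followed by zeros.

    A mask like 0xff00ff00 is syntactically valid in an address+mask
    selector but has no single sane interpretation; a receiver should
    reject it rather than guess.
    """
    if not 0 <= mask <= IPV4_ALL_ONES:
        return False
    ones = bin(mask).count("1")
    return mask == (IPV4_ALL_ONES << (32 - ones)) & IPV4_ALL_ONES


def mask_to_prefixlen(mask: int) -> int:
    """Convert a contiguous IPv4 mask to its prefix length, else raise."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"non-contiguous or invalid mask: {mask:#010x}")
    return bin(mask).count("1")


def subnet_to_range(addr: str, prefixlen: int) -> Tuple[str, str]:
    """IPVx_ADDRESS + prefixlen -> (first, last) address of the covered range.

    strict=False lets a host address inside the subnet stand for the subnet,
    so 192.0.2.77/24 yields the same range as 192.0.2.0/24 (IPv4 and IPv6).
    """
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return str(net[0]), str(net[-1])


def range_to_prefixes(first: str, last: str) -> List[str]:
    """Decompose an inclusive address range into the prefixes covering it.

    One entry means the range is expressible as addr+prefixlen; several
    entries show a range that the prefix form alone cannot carry, which is
    the case for keeping the RANGE selector as the most general encoding.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
```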

