[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: I-D ACTION:draft-kobayakawa-ipsec-ipv6-pnpipsec-reqts-00.txt
On Thu, 31 Oct 2002 Internet-Drafts@ietf.org wrote:
> Title : Requirements for Plug and Play IPsec for IPv6
> applications
> Author(s) : T. Kobayakawa, S. Miyakawa
> Filename : draft-kobayakawa-ipsec-ipv6-pnpipsec-reqts-00.txt
> Pages : 5
> Date : 2002-10-30
>
> This document describes requirements about how IPsec is supplemented
> for IPv6 Plug and Play applications.
Comments.
Substantial:
There is another reason for Internet users to choose IPv6. IPv6 is
believed to be equipped with IPsec as default, and many users choose
IPv6 because of IPsec. However, IPsec is independent from version
numbers of IP, and IPv6 does not have special advantages for IPsec.
We have two options to cope with this myth:
==> "no special advantages" is not true. Well, directly, there seem to be
no special advantages. But increased address space and e2e addressing
make e2e IPSEC much easier -- NAT boxes severely hinder IPSEC usability.
However, we should
not mandate the existence of this outside server because there are
many situations in which such servers are not available, and IP layer
authentication and Man-in-the-Middle protection are not important.
==> I don't understand this at all. Please elaborate a bit. I fail
to see cases when MITM protection is irrelevant.
After the establishment of this security level of IPsec SAs,
authentication, authorization, accounting, and Man-in-the-Middle
prevention are added on to those SAs.
==> how are these added there? I fail to see how establishing possibly
MITM'ed "authenticated" IPSEC SA's helps _any_ with this.
==> You forgot Security Considerations section. I believe using IPSEC
when it's known to be possibly wrong is not good -- no security is better
than false sense of security.
Editorial:
==> many places s/configurations/configuration/
abundant (IPv4 global addresses are not, especially in Asia.) Such
peer-to-peer applications often require authentication and secrecy
mechanisms, which are provided by IPsec.
==> s/are provided/can be provided/
Many IPv6 applications assume embedded devices without keyboard and
display. For embedded devices, maintaining X.509 certificate, such
as Certificate Update and Certificate Revocation Handling, is too
heavy and often diminishes the usability.
==> reword this, the latter part isn't clearly related to _maintaining_
certificates.
but it's not practical to apply to IP communications.) Assuming no
==> s/.)/)./
Just "key-exchange-before-all-the-communication" does not work
because it forces delay on all the communications regardless of this
kind of IPsec supports.
==> reword the last part, e.g. "support for PnP IPSEC".
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords