Re: I-D ACTION:draft-kobayakawa-ipsec-ipv6-pnpipsec-reqts-00.txt



On Thu, 31 Oct 2002 Internet-Drafts@ietf.org wrote:
> 	Title		: Requirements for Plug and Play IPsec for IPv6 
>                           applications
> 	Author(s)	: T. Kobayakawa, S. Miyakawa
> 	Filename	: draft-kobayakawa-ipsec-ipv6-pnpipsec-reqts-00.txt
> 	Pages		: 5
> 	Date		: 2002-10-30
> 	
> This document describes requirements about how IPsec is supplemented
> for IPv6 Plug and Play applications.

Comments.

Substantial:

   There is another reason for Internet users to choose IPv6.  IPv6 is
   believed to be equipped with IPsec as default, and many users choose
   IPv6 because of IPsec.  However, IPsec is independent from version
   numbers of IP, and IPv6 does not have special advantages for IPsec.
   We have two options to cope with this myth:


==> "no special advantages" is not true.  Well, directly, there seem to be 
no special advantages.  But increased address space and e2e addressing 
make e2e IPSEC much easier -- NAT boxes severely hinder IPSEC usability.

   However, we should
   not mandate the existence of this outside server because there are
   many situations in which such servers are not available, and IP layer
   authentication and Man-in-the-Middle protection are not important.

==> I don't understand this at all.  Please elaborate a bit.  I fail 
to see cases when MITM protection is irrelevant.

   After the establishment of this security level of IPsec SAs,
   authentication, authorization, accounting, and Man-in-the-Middle
   prevention are added on to those SAs.

==> how are these added there?  I fail to see how establishing possibly 
MITM'ed "authenticated" IPSEC SA's helps _any_ with this.




==> You forgot the Security Considerations section.  I believe using IPSEC 
when it's known to be possibly wrong is not good -- no security is better 
than a false sense of security.

Editorial:

==> many places s/configurations/configuration/

   abundant (IPv4 global addresses are not, especially in Asia.)  Such
   peer-to-peer applications often require authentication and secrecy
   mechanisms, which are provided by IPsec.

==> s/are provided/can be provided/

   Many IPv6 applications assume embedded devices without keyboard and
   display.  For embedded devices, maintaining X.509 certificate, such
   as Certificate Update and Certificate Revocation Handling, is too
   heavy and often diminishes the usability.

==> reword this, the latter part isn't clearly related to _maintaining_ 
certificates.

   but it's not practical to apply to IP communications.)  Assuming no

==> s/.)/)./

   Just "key-exchange-before-all-the-communication" does not work
   because it forces delay on all the communications regardless of this
   kind of IPsec supports.

==> reword the last part, e.g. "support for PnP IPSEC".

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords