
IKEv2 draft nits



1) AUTH IDs are allocated to the IANA for assignment, CERT IDs are not -
   this is problematic because the two will generally go together and so
   should be allocated together.

   Sections 3.6 and 6 should be updated to show that CERT IDs are to be
   allocated by the IANA.


2) A number of CERT IDs are allocated without corresponding
   specifications being available.  Either this should be noted and such
   allocations marked as "reserved for ..." or, if no one uses them,
   these reservations should be removed.

   The existing AUTH IDs obviously do not apply to at least one
   CERT ID ("Kerberos Token").

   Presumably "Kerberos Token" means an AP-REQ for the initiator and an
   AP-REP for the responders, followed by KRB-SAFE(auth octets)
   exchanges as AUTH values - except that no such AUTH ID is allocated!

   Is the "Kerberos Token" CERT used at all?  If not, you may want to
   remove it - otherwise this I-D could use some clarification wrt
   "Kerberos Token."


3) Rather than allocate a CERT and AUTH ID to "Kerberos Token," if you
   still would, it really would be better still to allocate a CERT and
   AUTH ID to "GSS-API Token."


4) The text in section 2.15 describing the octets to be signed by the
   AUTH payloads is rather, er, informal; if there's any way to make the
   description more formal, please do so.


Cheers,

Nico
--