[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKEv2 allocation policies
Michael,
Thanks for the list of motivations! Some comments inline:
> Motivation for these rules:
>
> IKEv2 Exchange types Standards Action.
> IKEv2 Security Protocol Identifiers Standards Action.
>
> I believe that new exchange types will be entirely new protocols, or
> significant extensions. If they are sufficiently different to be totally
> incompatible, then they could run on their own port. If they aren't
> that incompatible, then I presume that we need to think hard about this.
Yes.
> IKEv2 Encryption Transform IDs expert review.
> IKEv2 Pseudo-random Transform IDs expert review.
> IKEv2 Integrity Algorithm Transform IDs expert review.
> IKEv2 Notification IPCOMP Transform IDs expert review.
>
> Algorithms are relatively simple to standardize, and if an implementation
> does not understand them, then it can just ignore them.
Fine.
> IKEv2 Diffie-Hellman, ECP/EC2N Specification Required.
>
> If one guess wrong, then an extra round trip is required. It seems that
> there should be very little reason to have private definitions that are
> not published somewhere.
Ok.
> IKEv2 Payload Types Specification Required.
>
> New payloads will be significant features, so need to be described.
> IKEv1's lack of a critical bit meant it was effectively Standards Action,
> so this is a relaxation.
Hmm.... I think Specification Required is quite weak. Does this mean
that with the critical bit set to 1, a vendor (with documentation) can
prevent interoperability with a base RFC compliant IKEv2 implementation?
How about IESG Approval or IETF Consensus? Or Specification Required
if critical = 0, IETF consensus otherwise?
> IKEv2 Transform Types Specification Required.
> IKEv2 Transform Attribute Types Specification Required.
>
> If we invent something other than authenticate, encrypt and compress,
> then I think it needs to be described well.
I think Specification Required is too weak for a 8 bit IKEv2 Transform
Type.
> IKEv2 Extended Sequence Numbers Transform IDs IETF Consenus.
>
> A new value here would require an "RFC2401bis"-bis. (128bit sequence
> numbers?)
Ok.
> IKEv2 Identification Payload ID Types Specification Required.
> IKEv2 Certificate Encodings Specification Required.
> IKEv2 Authentication Method Specification Required.
> IKEv2 Traffic Selector Types Specification Required.
Ok otherwise, but it looks like a new Traffic Selector Type would have
a major impact on RFC 2401 processing, or have I misunderstood something?
If so, IETF Consensus might be more appropriate?
> I think that new types should be explained, or it will be very hard to
> interop.
>
> IKEv2 Notification Payload Types First Come-First Served.
How about Specification Required? Is there a reason why we should not
document the notifications?
> Big wide space, with minimal impact on interop.
>
> IKEv2 Configuration Payload CFG Types Specification Required.
> IKEv2 Configuration Payload Attribute Types Specification Required.
>
> These remind me of the problems in PPP,radius,DHCP with having vendors too
> easily able to innovate (and become incompatible). Specification Required at
> least requires that there be a document that exaplain things. It shouldn't be
> too onerous, in my opinion. This could be watered down to "expert review".
Specification Required is fine for this, I think.
--Jari