[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] Proposed Last Call based revisions to IKEv2

To: "Charlie Kaufman" <charliek@microsoft.com>, <ipsec@ietf.org>
Subject: Re: [Ipsec] Proposed Last Call based revisions to IKEv2
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Date: Mon, 17 May 2004 10:36:21 -0700
Cc: Russ Housley <housley@vigilsec.com>
In-reply-to: <F5F4EC6358916448A81370AF56F211A502C25FE5@RED-MSG-51.redmond.corp.microsoft.com>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <F5F4EC6358916448A81370AF56F211A502C25FE5@RED-MSG-51.redmond.corp.microsoft.com>
Sender: ipsec-admin@ietf.org

At 10:50 PM -0700 5/15/04, Charlie Kaufman wrote:
>Issue #96, 98

Charlie has proposed changes to align with the fragmentation 
description in rfc2401bis. I have a different proposition, one that I 
think the WG may like even better than the one Charlie gave while 
still achieving the same goal of giving rfc2401bis what it needs.

One of the huge problems with IKEv1/2401 is that the specification 
for how to do things is spread among multiple RFCs. We have cleaned 
that up to a huge extent in IKEv2/2401bis. However, what Charlie 
suggests here creates the split again; I think we can nip that in the 
bud.

What I propose is that Charlie only change the following in IKEv2:

- In 3.10, add an entry under status-type notify messages:

    NON-FIRST-FRAGMENTS-ALSO                  16395

    Used for fragmentation control. See [RFC2401bis] for explanation.

- In 3.13.1, eliminate "or port is OPAQUE" in both Start Port and End 
Port descriptions.

- In 3.13.1, just before the text paragraph that starts "The 
following table lists...", add the following paragraph.

    Systems that are complying with [RFC2401bis] that wish to indicate
    "ANY" ports MUST set the start port to 0 and the end port to 65535;
    note that according to [RFC2401bis], "ANY" includes "OPAQUE". Systems
    working with [RFC2401bis] that wish to indicate "OPAQUE" ports, but
    not "ANY" ports, MUST set the start port to 65535 and the end port
    to 0.

This way, the IKEv2 document is not specifying any semantics for 
fragmentation handling, and there is no possibility of disagreement 
with 2401bis. It also separates out the semantics of OPAQUE and ANY 
in a way to make it clear that these are 2401bis constructs, not 
IKEv2 constructs.

One concern with using Charlie's text is that it would likely cause 
the need for another WG Last Call and another IETF Last Call. I 
believe the above changes could avoid that because the revisions do 
not specify any new semantics. (Russ, does that sound correct to you?)

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

References:
- [Ipsec] Proposed Last Call based revisions to IKEv2
  - From: "Charlie Kaufman" <charliek@microsoft.com>

Prev by Date: Re: [Ipsec] FW: Remaining issues for IKEv2
Next by Date: Re: [Ipsec] FW: Remaining issues for IKEv2
Previous by thread: [Ipsec] Proposed Last Call based revisions to IKEv2
Next by thread: RE: [Ipsec] Proposed Last Call based revisions to IKEv2
Index(es):
- Date
- Thread