[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Ipsec] Some (hopefully final) comments to thedraft-ietf-ipsec-ikev2-15.txt

To: ipsec@ietf.org
Subject: [Ipsec] Some (hopefully final) comments to thedraft-ietf-ipsec-ikev2-15.txt
From: Tero Kivinen <kivinen@iki.fi>
Date: Wed, 25 Aug 2004 12:17:03 +0300
Cc: angelos@cs.columbia.edu, tytso@mit.edu, byfraser@cisco.com, charliek@microsoft.com, housley@vigilsec.com, smb@research.att.com
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Sender: ipsec-bounces@ietf.org

I just finished reading the draft-ietf-ipsec-ikev2-15.txt completely
again. I found some small points, which probably can either be left as
they are or fixed during the authors 48 hours notice...

Perhaps the area directors can confirm whether we can fix those in
last edit phase, if not, then I think we can just leave the changes
out (the only real issue is the issue number 3 below, as it will
affect interoperability).

----------------------------------------------------------------------

1) Section 3.6 Certificate Payload refers X.509 certificates and CLRs
   as a BER encoded x.509 certificate / CRL. I think it should use DER
   instead of BER. Of course DER is a subset of BER, so all DER
   encoded objects are also BER encoded, but not other way around, and
   the certificates etc must always DER encoding, as it must be same
   regardless who encoded it.

   I have seen some LDAP servers who took DER encoded certificate, and
   re-encoded it using BER when sending it out, and that of course
   caused the signatures to fail etc.

so change

      X.509 Certificate - Signature (4) contains a BER encoded X.509
      certificate whose public key is used to validate the sender's AUTH
      payload.

      Certificate Revocation List (7) contains a BER encoded X.509
      certificate revocation list.

to

      X.509 Certificate - Signature (4) contains a DER encoded X.509
      certificate whose public key is used to validate the sender's AUTH
      payload.

      Certificate Revocation List (7) contains a DER encoded X.509
      certificate revocation list.


and 

      Hash and URL encodings (12-13) allow IKE messages to remain short
      by replacing long data structures with a 20 octet SHA-1 hash of
      the replaced value followed by a variable length URL that resolves
      to the BER encoded data structure itself. ...

to

      Hash and URL encodings (12-13) allow IKE messages to remain short
      by replacing long data structures with a 20 octet SHA-1 hash of
      the replaced value followed by a variable length URL that resolves
      to the DER encoded data structure itself. ...

----------------------------------------------------------------------

2) Section 3.7 Certificate Request Payload refers still in one place
   to CA name instead of the hash of the CA public key.

so change

   means. Thus the processing of a CERTREQ CA name should be seen as a
   suggestion for a certificate to select, not a mandated one. If no
   certificates exist then the CERTREQ is ignored. This is not an error

to

   means. Thus the processing of a CERTREQ should be seen as a
   suggestion for a certificate to select, not a mandated one. If no
   certificates exist then the CERTREQ is ignored. This is not an error

There is also extra " at the end of that paragraph, which can be
removed at the same time...

----------------------------------------------------------------------

3) Section 3.15.1 Configuration Attributes has a table listing which
   of the attributes are multivalued and which are not. The
   INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET are listed in the table
   as NO (i.e. not multivalued), but the describing text later says
   "The responder MAY respond with zero or more sub-network
   attributes.", which indicates that they should be multivalued.

   As it do make sense to send multiple subnets, I think the text is
   correct and the table is incorrect.

so change:

         INTERNAL_IP4_SUBNET     13    NO    0 or 8 octets
         SUPPORTED_ATTRIBUTES    14    NO    Multiple of 2
         INTERNAL_IP6_SUBNET     15    NO    17 octets

to

         INTERNAL_IP4_SUBNET     13    YES   0 or 8 octets
         SUPPORTED_ATTRIBUTES    14    NO    Multiple of 2
         INTERNAL_IP6_SUBNET     15    YES   17 octets

----------------------------------------------------------------------

4) RFC2401bis reference should have the draft name, as it would make
   rfc-editors life easier when finding the correct reference, and
   fixing it to match the rfc number.

so change:

   [RFC2401bis] Kent, S. and Atkinson, R., "Security Architecture
              for the Internet Protocol", un-issued Internet
              Draft, work in progress.

to

   [RFC2401bis] Kent, S. and Atkinson, R., "Security Architecture
              for the Internet Protocol", draft-ietf-ipsec-
	      rfc2401bis-02.txt, April 2004, work in progress.
-- 
kivinen@safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] Some (hopefully final) comments to thedraft-ietf-ipsec-ikev2-15.txt
  - From: Russ Housley <housley@vigilsec.com>

Prev by Date: [Ipsec] RE: Saving of one exchange in case of DOS attack
Next by Date: [Ipsec] Is AH + ESP required or needed in IKEv2
Previous by thread: [Ipsec] RE: Saving of one exchange in case of DOS attack
Next by thread: Re: [Ipsec] Some (hopefully final) comments to thedraft-ietf-ipsec-ikev2-15.txt
Index(es):
- Date
- Thread