
[IPSECKEY] new draft -08

Hi, I posted my comments on Wednesday.
They are at:
     http://www.sandelman.ottawa.on.ca/lists/html/ipseckey/msg00390.html
     http://www.sandelman.ottawa.on.ca/lists/html/ipseckey/msg00391.html

I had to get the newest XML RFC bibliography to be able to format with
the suggested updates to various RFCs. (They really are new.)

I would appreciate some feedback on this.
  http://www.sandelman.ca/SSW/ietf/ipsec/key/ has the -08 draft.

Repeat of questions:

    IESG> say "unsigned"? also, why not just specify the semantics of the
    IESG> preference here, rather than pointing to a (rather unrelated) MX
    IESG> record RR? Hunting for the MX text in another document seems
    IESG> suboptimal (and results in an odd normative reference).

  Chairs? Copy and paste from 1035?
  We already reference 1035 for other reasons.

    IESG> >    Gateways listed in IPSECKEY records with lower precedence are
    IESG> >    to be attempted first.  Where there is a tie in precedence, the
    IESG> >    order should be non-deterministic.
    IESG>
    IESG> Note: the above text seems out of place, given the previous paragraph
    IESG> which just points to MX. Can't you just specify the behavior here (in
    IESG> its entirety) and remove the normative dependency?

  We could do that. Chairs?

    IESG> Bert Wijnen:

    IESG> Bigger issue:
    IESG>
    IESG> - The examples use the reverse DNS records to convey IPSECKEY record.
    IESG> Does this have some unstated assumptions about the deployment of
    IESG> IPSECKEY (e.g., to be usable, the participating nodes should record
    IESG> the RRs in reverse records), or is this just a coincidence?
    IESG> I note that the document does not discuss the deployment at all, but
    IESG> that is probably intentional.
    IESG> 
    IESG> If there is no connection to the reverse records, I'd suggest
    IESG> rewording at least 3 of the 5 examples to use e.g. "nodeX.example.com
    IESG> IN IPSECKEY ..."; if there is a requirement for reverse records, this
    IESG> issue needs to be explicitly discussed. DNS deployment folks might
    IESG> have something to say about that :-)

  Chairs: Reverse is clearly in scope here.
  Can you discuss with Bert?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
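As an added example (not part of this message or of the draft itself), a small Python parser for IPSECKEY RDATA in presentation format, followed by the gateway-selection order the quoted IESG text describes: lower precedence is attempted first, and ties are ordered non-deterministically. The five-field RDATA layout (precedence, gateway type, algorithm, gateway, public key) and the gateway-type codes are assumed from the later published RFC 4025, not taken from this page; the sample RRset is constructed.

```python
import ipaddress
import random
from collections import namedtuple

# Gateway-type codes as in the published IPSECKEY RDATA (RFC 4025).
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
IPSecKey = namedtuple("IPSecKey", "precedence gateway_type algorithm gateway public_key")


def parse_ipseckey(rdata: str) -> IPSecKey:
    """Parse presentation-format RDATA: 'precedence gw-type alg gateway [key]'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"IPSECKEY needs at least 4 fields: {rdata!r}")
    prec, gw_type, alg = (int(f) for f in fields[:3])
    gateway, key = fields[3], "".join(fields[4:])  # base64 key may span tokens
    if not (0 <= prec <= 255 and 0 <= alg <= 255):
        raise ValueError("precedence and algorithm are single octets")
    # The gateway field must agree with the declared gateway type.
    if gw_type == GW_NONE and gateway != ".":
        raise ValueError("gateway type 0 requires '.' as the gateway")
    if gw_type == GW_IPV4 and ipaddress.ip_address(gateway).version != 4:
        raise ValueError("gateway type 1 requires an IPv4 address")
    if gw_type == GW_IPV6 and ipaddress.ip_address(gateway).version != 6:
        raise ValueError("gateway type 2 requires an IPv6 address")
    if gw_type == GW_NAME and not gateway.endswith("."):
        raise ValueError("gateway type 3 requires an absolute domain name")
    if gw_type not in (GW_NONE, GW_IPV4, GW_IPV6, GW_NAME):
        raise ValueError(f"unknown gateway type {gw_type}")
    return IPSecKey(prec, gw_type, alg, gateway, key)


def attempt_order(records, seed=None):
    """Lower precedence first; records with equal precedence in random order.
    Shuffling first and then using a stable sort keeps the ties shuffled."""
    shuffled = list(records)
    random.Random(seed).shuffle(shuffled)
    return sorted(shuffled, key=lambda rec: rec.precedence)


# Constructed sample RRset for one owner name (placeholder key, not a real one).
SAMPLE_RDATA = [
    "10 1 2 192.0.2.38 QUJDREVGRw==",
    "10 3 2 gw.example.com. QUJDREVGRw==",
    "20 2 2 2001:db8::1 QUJDREVGRw==",
    "5 0 0 .",
]
```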
This is the IPSECKEY@sandelman.ca list.