Hi Zhang Dong,

I read draft-dong-esp-sa-cga-00 and find that it presents an interesting idea. I have a few questions and comments:

#1. The motivation of the draft is to provide an alternative way to negotiate an ESP SA. It would be helpful if more merits of this new approach were discussed, especially compared with IKEv2.

#2. I noticed that IKE and IKEv2 are used interchangeably in the draft, and sentences such as "CGA-SA MAY be used in all the scenarios where IKE is available. The usage scenarios of IKE are stated in [RFC4306]." are confusing. It would be good if you clarified which one you are talking about, or both.

#3. The draft does not say which contents are protected by the CGA signature. I also went to check section 3.3 (CGA Signature) of draft-dong-savi-cga-header-01, and I did not find the signature coverage there either. Maybe I missed something?

#4. I notice that Cert is optional in the message exchange, since it appears in brackets. Does this mean that Certs are not REQUIRED in your trust model? When [CERT] is carried, is it the chain of all certificates on the trust path or just a single Cert? Also, I did not see which option will carry the Cert.

#5. What if the message size exceeds the IPv6 MTU, for example when carrying a certificate?

Best,
Sean
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
