Hi Sean,

Thank you for your questions and comments. Please see below.

> #1.
> The incentive of the draft is to provide an alternate way to negotiate
> ESP SA, it will be helpful if more merits of this new approach can be
> discussed, especially compared with IKEv2.

[Dong] Ok, I will consider it and add this part in the following version.

> #2.
> I noticed that IKE and IKEv2 were used alternately in the draft, and
> some sentences like "CGA-SA MAY be used in all the scenarios where IKE is
> available. The usage scenarios of IKE are stated in [RFC4306]." are
> confusing. It will be good if you clarify which one you are talking
> about or both.

[Dong] Yes, this problem will be revised.

> #3
> The draft did not tell what contents will be protected by CGA signature.
> Also I go to check section 3.3 (CGA Signature) of
> draft-dong-savi-cga-header-01, I did not find the signature coverage
> either.
> Maybe I missed something?

[Dong] Hmm, in the draft, there is no statement about this question. IMHO, signature coverage may be the whole packet. Is that ok?

> #4
> I notice that Cert is optional in message exchange since they are in
> brackets. Does it mean that Certs are not REQUIRED in your trust
> model?
> When [CERT] is carried, is it the chain of all certificates on trust
> path or just a single Cert?
> Also I did not see which option will carry Cert.

[Dong] Yes, the CERT is not required in my approach. I just intend to put it here for future use. But how to use the CERT may need further consideration.

> #5
> What if the message size exceeds IPv6 MTU? For example, when carrying
> certificate.

[Dong] The CERT is a reservation temporarily. Then I feel that this problem could not be a big deal. Right?

Thanks.

Best Regards.

Dong Zhang
Huaweisymantec Technologies Co., Ltd
