Hi Zhang Dong,

Please check inline:

> > #1.
> > The incentive of the draft is to provide an alternate way to negotiate
> > an ESP SA; it will be helpful if more merits of this new approach can be
> > discussed, especially compared with IKEv2.
> [Dong] OK, I will consider it and add this part in the following version.
>
> > #2.
> > I noticed that IKE and IKEv2 were used alternately in the draft, and
> > some sentences like "CGA-SA MAY be used in all the scenarios where IKE
> > is available. The usage scenarios of IKE are stated in [RFC4306]." are
> > confusing. It will be good if you clarify which one you are talking
> > about, or both.
> [Dong] Yes, this problem will be revised.
>
> > #3
> > The draft did not tell what contents will be protected by the CGA
> > signature. Also I went to check section 3.3 (CGA Signature) of
> > draft-dong-savi-cga-header-01; I did not find the signature coverage
> > either.
> > Maybe I missed something?
> [Dong] Hmm, in the draft there is no statement about this question. IMHO,
> the signature coverage may be the whole packet. Is that OK?

[Sean] It depends on what you want to protect and on the different scenarios. For an end-to-end scenario (which I imagine is what this proposal might be good at), you may want to make sure to leave out fields which could be modified during transportation.

> > #4
> > I notice that Cert is optional in the message exchange since they are in
> > brackets. Does it mean that Certs are not REQUIRED in your trust model?
> > When [CERT] is carried, is it the chain of all certificates on the trust
> > path or just a single Cert?
> > Also I did not see which option will carry Cert.
> [Dong] Yes, the CERT is not required in my approach. I just intend to put
> it here for future use. But how to use the CERT may need further
> consideration.

[Sean] I see, I understand this is an initial version and there will be more updates. Since CGA's pub/priv keys are the only authentication choice for this SA negotiation mechanism, whether CERT is required in the trust model should be carefully considered and discussed.

> > #5
> > What if the message size exceeds the IPv6 MTU? For example, when
> > carrying a certificate.
> [Dong] The CERT is a reservation temporarily. Then I feel that this
> problem could not be a big deal. Right?

[Sean] If CERT is required in messages "I" and "R", MTU should be addressed. Of course, there should be ways to mitigate the problem, for example, use the "hash and URL" format.

Best,
Sean

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
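The point raised under #3, that signing "the whole packet" breaks as soon as an in-path router rewrites a mutable header field, as an added example (not part of the original thread, nor code from draft-dong-savi-cga-header). Assumptions: the mutable-field set (Traffic Class, Flow Label, Hop Limit) is the one RFC 4302 AH zeroes before its ICV; HMAC-SHA256 stands in for the RSA signature a real CGA header option would carry, because the RFC 3972 key pair is not modelled; the packet builder, the function names and the sample addresses and payload are constructed for the run.

```python
"""Signature coverage for an end-to-end CGA-signed IPv6 packet (added example).

Mutable header fields (Traffic Class, Flow Label, Hop Limit) are zeroed
before signing, as RFC 4302 (AH) does, so a router rewriting them in
transit does not invalidate the signature. HMAC-SHA256 is a stand-in for
the RSA signature a CGA header option would carry (assumption).
"""
import hashlib
import hmac

IPV6_HDR_LEN = 40  # fixed IPv6 header, RFC 8200


def build_ipv6_packet(src, dst, payload, hop_limit=64, traffic_class=0,
                      flow_label=0, next_header=59):
    """Serialise a minimal IPv6 packet: fixed header + payload.

    next_header 59 = No Next Header; a real packet would hang the CGA
    Destination Option here, which this example leaves out.
    """
    assert len(src) == 16 and len(dst) == 16
    assert traffic_class < 256 and flow_label < (1 << 20)
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    header = (first_word.to_bytes(4, "big")
              + len(payload).to_bytes(2, "big")
              + bytes([next_header, hop_limit])
              + src + dst)
    return header + payload


def signature_input(packet):
    """Bytes the signature covers: the packet with mutable fields zeroed."""
    hdr = bytearray(packet[:IPV6_HDR_LEN])
    hdr[0] &= 0xF0          # keep Version, zero Traffic Class high nibble
    hdr[1] = 0              # Traffic Class low nibble + Flow Label high bits
    hdr[2] = hdr[3] = 0     # remaining Flow Label bits
    hdr[7] = 0              # Hop Limit
    # Payload Length, Next Header, Source and Destination stay covered.
    return bytes(hdr) + packet[IPV6_HDR_LEN:]


def sign(key, packet):
    return hmac.new(key, signature_input(packet), hashlib.sha256).digest()


def verify(key, packet, sig):
    return hmac.compare_digest(sign(key, packet), sig)


def naive_sign(key, packet):
    """The 'whole packet' coverage suggested in the thread, for comparison."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def naive_verify(key, packet, sig):
    return hmac.compare_digest(naive_sign(key, packet), sig)


def forward_through_router(packet, dscp=None):
    """Simulate in-path handling a router is allowed to do: decrement
    Hop Limit and optionally re-mark the DSCP bits of Traffic Class."""
    p = bytearray(packet)
    p[7] -= 1
    if dscp is not None:
        tc = dscp << 2
        p[0] = (p[0] & 0xF0) | (tc >> 4)
        p[1] = ((tc & 0x0F) << 4) | (p[1] & 0x0F)
    return bytes(p)


# Constructed sample input: two link-local addresses, a dummy key, a payload.
SRC = bytes.fromhex("fe80000000000000" "0211aabbccddeeff")
DST = bytes.fromhex("fe80000000000000" "0222aabbccddeeff")
KEY = b"stand-in for the CGA private key"
PACKET = build_ipv6_packet(SRC, DST, b"CGA-SA negotiation message I")


def demo():
    """Return (masked_ok, naive_ok, tampered_ok) after one router hop."""
    sig = sign(KEY, PACKET)
    naive = naive_sign(KEY, PACKET)
    forwarded = forward_through_router(PACKET, dscp=0x2E)
    # Same-length payload swap: Payload Length is unchanged, content is not.
    tampered = forwarded[:IPV6_HDR_LEN] + b"CGA-SA negotiation message X"
    return (verify(KEY, forwarded, sig),
            naive_verify(KEY, forwarded, naive),
            verify(KEY, tampered, sig))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The first result shows the masked coverage surviving a Hop Limit decrement and a DSCP re-mark; the second shows the whole-packet signature from the thread failing on the very same hop; the third shows the masked coverage still catching a payload change. Whatever field ends up carrying the signature itself must also be zeroed in the covered bytes, which the draft would need to state explicitly.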
