Yoav Nir writes: > Issue #168 - Identifier field in the EAP payload > ================================================ > No discussion so far. I would just remove that sentence, because EAP > is specified in its own RFC, and we don't need to really specify > what goes in any of the fields. I would stay with the following: > o Identifier (1 octet) is used in PPP to distinguish replayed > messages from repeated ones. Since in IKE, EAP runs over a > reliable protocol, it serves no function here. In a response > message, this octet MUST be set to match the identifier in the > corresponding request. > > Anyone think differently?
That change is fine for me. > Issue #169 - Clarify what is "overrun" vulnerability > ==================================================== > 5: what do we mean by "leaves all SAs vulnerable to ... overrun of > either endpoint"? > > No discussion so far. The offending paragraph is this: > Repeated rekeying using CREATE_CHILD_SA without additional Diffie- > Hellman exchanges leaves all SAs vulnerable to cryptanalysis of a > single key or overrun of either endpoint. Implementers should take > note of this fact and set a limit on CREATE_CHILD_SA exchanges > between exponentiations. This document does not prescribe such a > limit. > > I agree that this is not very clear. Perhaps this is about > overrunning the message counter of IKE? Anyway, I would just drop > the "or overrun of either endpoint" bit. I agree on that, I do not know what the overrun is supposed to mean here, so removing it is fine for me. -- kivi...@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec