[IPsec] CORRECTION: One last review: draft-ietf-ipsecme-ikev2bis

Wed, 14 Apr 2010 07:25:43 -0700 

Paul Hoffman writes:
> I have revised the IKEv2bis draft with the IETF Last Call comments.
> It is available at
> <http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-09>. The
> diff is at
> <http://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-ikev2bis-09.txt>. 
> 
> This is the WG's final chance for review before this is sent to the
> IESG for their approval. Yaron will ask our new AD, Sean Turner, to
> send the document to the IESG sometime early next week, so please do
> a final check NOW to see whether there are any mistakes introduced
> in the -09. Thanks! 

In the section 1.2 the text

   The recipients of messages 3 and 4 MUST verify that all signatures
   and MACs are computed correctly.

was changed to

   Both parties in the IKE_SA_INIT exchange MUST verify that all
   signatures and MACs are computed correctly.

which is wrong, as IKE_SA_INIT is messages 1 and 2, IKE_AUTH is the
messages 3 and 4. IKE_SA_INIT messages do not have signatures or MACs.

----------------------------------------------------------------------
In the section 2.23 the following text was removed:

"UDP encapsulation MUST NOT be done on port 500."

I think that text should still be there.

Also you removed mandatory requirement for listening port 4500 if
NAT-T is supported. So I would add the first bullet back. I do not
understand why it this was removed:

   o  IKE MUST listen on port 4500 as well as port 500.  IKE MUST
      respond to the IP address and port from which packets arrived.

Yes, the last part is explained multiple time, but it is especially
important for NAT-T case, which makes it worth of repeating in this
requirement list. 
----------------------------------------------------------------------
In section 2.25 there is typo:

s/REYEY_SA/REKEY_SA/

----------------------------------------------------------------------
In section 3.3.1 the -09 version says:

"the SPI is obtained from the outer IP header."

which is completely wrong. IP header does not have SPI field, the IKE
header has SPI field. Remove the offending "IP" which was added in
last version.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to