At 5:24 PM +0300 4/14/10, Tero Kivinen wrote: >In the section 1.2 the text > > The recipients of messages 3 and 4 MUST verify that all signatures > and MACs are computed correctly. > >was changed to > > Both parties in the IKE_SA_INIT exchange MUST verify that all > signatures and MACs are computed correctly. > >which is wrong, as IKE_SA_INIT is messages 1 and 2, IKE_AUTH is the >messages 3 and 4. IKE_SA_INIT messages do not have signatures or MACs.
Good catch: fixed in -10. >---------------------------------------------------------------------- >In the section 2.23 the following text was removed: > >"UDP encapsulation MUST NOT be done on port 500." > >I think that text should still be there. Agree. > >Also you removed mandatory requirement for listening port 4500 if >NAT-T is supported. So I would add the first bullet back. I do not >understand why it this was removed: > > o IKE MUST listen on port 4500 as well as port 500. IKE MUST > respond to the IP address and port from which packets arrived. > >Yes, the last part is explained multiple time, but it is especially >important for NAT-T case, which makes it worth of repeating in this >requirement list. This was removed because it appears in a list that is preceded with "In this section only, requirements listed as MUST apply only to implementations supporting NAT traversal." As you say, it also applies even if NAT traversal is not supported. >---------------------------------------------------------------------- >In section 2.25 there is typo: > >s/REYEY_SA/REKEY_SA/ Done. >---------------------------------------------------------------------- >In section 3.3.1 the -09 version says: > >"the SPI is obtained from the outer IP header." > >which is completely wrong. IP header does not have SPI field, the IKE >header has SPI field. Remove the offending "IP" which was added in >last version. Done. --Paul Hoffman, Director --VPN Consortium _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
