On Mon, 2010-08-02 at 09:36 -0400, Paul Moore wrote:
> On Mon, 2010-08-02 at 08:18 -0400, David P. Quigley wrote:
> > On Fri, 2010-07-30 at 16:49 -0400, Paul Moore wrote:
> > > On Wed, 2010-07-28 at 00:30 -0700, jarrett...@oracle.com wrote:
> > > > A new 00 version of IKEv2 extension for security label has just been 
> > > > published:
> > > > 
> > > > http://tools.ietf.org/html/draft-jml-ipsec-ikev2-security-label-00
> > > > 
> > > > Authors welcome comments from IPsec community.
> > > 
> > > Having just read the draft I think it is a bit difficult to perform any
> > > in-depth review without the LFS document (which is described as a work
> > > in progress); there just isn't any real substance in this draft in my
> > > opinion.
> > 
> > What sort of substance are you looking for? The whole point of the LFS
> > document was that we could abstract the actual semantics and format of
> > labeling away and focus on the actual protocol instead. The Labeled
> > IPSec document should be able to be looked at without having to do so in
> > the context of a specific label type.
> 
> Basically I'm looking for the kind of substance that one could use to
> implement the protocol; reading this draft I just don't have that
> information.  Perhaps the best example is in section 4.1, "Attribute
> Negotiation"; there is only some very vague text about failing
> negotiations if the label format is unrecognized, no concrete details
> about how to deal with recognized label formats with invalid and/or
> unauthorized labels.  I could go on, but hopefully this is enough to
> demonstrate my point.

The point of bringing this to the list for discussion is for issues like
this to come to the surface, so I would ask that you give an extensive
list of comments. Handling unauthorized labels has nothing to do with
the LFS work, so it is definitely something worth bringing to light. Now
the question is whether that kind of information would be something
traditionally given in the Security Architecture document. When I was
talking with Paul Hoffman about the Labeled IPSec document he said that
we should remove information that is traditionally associated with the
SA document as his assertion was if you're using security labels you
already know how to use them. He was of the belief that this document
should just be the protocol information and security labels and their
usage are not important for this document.

Dave

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
