I already sent some comments, but now, when checking the modified
draft, I found some other nits that might need to be fixed at some
point (I will still put the document forward today; the authors can
fix those later when they have time, or when they get other comments
during the IETF Last Call, etc.).
In section 2.2 we have text:
    If the Security Label traffic selector is optional from a
    configuration point of view, an initiator will add the TS_SECLABEL to
    the TSi/TSr Payloads. If the responder replies with TSi/TSr Payloads
    that include the TS_SECLABEL, then the Child SA MUST be created
    including the negotiated Security Label. If the responder did not
    include a TS_SECLABEL in its response, then the initiator (which
    deemed the Security Label optional) will install the Child SA without
    including any Security Label. If the initiator required the
    TS_SECLABEL, it MUST NOT install the Child SA and it MUST send a
    Delete notification for the Child SA so the responder can uninstall
    its Child SA.
and in section 3 we have text:
    If a TS_SECLABEL is deemed optional, the initiator SHOULD first try
    to negotiate the Child SA with the TS payload including the optional
    TS_SECLABEL. If such a negotiation results in receiving a
    TS_UNACCEPTABLE Error Notify, it SHOULD attempt a new Child SA
    negotiation using the same TS but without the optional TS_SECLABEL.
These do not match. I suggest just removing the section 3 text, as
this is already explained in section 2.2. Or perhaps move the
text from section 2.2 to section 3, replacing that old section 3
paragraph with the text moved from section 2.2.
In section 3.1 it would be nice to use properly formatted
IP addresses. Now it looks like you are negotiating some 24-bit
FC addresses, as your IP addresses only have 3 bytes in them:
    TSi = ((17,24233,198.51.12-198.51.12),
           (17,0,192.0.2.0-192.0.2.255),
           (0,0,198.51.0-198.51.255),
           TS_SECLABEL1, TS_SECLABEL2)

and

    TSi = ((0,0,198.51.0-198.51.255),
           TS_SECLABEL1)
Replace 198.5.12 with something like 198.5.0.12, 192.51.0 with
192.51.0.0, and 192.51.255 with 192.51.0.255, or something... There is
also one 192.51.0/24 in Section 3.2 that should be changed to
192.51.0.0/24.
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
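An added illustration of the two nits above, not part of the message or of the draft: a small parser for the draft's TS notation that validates every address with the standard library (so the three-octet addresses from the section 3.1 example are flagged), plus the initiator's decision from the section 2.2 text. The notation, the function names, and the corrected TSi/TSr inputs are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical model of the draft's TS notation: (protocol, port, start-end)
# entries plus TS_SECLABELn entries. Not an IKEv2 implementation.
ADDR_TS = re.compile(r"\((\d+),\s*(\d+),\s*([\d.]+)-([\d.]+)\)")
LABEL_TS = re.compile(r"TS_SECLABEL\d+")

@dataclass(frozen=True)
class TrafficSelectors:
    addr_ranges: tuple   # (proto, port, start, end) with valid addresses only
    seclabels: tuple     # TS_SECLABEL names present in the payload
    malformed: tuple     # address strings that are not valid IPv4/IPv6

def parse_ts(text: str) -> TrafficSelectors:
    """Parse one TSi/TSr line in the draft's notation and validate addresses."""
    ranges, bad = [], []
    for proto, port, start, end in ADDR_TS.findall(text):
        ok = True
        for addr in (start, end):
            try:
                ipaddress.ip_address(addr)
            except ValueError:       # e.g. '198.51.12' has only three octets
                bad.append(addr)
                ok = False
        if ok:
            ranges.append((int(proto), int(port), start, end))
    return TrafficSelectors(tuple(ranges), tuple(LABEL_TS.findall(text)), tuple(bad))

def initiator_action(label_required: bool, responder_ts: TrafficSelectors) -> str:
    """Section 2.2 rule seen from the initiator, given the responder's TSi/TSr."""
    if responder_ts.seclabels:
        return "install Child SA with negotiated Security Label"
    if label_required:
        return "do not install; send Delete for the Child SA"
    return "install Child SA without Security Label"

# Constructed inputs: the section 3.1 example as drafted, and a corrected form.
TSI_AS_DRAFTED = ("TSi = ((17,24233,198.51.12-198.51.12), (17,0,192.0.2.0-192.0.2.255), "
                  "(0,0,198.51.0-198.51.255), TS_SECLABEL1, TS_SECLABEL2)")
TSI_CORRECTED = ("TSi = ((17,24233,198.51.0.12-198.51.0.12), (17,0,192.0.2.0-192.0.2.255), "
                 "(0,0,198.51.0.0-198.51.0.255), TS_SECLABEL1, TS_SECLABEL2)")
TSR_NO_LABEL = "TSr = ((0,0,198.51.0.0-198.51.0.255))"   # responder dropped the label

if __name__ == "__main__":
    print(parse_ts(TSI_AS_DRAFTED).malformed)
    print(initiator_action(False, parse_ts(TSR_NO_LABEL)))
    print(initiator_action(True, parse_ts(TSR_NO_LABEL)))
```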