Hi!

I performed an AD review of draft-ietf-ipsecme-ikev2-auth-announce-04.  Thanks 
for the work on this document.  I have the following feedback:


** Section 3.1
If the initiator is configured to use Extensible Authentication Protocol (EAP) 
for authentication in IKEv2 (see Section 2.16 of [RFC7296]), then it SHOULD NOT 
send the SUPPORTED_AUTH_METHODS notification.

-- Since SHOULD NOT vs. MUST NOT is used, under what circumstances would it be 
appropriate to use EAP + SUPPORTED_AUTH_METHODS?

** Section 3.2

If more authentication methods are defined in future, the corresponding 
documents must describe the semantics of the announcements for these methods.

-- Should this be a s/must/MUST?

** Section 3.2
The blob always starts with an octet containing the length of the blob followed 
by an octet containing the authentication method. Authentication methods are 
represented as values from the "IKEv2 Authentication Method" registry defined 
in [IKEV2-IANA].

-- The reference in [IKEV2-IANA] is incorrect.  It should be pointing to 
Parameter 12.

OLD
[IKEV2-IANA]
    IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters", 
<http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-7>.

NEW
[IKEV2-IANA]  IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters",
<https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12>

** Section 3.2.3.  Please provide a normative reference for DER.  I believe it is:

   [X.690]    ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
              Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER).

** Section 5.  Please add that the Security Considerations of the specifically 
negotiated auth methods apply.

** Section 6.  The “Notify Message Types - Status Types” registry has three 
fields.  Please formally say that this document should be the reference.

Thanks,
Roman
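
An added illustration, not part of the message above or of the draft: a defensive parser for the blob layout quoted in the second Section 3.2 comment (a length octet, then an authentication method octet). It assumes the length octet counts the whole blob including itself, and it treats any octets after the method as opaque; `parse_auth_announcements`, `describe` and `SAMPLE` are names made up for this example.

```python
# Added example: walks the blob list from a SUPPORTED_AUTH_METHODS notification.
# Assumption: the length octet counts the whole blob, itself included, so the
# smallest valid blob is 2 octets (length + authentication method).
from typing import List, Tuple

# Subset of the IANA "IKEv2 Authentication Method" registry, for display only.
AUTH_METHOD_NAMES = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    3: "DSS Digital Signature",
    13: "NULL Authentication",
    14: "Digital Signature",
}


class MalformedAnnouncement(ValueError):
    """Raised when the notification data cannot be split into blobs."""


def parse_auth_announcements(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (auth_method, trailing_octets) for each blob in data."""
    blobs = []
    offset = 0
    while offset < len(data):
        length = data[offset]
        if length < 2:
            # Length 0 would never advance; length 1 leaves no method octet.
            raise MalformedAnnouncement(
                f"blob at offset {offset}: length {length} is below 2")
        end = offset + length
        if end > len(data):
            raise MalformedAnnouncement(
                f"blob at offset {offset}: length {length} overruns the "
                f"{len(data) - offset} octets that remain")
        blobs.append((data[offset + 1], data[offset + 2:end]))
        offset = end
    return blobs


def describe(blobs: List[Tuple[int, bytes]]) -> List[str]:
    """Map parsed blobs to registry names, flagging values not in the table."""
    return [AUTH_METHOD_NAMES.get(m, f"not in table ({m})") for m, _ in blobs]


# Constructed sample: two 2-octet blobs and one 3-octet blob.
SAMPLE = bytes([2, 2, 2, 13, 3, 14, 1])
```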