[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AD review of draft-ietf-shim6-proto -- sections 15 through the end



Continuing with the review. This goes right to the end,
and I have set the state of the document to Revised ID
Needed. I will still send some summary conclusions
after thinking about the results of the review. But
overall I'm relatively happy, almost everything that
I found was just minor issues. Its a tough document
to read given its size, but very well written and
there was a very small number of obvious problems.

Substantial:

>    The Shim6 sub-layer is implemented below the IPSec layer within the
>    IP layer.  This deserves some additional considerations for a couple
>    of specific cases: First, it should be noted that the Shim6 approach
>    does not preclude using IPSEC tunnels on Shim6 packets within the
>    network transit path.  Second, in case that IPSec is implemented as
>    Bump-In-The-Wire (BITW) [7], either the shim MUST be disabled, or the
>    shim MUST also be implemented as Bump-In-The-Wire, in order to
>    satisfy the requirement that IPsec is layered above the shim.

Presumably the BITW implementation could also itself
filter out Shim6 control packets, in which case the
shim is never turned on.

>    o  An attacker which is present on the path so that it can find out
>       the context tags, can generate a R1bis message after it has moved
>       off the path.  For this packet to be effective it needs to have a
>       source locator which belongs to the context,

Really? What if CGA is used, must the R1bis even then come from a
previously known address?

Editorial:

> In this case, it reccomended that the
...
>    Shim6 follows the reccomendation defined in [28] and it informs the

Typos.

> in order to allow the congestion
> control mechanisms of the upper layers can react accordingly.

s/can/to/

>    The Shim6 sub-layer is implemented below the IPSec layer within the
>    IP layer.  This deserves some additional considerations for a couple
>    of specific cases: First, it should be noted that the Shim6 approach
>    does not preclude using IPSEC tunnels on Shim6 packets within the

Different capitalizations of IPsec, none correct.

Jari