Re: Evaluation: draft-ietf-mobileip-ipv6-21.txt
This already has a ballot, and it was started before I became a member of
the IESG. However, I have a few comments.
Comments:
Please spell out the first use of FQDN.
In section 3.1, the definition of "unicast routable address" uses the
term "site-local scope." I thought we deprecated this concept. Also, can
we simply delete section 4.6?
In section 3.1, the definition of "security association" is
consistent with RFC 2401, but I find the use of "connection" (in quotes)
misleading in this context. I prefer:
An IPsec security association is a cooperative relationship
formed by the sharing of cryptographic keying material and
associated context. Security associations are simplex.
That is, two security associations are needed to protect
bidirectional traffic between two nodes, one for each
direction.
Section 5.1 and section 5.4 say that the Encapsulating Security
Payload (ESP) protocol SHOULD be used. To ensure that interoperable
configurations emerge, I would prefer to see ESP as mandatory to
implement. This seems consistent with the requirements for ESP in section 8.
In section 5.2.5, the procedure for generating Kbm is described as:
Kbm = SHA1 (home keygen token | care-of keygen token)
or:
Kbm = SHA1(home keygen token)
The text is clear about when each formula applies. Each of the tokens is
64 bits, and the Kbm value is 20 octets. The input values are not
secrets. There is some discussion about the amount of traffic that would
be needed to spoof these messages in the Security Considerations, but it
assumes that the token values are unknown.
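Worked example of the Kbm derivation quoted above, added here as an illustration and not part of the original message or the draft. It assumes the two formulas as written (SHA-1 over the concatenated 64-bit tokens, or over the home keygen token alone when no care-of token is in use); the token values are constructed for the example. The last function makes the point about non-secret inputs concrete: anyone holding the same two tokens recomputes the identical 20-octet Kbm.

```python
import hashlib
from typing import Optional

TOKEN_LEN = 8   # each keygen token is 64 bits (8 octets), per the draft text
KBM_LEN = 20    # SHA-1 produces 160 bits (20 octets)


def derive_kbm(home_keygen_token: bytes,
               care_of_keygen_token: Optional[bytes] = None) -> bytes:
    """Binding management key as described in section 5.2.5.

    Kbm = SHA1(home keygen token | care-of keygen token)
    or, when only the home keygen token is available:
    Kbm = SHA1(home keygen token)
    """
    if len(home_keygen_token) != TOKEN_LEN:
        raise ValueError("home keygen token must be 64 bits")
    if care_of_keygen_token is None:
        return hashlib.sha1(home_keygen_token).digest()
    if len(care_of_keygen_token) != TOKEN_LEN:
        raise ValueError("care-of keygen token must be 64 bits")
    return hashlib.sha1(home_keygen_token + care_of_keygen_token).digest()


def observer_recomputes_kbm(home_keygen_token: bytes,
                            care_of_keygen_token: Optional[bytes],
                            kbm: bytes) -> bool:
    """Models a third party that has learned both tokens (e.g. by observing
    the messages that carry them). The derivation uses no secret beyond the
    tokens themselves, so such an observer reproduces Kbm exactly.
    """
    return derive_kbm(home_keygen_token, care_of_keygen_token) == kbm


# Constructed sample tokens (not values from any real exchange).
HOME_TOKEN = bytes.fromhex("0011223344556677")
CARE_OF_TOKEN = bytes.fromhex("8899aabbccddeeff")


def demo() -> dict:
    """Derive both forms of Kbm and check an observer's recomputation."""
    kbm_both = derive_kbm(HOME_TOKEN, CARE_OF_TOKEN)
    kbm_home_only = derive_kbm(HOME_TOKEN)
    return {
        "kbm_both": kbm_both,
        "kbm_home_only": kbm_home_only,
        "observer_matches": observer_recomputes_kbm(HOME_TOKEN, CARE_OF_TOKEN, kbm_both),
    }


if __name__ == "__main__":
    result = demo()
    print("Kbm (home | care-of):", result["kbm_both"].hex())
    print("Kbm (home only):     ", result["kbm_home_only"].hex())
    print("observer recomputes Kbm:", result["observer_matches"])
```

Note that the two formulas yield different keys for the same home token, since the hash input differs, and that the 20-octet output length is a property of SHA-1 rather than of the 64-bit tokens feeding it.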