Dear Dennis,

> the next (05) revision of the Babel authentication I-D is available at:
> http://tools.ietf.org/html/draft-ovsienko-babel-hmac-authentication-05

I had read a previous version of your draft, but I've now started a very careful read of -05, reading every single comma and picking as many nits as I can. Unfortunately, I've been interrupted at page 14 by other stuff (as in student exams and plumber visits). Since I won't have time before the week-end to resume my read, here's a summary of what I think right now.

The document (or at least the first 14 pages) is beautifully written and very clear -- whenever I had a question, I found out it was answered immediately after it occurred to me. I have a number of minor rewordings to suggest to you, but they're really not that important.

On the other hand, there is one point that I strongly disagree with (1), and one point that I don't understand (2).

1. In Section 3.1, you say that the default value of RxAuthRequired MUST be TRUE. I strongly disagree with that -- this requirement is going to be disregarded by most implementations if you keep it a MUST. I think that the default value SHOULD be TRUE if there are any CSAs configured, and FALSE otherwise. I'm pretty sure about the SHOULD -- there are perfectly legitimate reasons to sign the packets you send but promiscuously accept any packets you hear.

2. In Section 2.1, you specify two distinct hash algorithms as mandatory-to-implement: RIPEMD-160 and SHA-1. Not being a crypto specialist myself, I would have expected just one mandatory-to-implement algorithm. I'd appreciate it if you could clarify why you need two.

Thanks again for your work,

-- Juliusz

