Sorry for the delay.

I believe the draft is in good shape, but I do have some comments.

1. ESN is mentioned as optional for IKEv1 and included in IKEv2. It is not 
mentioned that this is an optional feature for IPsec (both old and new).

2. Section 4.2.1 describes RFC 4478 (authentication lifetime). It says "This 
document defines a new informational message that...". Instead it should say 
"This document defines a new status notification that...". Also, after "unless 
the initiator re-authenticates" I would add "within a specified period of time".

3. Section 5.6 describes the cryptographic suite documents (RFC 4308 and 4869), 
including the algorithms these documents specify (encryption, data integrity 
and DH group). It does not mention the not-so-obvious fact that RFC 4869 also 
requires the use of ECDSA for public keys used for authentication (if public 
keys are used), whereas 4308 makes no such requirement.

4. Section 8.7 describes RoHC RFCs that relate to IPsec. I think it should also 
mention the soon-to-be-published drafts about compressing IPsec traffic:
 - draft-ietf-rohc-ipsec-extensions-hcoipsec
 - draft-ietf-rohc-ikev2-extensions-hcoipsec
 - draft-ietf-rohc-hcoipsec


In addition to these, a few nits:

1. The document capitalizes the name of the WG as IPsecme. I think we like 
using IPsecME, no?

2. The descriptions of RFC 3947 and RFC 3948 are oddly placed. Both are in 
section 3 (IPsec) although 3947 is about IKE, and yet they are separated rather 
than following one another. I think that either 3947 should be moved to section 
4 (IKE) or that they should be moved together.

3. RFCs 3947 and 4304 (ESN) are in section 3 (IPsec) but are more appropriate 
for section 4 (IKE).

4. Section 4.2.3 describes dead peer detection. It should mention that RFC 4306 
(and the bis) call this feature "liveness check".

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec