Here's a quick review of the numerous changes between -08 and -09. Let's
get these things resolved and move the doc to the IESG.
* I'm a bit uneasy with the use of "Notify error message" instead
of the simpler (and admittedly a bit vague) "notification".
After all, these are not messages!
* 2.4: For the sake of editing you eliminated a MUST NOT; I
suggest putting it back. The original text had: "An
implementation MUST NOT continue sending on any SA if some
failure prevents it from receiving on all the associated SAs".
* "Two expected attacks", but then "this attack" in the following
sentence. I think -08 had it right, and this should be singular.
Also, the word "if" slipped from the 2nd sentence.
* "The preferred key size MUST be used as the length of SK_d,
SK_pi, and SK_pr" - this is a new MUST, are we all happy with
it?
* 2.21.2: "Extension documents may define new error notifications
with these semantics, but MUST NOT use them unless the peer has
been shown to understand them using the Vendor ID payload." The
VID payload is one possibility, but there may be others (e.g. an
earlier status notification). So I suggest adding "e.g. using
the Vendor ID payload".
* This text was removed from 2.23: "IKE MUST respond to the IP
address and port from which packets arrived". Is this
requirement covered elsewhere?
* If you insist on changing NATs to NAT's in 2.23.1, you should
make it NATs'.
* In Sec. 4, I don't think we want to say "these are some of the
features that can be omitted", implying that there are more. Why
not "these are features"?
Thanks,
Yaron
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec