I think this document is in very good shape, and almost ready.
The two areas where I think some more discussion may be needed are
interoperability between IoT and "real" VPNs, and the migration to the
RFC 7427 Digital Signature solution. See detailed comments below.

1.2: "an algorithm will be set to MAY", replace by "an algorithm will be
denoted here as MAY".

1.2, last paragraph: I suggest clarifying what we mean by interop with
IoT, so that we do not fragment IKE2 between the IoT and non-IoT worlds.
Something like: "Requirement levels that are marked as "IoT" apply to
IoT devices and to server-side implementations that might presumably
need to interoperate with them, including any general-purpose VPN
gateways." Maybe we should clarify it more by defining an IoT Context
and adding separate lines to some of the tables for IoT vs. non-IoT Context.

3.3: AUTH_DES_MAC - the last sentence doesn't apply to it, so the
paragraph needs to be rearranged.

4.1: have we considered making "Digital Signature" (#14) a SHOULD+
instead of a SHOULD?

4.2: aren't we trying to move the world to the generic "Digital
Signature", even if they're still using old certs? If we are, then
(gasp) PKCS1 v1.5 needs to be SHOULD. And the table should mention
sha256WithRSAEncryption.

Thanks,
Yaron

On 04/08/2016 09:09 PM, Paul Hoffman wrote:

Greetings. As discussed on the list for the past few weeks, and in the
face-to-face meeting in Buenos Aires (which, for many of us, seems to
translate to "too much beef"), draft-ietf-ipsecme-rfc4307bis is ready
for WG Last Call. We would like everyone to review it carefully, given
that there have been some significant changes over the past few months.

This WG Last Call will end on April 22. It would be grand if everyone on
this list would read the draft as if it was brand new and respond on the
list with any problems, any questions, or even just "it is ready to
progress as-is". Extra points are given for reviewers who don't wait
until the last minute.

--Paul Hoffman and Dave Waltermire

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec