Hi!
I performed a AD review of draft-ietf-ipsecme-rfc8229bis-05. Thanks for
revising RFC8229 with this new guidance. Comments are below:
** The abstract notes that many of the document updates came from deployment
experience. I'm hoping to incorporate that feedback on a particular issue.
There are a number places in this document where qualitative recommendations
are made about various network stack timers. Can quantitative recommendations
be made in any of the following:
-- Section 7.1 "If the TCP connection is no more associated with any active
IKE SA, the TCP Responder MAY close the connection to clean up resources if TCP
Originator didn't close it within some reasonable period of time."
-- Section 7.4. "In particular, it is advised that the Initiator should not act
immediately after receiving error notification and should instead wait some
time for valid response, ..."
-- Section 8.1. "If no response is received within a certain period of time
after several retransmissions ..."
-- Section 8.4. "For the client, the cluster failover event may remain
undetected for long time if it has no IKE or ESP traffic to send. "
-- Section 8.4. "if support for High Availability in IKEv2 is negotiated and
TCP transport is used, a client that is a TCP Originator SHOULD periodically
send IKEv2 messages (e.g. by initiating liveness check exchange) whenever there
is no IKEv2 or ESP traffic."
The only place I found quantitative guidance was in Section 7.3.1.
** Section 6.1. Editorial. s/with new Initiators's SPI/with the Initiator's
new SPI/
** Section 7.1 Editorial.
OLD
If the TCP connection is no more
associated
NEW
If the TCP connection is no longer associated
** Section 7.3 Should something be said about the utility of mixing both SYN
Cookies and IKEv2 Cookies?
** Section 7.3
* the exchange Responder SHOULD NOT request a Cookie, with the
exception of Puzzles or in rare cases like preventing TCP Sequence
Number attacks.
I'm having trouble following this guidance. Is this saying "you SHOULD NOT
send IKEv2 Cookies without Puzzles?". If so, is this the intent:
The exchange Responder SHOULD NOT request a IKEv2 Cookie without a Puzzle,
unless mitigation against only TCP Sequence Number attacks is desired?
** Section 7.3. Typo. s/change change/change/
** Section 7.6
... TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520]
may be used
Should this be "... MAY be used"?
** Section 7.7. Editorial. s/Besides, TCP encapsulation/TCP encapsulation/
** Section 8.3. Typo. s/incative/inactive/
** Section 8.4.
This document makes the following recommendation: if support for High
Availability in IKEv2 is negotiated and TCP transport is used, a
client that is a TCP Originator SHOULD periodically send IKEv2
messages (e.g. by initiating liveness check exchange) whenever there
is no IKEv2 or ESP traffic. This differs from the recommendations
given in Section 2.4 of [RFC7296] in the following: the liveness
check should be periodically performed even if the client has nothing
to send over ESP. The frequency of sending such messages should be
high enough to allow quick detection and restoring of broken TCP
connection.
-- Due to the change in behavior being suggested to RFC7296, did the WG discuss
this document formally updating it (RFC7296)?
-- Consider using a more precise term that "TCP Originator"
** Appendix A. Would there be a reason not to reference a recommended
conformance to RFC7525 or draft-ietf-uta-rfc7525bis for TLS connections?
Regards,
Roman
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
