Re: [IPsec] Éric Vyncke's Yes on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

Wed, 10 Aug 2022 04:32:27 -0700 

Goedendag Paul, ;-)

Thank you for your reply, Valery has also replied to my comments (and I agree 
with Valery's reply).

Have a look below for EV>

Regards

-éric



On 10/08/2022, 02:40, "Paul Wouters" <p...@nohats.ca> wrote:

    On Tue, 9 Aug 2022, Éric Vyncke via Datatracker wrote:

    > ### Section 3 No AH
    >
    > Even if AH is nearly no more used, I wonder whether there is a reason why 
AH is
    > not supported by this I-D.

    Because we dont wants it :)

EV> I can understand ;-)

    RFC 3948 also only defines ESPinUDP and not AHinUDP.

EV> ack, it does make sense that this I-D does not cover it

    > ### Section 3
    >
    > ```
    >   Although a TCP stream may be able to send very long messages,
    >   implementations SHOULD limit message lengths to typical UDP datagram
    >   ESP payload lengths.
    > ```
    >
    > What is the 'typical' length ?

    slightly under 1500?

EV> or 1280 for IPv6 ? Valery has suggested good text because 'typical' means 
nothing

    > ### Section 5.1
    >
    > `Since UDP is the preferred method of transport for IKE messages,` hem...
    > previous text (and common sense) stated that direct is the preferred 
method.

    Direct is UDP, as UDP is the native IKE transport.

EV> shame on me...

    > ### Section 6.1 what about IP address changes ?
    >
    > ```
    >   Since new TCP connections
    >   may use different ports due to NAT mappings or local port allocations
    >   changing, the TCP Responder MUST allow packets for existing SAs to be
    >   received from new source ports.
    > ```
    > For some NAT devices (or IPv6 nodes w/o NAT but with temporary 
addresses), the
    > IP address could also change. This document should describe what to do in 
this
    > case.

    The IP address cannot just change mid-stream for TCP as it can for UDP.
    It would have to be a new TCP stream and those cases are described in
    the document.

    > Please add that the DF bit is obvioulsy only for IPv4 (Hi, Tommy, I had to
    > insert my mandatory IPv6-related comment ;-) )

    :) Perhaps we can add a comment about NAT for IPv6 not being implemented
    in Linux (or did they finally do it? :)

EV> __ how do you dare ! 
EV> more seriously, Valery's new text is good for me

    Left other items to the actual authors :)

EV> always nice to see an AD interested deeply in an I-D

    Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to