Somewhat substantial:

- Section 3.13.1: the paragraph about Mobility Header is very confusing; suggested rephrasing:

  "Traffic selectors can use IP Protocol ID 135 to match the IPv6
  mobility header [MIPV6]. As specified in [IPSECARCH], the IPv6
  mobility header (MH) message type is placed in the most significant
  eight bits of the 16-bit local port selector. The direction semantics
  of TSi/TSr port fields are the same as for ICMP."

- Section 3.*: should we omit the UNSPECIFIED values? They don't really help the reader here...

- Overall: The document uses 192.0.1.0/24 in examples (in addition to the official 192.0.2.0/24 documentation block). Back in RFC 4306/4718 times, we didn't have much of a choice, but now draft-iana-ipv4-examples (already approved) provides two additional blocks. Suggest replacing "192.0.1" -> "198.51.100".

- Appendix C.5: brackets should be removed from [KEi]/[KEr].

- Section 1.7: suggest mentioning the new notifications explicitly; i.e., rephrase the last paragraph as "Section 2.25 was added to explain how to act when there are timing collisions when deleting and/or rekeying SAs, and two new error notifications (TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND) were defined."

- Section 1.7: suggest adding "This document requires doing a Diffie-Hellman exchange when rekeying the IKE_SA. In theory, RFC 4306 allowed a policy where the Diffie-Hellman exchange was optional; this was not useful (or appropriate) when rekeying the IKE_SA."

Editorial suggestions:

- Section 3.1: "The bits are defined LSB first, so bit 0 would be the least significant bit of the Flags octet." This seems to be exactly the opposite of the bit numbering used in the figure above, which sounds confusing. Instead of using numbers, we should just show a diagram?

     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |X X|R|V|I|X X X|
    +-+-+-+-+-+-+-+-+

- Section 3.1: the text about the critical bit should have a pointer to Section 2.5.

- Section 3.3.6: suggest removing the last paragraph (the INVALID_KE_PAYLOAD case is already well described in 1.2 and 2.7, and there's no need to repeat it here).

- Section 3.4, 2nd-to-last paragraph: suggest adding a pointer to Sections 1.2 and 2.7.

- Section 3.10.1: there's one "{{ Demoted the SHOULD }}" that should be removed.

- Section 3.10.1: the list should contain CHILD_SA_NOT_FOUND and TEMPORARY_FAILURE.

- Section 3.15.1: the table column header should be "Multi-Valued" (like it is in RFC 4306) instead of "Valued".

- Section 3.5: "MUST not" -> "MUST NOT" (twice).

- Section 1.6: the spelling in the 2nd paragraph isn't exactly what RFC 2119 has (and this causes idnits to complain).

- From idnits: Duplicate reference: RFC4291, mentioned in 'IPV6ADDR', was also mentioned in 'ADDRIPV6'.

- Appendix D: can be removed, since the changes from RFC 4306 are now in Section 1.7.

Best regards,
Pasi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
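Two of the review points above are about on-the-wire encoding that is easy to get wrong: the Section 3.13.1 comment (the Mobility Header message type sits in the most significant eight bits of the 16-bit "port" selector, with IP Protocol ID 135) and the Section 3.1 comment (LSB-first bit numbering of the Flags octet). The following Python is an added example written for this page, not text or code from the draft, the reviewer, or any IKEv2 implementation. It serializes and parses the IKEv2 Traffic Selector substructure (TS Type, IP Protocol ID, Selector Length, Start/End Port, Starting/Ending Address) and the Flags octet. The choice to leave the low octet of the MH "port" zero, the helper names, and the sample addresses (2001:db8::/32 and 198.51.100.0/24 documentation ranges) are this example's assumptions.

```python
"""IKEv2 encoding helpers for two review points above: a Traffic Selector
for the IPv6 Mobility Header (Section 3.13.1) and the IKE header Flags
octet (Section 3.1).  Example code written for this page, not from the
draft or any implementation."""
import ipaddress
import struct

# Traffic Selector types and IP protocol IDs (IANA values).
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
IPPROTO_ICMP = 1
IPPROTO_ICMPV6 = 58
IPPROTO_MH = 135          # IPv6 Mobility Header [MIPV6]
MH_BINDING_UPDATE = 5     # MH message type value for a Binding Update

# IKE header Flags octet.  The draft numbers bits LSB-first (bit 0 is the
# least significant bit); drawn MSB-on-the-left that is |X X|R|V|I|X X X|,
# which gives these masks.
FLAG_I = 0x08   # bit 3: Initiator
FLAG_V = 0x10   # bit 4: Version
FLAG_R = 0x20   # bit 5: Response


def mh_port_selector(mh_type):
    """MH message type in the most significant 8 bits of the 16-bit 'port'.
    The low octet is left zero here; that is this example's choice, the
    draft only fixes where the type goes."""
    if not 0 <= mh_type <= 0xFF:
        raise ValueError("MH type must fit in one octet")
    return mh_type << 8


def icmp_port_selector(icmp_type, icmp_code):
    """ICMP type/code are treated as one 16-bit 'port', type in the high octet."""
    if not (0 <= icmp_type <= 0xFF and 0 <= icmp_code <= 0xFF):
        raise ValueError("ICMP type and code must each fit in one octet")
    return (icmp_type << 8) | icmp_code


def encode_traffic_selector(proto, start_port, end_port, start_addr, end_addr):
    """Serialize one Traffic Selector substructure, network byte order:
    TS Type | IP Protocol ID | Selector Length | Start Port | End Port |
    Starting Address | Ending Address."""
    start = ipaddress.ip_address(start_addr)
    end = ipaddress.ip_address(end_addr)
    if start.version != end.version or int(start) > int(end):
        raise ValueError("address range must be one family with start <= end")
    if start_port > end_port:
        raise ValueError("port range must have start <= end")
    ts_type = TS_IPV6_ADDR_RANGE if start.version == 6 else TS_IPV4_ADDR_RANGE
    length = 8 + 2 * len(start.packed)          # 16 for IPv4, 40 for IPv6
    header = struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port)
    return header + start.packed + end.packed


def decode_traffic_selector(data):
    """Parse one Traffic Selector substructure, checking the Selector Length
    field against the address size implied by TS Type before slicing."""
    if len(data) < 8:
        raise ValueError("truncated traffic selector")
    ts_type, proto, length, start_port, end_port = struct.unpack("!BBHHH", data[:8])
    addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
    if addr_len is None:
        raise ValueError("unsupported TS Type %d" % ts_type)
    if length != 8 + 2 * addr_len or len(data) < length:
        raise ValueError("selector length does not match TS Type")
    start = ipaddress.ip_address(data[8:8 + addr_len])
    end = ipaddress.ip_address(data[8 + addr_len:length])
    return {"ts_type": ts_type, "proto": proto, "start_port": start_port,
            "end_port": end_port, "start": start, "end": end}


def mh_type_range(ts):
    """Recover the MH message type range from a decoded protocol-135 selector."""
    if ts["proto"] != IPPROTO_MH:
        raise ValueError("not a Mobility Header selector")
    return ts["start_port"] >> 8, ts["end_port"] >> 8


def encode_flags(initiator=False, version=False, response=False):
    """Build the Flags octet; reserved bits are sent as zero."""
    return ((FLAG_I if initiator else 0) | (FLAG_V if version else 0)
            | (FLAG_R if response else 0))


def decode_flags(octet):
    """Read I/V/R only; reserved bits are ignored on receipt."""
    return {"I": bool(octet & FLAG_I), "V": bool(octet & FLAG_V),
            "R": bool(octet & FLAG_R)}


if __name__ == "__main__":
    # Constructed sample: match Binding Update messages to one documentation
    # address, as the rephrased 3.13.1 paragraph describes.
    port = mh_port_selector(MH_BINDING_UPDATE)
    ts = encode_traffic_selector(IPPROTO_MH, port, port, "2001:db8::1", "2001:db8::1")
    print(ts.hex(), mh_type_range(decode_traffic_selector(ts)))
    print(hex(encode_flags(initiator=True, response=True)))
```

The decoder refuses a selector whose Selector Length disagrees with its TS Type rather than trusting the length field, which is the check a parser of peer-supplied TS payloads needs before slicing addresses out of the buffer.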