I've now done my AD review for the heuristics draft. Mostly the draft looks good, and all my comments are relatively minor. Least-minor first:
- Appendix A.1: The pseudocode has a couple of places where it says "Drop invalid packet"; it seems these are wrong when the packet is UDP encapsulated (this could still be perfectly valid UDP traffic, just something else than ESP).
- Section 8.1: AUTH_HMAC_MD5_128 and AUTH_HMAC_SHA1_160 are not defined for IPsec ESP; these algorithms apply only to the FiberChannel security protocols. So they should be removed from this list (and since this was the only algorithm with 160-bit ICV, handling that case can be removed).
- Section 8.1: AUTH_AES_128/192/256_GMAC cannot be used in ESP, only in AH; for ESP, the relevant algorithm is ENCR_NULL_AUTH_AES_GMAC.
- Appendix A.1: shouldn't we also have tests for WESP here?
  "If IP protocol is WESP, process as described in [traffic-visibility]"
  "If first 4 bytes of UDP packet are 0x00000002, process as.. "
  (the details of WESP don't belong there, though, and a pointer would be quite sufficient IMHO)
- Appendix A.2, "Verify TCP": the bits that are currently reserved might get allocated in the future (and half of the bits that were reserved in RFC 793 have been since allocated -- so it's not very clear exactly what "TCP.reserved_bits" means).
- The document doesn't cover RSA authentication in ESP (RFC 4359). I guess this isn't really very relevant for environments where the heuristics might be used, so perhaps a sentence saying this is beyond the scope of this document would be sufficient.
- Section 2.1, suggesting that AH might have more bugs doesn't sound like an argument that belongs in this document.
- Section 2.3: the discussion about IPv6 and NATs does not belong in this document.
- Section 3, 2nd para: "state of the flows" -> "... IPsec flows"

Best regards,
Pasi