Hi Deb,
thank you for your review.
Thanks to Valery for writing this draft, apologies for the delay. I was hoping
to beat the I-D submission cutoff, but I didn't make it.
I did spend some time mapping out the differences in how the key development
works in all three versions: RFC 7296, RFC8784 and this draft. They are
related, but different in all three places. I think I see why it is done the
way it is, including a way to rekey the SA without tearing down the whole
connection. [I'm happy take comments from those whose crypt background is less
rusty than my own.]
Glad to hear this, thank you [and I’m happy to take any comments on
this too].
Specific comments: We might need to work on these a bit. Most are readability
comments.
Abstract, para 2: Remove the word 'Besides,'. Last sentence, change to, 'This
specification defines a way to use PPKs in active IVKv2 SAs for creating
additional IPsec SAs and rekey operations. (I'm not sure how much this helps,
it is pretty awkward.)
Done.
Introduction, para 1, sentence 2, 4, last phrase: add/change some text to make
it flow better, 'An extension...', 'post-quantum security is defined', 'IPsec
traffic that mostly needs protecting, (albeit it wouldn't provide protection of
the identity of the peers).
Done. I also split the 2nd sentence into two:
An extension to IKEv2 for mixing preshared keys for post-
quantum security is defined in [RFC8784]. This extension allows
today's IPsec traffic to be protected against future quantum
computers.
Introduction, para 3, QKD sentence: 'for example via the use of Quantum Key
Distribution (QKD).
Done.
Section 3.1.1, para 2, first sentence: I don't understand this sentence,
'computed differently compared to use PPKs'... maybe 'computed differently to
how PPKs are used in IKE_AUTH', but I'm not sure.
Yes, this was an intended meaning. I changed to the proposed text.
Thank you.
Section 3.2, para 1: 'peers MAY use this PPK' to 'peers MAY use this fresh
PPK'.
Done.
Section 3.2, Figure 2: What is 'Nir'? Maybe a typo for 'Nr'? Or something
else.
Your guess is correct, this is a typo, it must be Nr. Fixed.
Thank you for very careful reading!
Appendix A, last paragraph: 'PPK stuff', maybe 'PPK messages'?
I would use what William proposed in another message: “the PPK related
payloads”.
General: There are a handful of pointers back to the g-ikev2 draft. Just be
sure that the naming that was changed late in the process has made it into this
draft. For example, GSA_AUTH - I don't remember if that was new, old, or
unchanged.
No, the G-IKEv2 related names used in this draft, - GSA_AUTH and
GSA_REGISTRATION, did not change. They remain the same for 15 years since the
initial version of G-IKEv2 J.
Once the I-D submission is open again, I’ll publish a new version.
Regards,
Valery.
Deb
_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org
