Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

UDP Encapsulation of IPsec ESP Packets
draft-ietf-ipsec-udp-encaps-09

Yes

(Russ Housley)

No Objection

(Alex Zinin)

(Allison Mankin)

(Bert Wijnen)

(Bill Fenner)

(David Kessens)

(Harald Alvestrand)

(Jon Peterson)

(Margaret Cullen)

(Ned Freed)

(Scott Hollenbeck)

(Steven Bellovin)

(Thomas Narten)

Abstain

(Ted Hardie)

Note: This ballot was opened for revision 09 and is now closed.

Russ Housley Former IESG member

Yes

Yes (2003-12-19) Unknown

Comments from Rob Austein:
> 
> 1) some of the weirdest stuff in this doc is due to the attempt to
>    support a mutant form of transport mode.   limiting the goals to
>    tunnel mode would simplify things considerably.
> 
> 2) leaving (1) aside for the moment, margaret is correct about the
>    problems with their checksum handwaving.  unless the encapsulator
>    verifies the checksum, there's nothing to protect packet integrity
>    from originator to encapsulator.  even if the encapsulator does
>    verify the checksum, it's still not end to end anymore, so data is
>    subject to undetectable corruption if the encasulator is broken.
>    basicly, this is the old "stuck bit on the router" problem.
> 
> 3) piggybacking all this on the ike port is pretty sick.
> 
> 4) overall, it sure seems like a minimal thing that just did tunnel
>    mode over udp to a well-known destination port and didn't try to do
>    anything more complicated (well, it might need a nat keepalive
>    probe) would be a lot less problematic.
> 
> maybe all of this is justifiable and it's just not in the doc, but
> color me skeptical.

Alex Zinin Former IESG member

No Objection

No Objection () Unknown

Allison Mankin Former IESG member

No Objection

No Objection () Unknown

Bert Wijnen Former IESG member

(was Discuss) No Objection

No Objection (2003-12-18) Unknown

Comments from OPS DIrectorate (Pekka):

  
- note that some sections like 1, 5, and 10 are indented "properly", 
  a couple of spaces off the left margin.  The rest aren't, and are less 
  readable.  It would be very nice to get this to be coherent.

- may want to use rfc2119 langauge:

  The SPI field in the ESP header must not be zero.

  s/must not/MUST NOT/ ?

- Questions on IANA considerations:

  6. IANA Considerations
                                                
     No IANA assignments are needed.
                                                                                                                                       
     This document depends on the reserved SPI value of zero (0) not
     being sent over the wire as a part of an ESP-packet [RFC 2406].
                                                 
     This document defines a "Non-ESP Marker" as 4 bytes of zero aligning
     with the SPI field of an ESP packet, and generally being followed
     by something that is not an ESP packet.
                                                       
     With regard to NAT-traversal in IKEv1 case, the Non-ESP Marker is
     being followed by an IKEv1 packet as specified in section 2.2.

  what do the last three paragraphs have to do with IANA 
  considerations section?  They're probably useful, but move them 
  somewhere else!

Bill Fenner Former IESG member

No Objection

No Objection (2003-12-18) Unknown

Call me "no further objection" - however, the NAT keepalive time reminds me that we saw (approved? I don't remember) a document that had similar NAT keepalive requirements and suggested some specifics; it may be worth figuring out what we had suggested there to try to be consistent.  Sorry this is vague, I'll try to figure out what I'm remembering.

David Kessens Former IESG member

No Objection

No Objection () Unknown

Harald Alvestrand Former IESG member

No Objection

No Objection (2004-04-01) Unknown

Reviewed by Scott Brim, Gen-ART.

Comments (editorial) to tracker log. Non-blocking.

Jon Peterson Former IESG member

(was Discuss) No Objection

No Objection () Unknown

Margaret Cullen Former IESG member

(was Discuss) No Objection

No Objection () Unknown

Ned Freed Former IESG member

No Objection

No Objection (2003-12-05) Unknown

Nits:

No copyright boilerplate
No IPR boilerplate

Scott Hollenbeck Former IESG member

No Objection

No Objection () Unknown

Steven Bellovin Former IESG member

No Objection

No Objection (2003-12-16) Unknown

Is the v4-only orientation enough of a problem here that we should send this back?

Thomas Narten Former IESG member

(was Discuss) No Objection

No Objection (2003-12-18) Unknown

> The UDP header is a standard [RFC 768] header, where
> - Source Port and Destination Port MUST be the same as used by
>    IKE traffic.
> - Checksum SHOULD be transmitted as a zero value.
> - Receivers MUST NOT depend upon the UDP checksum being
>    a zero value.

UDP checksum can't be 0 in IPv6.

> In addition an implementation MAY fix any contained protocols that
> have been broken by NAT.

Not clear this sentence is really appropriate  here. This is a true
statement for a NAT box for sure, but _this_ document is specifically
about  IKE traversal, not other protocols.

>     Implementors are warned that it is possible for remote peers to
>     negotiate entries that overlap in a GW, an issue affecting tunnel
>     mode.

GW used before defined.

>     It is RECOMMENDED that GW either assign locally unique IP addresses
>     to A and B using a protocol such as DHCP over IPsec, or uses NAT to
>     change A's and B's source IP addresses to such locally unique
>     addresses before sending packets forward to S.

what are A, B and S? (use consistent names)

> </x-flowed>

??

Ted Hardie Former IESG member

(was Discuss) Abstain

Abstain () Unknown

UDP Encapsulation of IPsec ESP Packets draft-ietf-ipsec-udp-encaps-09

UDP Encapsulation of IPsec ESP Packets
draft-ietf-ipsec-udp-encaps-09