Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3
RFC 7146

Note: This ballot was opened for revision 03 and is now closed.

(Martin Stiemerling) Yes

(Jari Arkko) No Objection

(Richard Barnes) No Objection

(Stewart Bryant) No Objection

(Spencer Dawkins) No Objection

Comment (2013-08-26 for -03)
I think the resolutions David and Tom Yu arrived at while chatting about Tom's SECDIR review are helpful and support them being in the RFC.

(Adrian Farrel) No Objection

(Brian Haberman) No Objection

(Joel Jaeggli) No Objection

Comment (2013-08-27 for -03)
Given the breadth of the changes, I'm not sure why this document doesn't simply obsolete 3723, supplanting it with 3723 text+updates, rather than simply enumerating the changes.

Barry Leiba No Objection

Comment (2013-08-26 for -03)
This has to be a record for the length of an "updates" list.  Nice!

(Pete Resnick) No Objection

Comment (2013-08-28 for -03)
I want to reiterate and amplify Joel's comment: I think it would be better in the end to re-publish 3723 with these changes and obsolete it rather than doing this as an update. I hate for our tools to drive these sorts of decisions, but if you obsolete 3723 with a new document, the next time someone tries to refer to 3723, the nits tool will say, "Hey, that's obsoleted; do you want to refer to the newer one?" That won't happen if it's just an update. You still want to update all of the docs that normatively refer to the IPsec stuff in 3723, but obsoleting 3723 would be better. Please consider it.

(Sean Turner) (was Discuss) No Objection

Comment (2013-08-27)
Like Spencer, I'd like to see the changes agreed by Tom and David to be incorporated, but I trust that the responsible AD will ensure that gets done so no need for me to hold a discuss on it.

s2.2: I think you need to add normative references to [RFC3602] for AES-128-CBC:

OLD:

 AES in CBC mode MUST be implemented.  AES CBC implementations
 MUST support 128-bit keys and MAY support other key sizes.

NEW:

 AES in CBC mode MUST be implemented [RFC3602].  AES CBC
 implementations MUST support 128-bit keys and MAY support
 other key sizes.

s2.2: r/implement" requirement) ./implement" requirement).
s2.2: r/AES in Counter mode MAY/AES in Counter mode (AES CTR) MAY

s3: Maybe with more teeth:

OLD:

 Use of 1024 bit D-H groups with 3DES CBC and HMAC-
 SHA1 is no longer recommended,

NEW:

 Use of 1024 bit D-H groups with 3DES CBC and HMAC-
 SHA1 is NOT RECOMMENDED,
 
s3: r/use of IPsec v3 is recommended./use of IPsec v3 is RECOMMENDED.  ?

s3.1: Is it worth mentioning the OCSP extension mechanism to check the validity of the certificates?