An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
draft-nir-ipsecme-erx-11

Yes

(Barry Leiba)
(Sean Turner)

No Objection

(Adrian Farrel)
(Benoît Claise)
(Gonzalo Camarillo)
(Martin Stiemerling)
(Robert Sparks)
(Ron Bonica)
(Russ Housley)
(Stephen Farrell)
(Stewart Bryant)
(Wesley Eddy)

Note: This ballot was opened for revision 09 and is now closed.

Barry Leiba, Former IESG member
Yes (for -09)

Sean Turner, Former IESG member
Yes (for -09)

Adrian Farrel, Former IESG member
No Objection (for -09)

Benoît Claise, Former IESG member
No Objection (for -09)

Brian Haberman, Former IESG member
No Objection (2012-12-13 for -09)
I support Ralph's DISCUSS point.

Gonzalo Camarillo, Former IESG member
No Objection (for -09)

Martin Stiemerling, Former IESG member
No Objection (for -09)

Pete Resnick, Former IESG member
No Objection (2012-12-09 for -09)
Not my area of expertise, so I'm going to simply not object on the document itself. However, please take a look at the below and fix.

There are 6 occurrences of MUST per 2119. 5 of them seem obviously wrong:

Section 3:

   The IDi payload MUST have ID Type ID_RFC822_ADDR and the data field
   MUST contain the same value as the KeyName-NAI TLV in the
   EAP_Initiate/Re-auth message.
   
Section 4:

   o  Protocol ID (1 octet) MUST be zero, as this message is related to
      an IKE SA.
   o  SPI Size (1 octet) MUST be zero, in conformance with section 3.10
      of RFC 5996.
   o  ERX Notify Message Type (2 octets) - MUST be xxxxx, the value
      assigned for ERX.  TBA by IANA.

Ask yourself in each case: What would happen if an implementation chose not to do what you say is something that they MUST do? If the answer is, "They wouldn't be implementing the protocol", then the MUST is not being used correctly; you should instead use "will". If the answer is, "They would be implementing the protocol if they did something different, but they fail to interoperate", then the MUST would be correct. In each of the 5 cases above, I cannot figure out how the MUST is justified.

The only other MUST is in section 3.1:

   Section 3.16 of RFC 5996 enumerates the EAP codes in EAP messages
   which are carried in EAP payloads.  The enumeration goes only to 4.
   It is not clear whether that list is supposed to be exhaustive or
   not.

   To clarify, an implementation conforming to this specification MUST
   accept and transmit EAP messages with at least the codes for Initiate
   and Finish (5 and 6) from RFC 6696, in addition to the four codes
   enumerated in RFC 5996.

Here, the MUST would be appropriate if you are changing 5996, but if so, you have worded this poorly: Change "an implementation conforming to this specification" to "an implementation of IKEv2". You are saying that *any* IKEv2 EAP implementation MUST handle all 6. If you are not saying that, then the MUST is wrong and should be changed to "will".
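As an added illustration of the two payload rules quoted from the draft in the comment above (this is example code written for this page, not code from the ballot, the draft, or any IKEv2 implementation), the following Python encodes an ERX Notify payload and an IDi payload and checks a received copy against the quoted constraints. Payload layouts follow RFC 5996 sections 3.2, 3.5 and 3.10. Assumptions: the draft leaves the ERX notify type "TBA by IANA", so `ERX_NOTIFY_TYPE` here is a private-use stand-in rather than the assigned number, and the NAI `alice@example.com` is a constructed sample standing in for the KeyName-NAI carried in EAP_Initiate/Re-auth.

```python
"""Encode and check the IKEv2 Notify and IDi payloads described for ERX.

Example code for this page, not from the draft or an IKEv2 stack. Layouts
follow RFC 5996 (generic payload header, section 3.2; ID payload, section
3.5; Notify payload, section 3.10).
"""
import struct

# Next Payload values, RFC 5996 section 3.2.
NO_NEXT_PAYLOAD = 0
PAYLOAD_IDI = 35
PAYLOAD_NOTIFY = 41

# ID Type, RFC 5996 section 3.5.
ID_RFC822_ADDR = 3

# Assumption: the draft leaves the ERX notify type TBA by IANA. 40960 is the
# first private-use status type in RFC 5996, used here only as a stand-in.
ERX_NOTIFY_TYPE = 40960


def _generic_header(next_payload: int, body_len: int) -> bytes:
    # Next Payload (1), Critical bit + RESERVED (1), Payload Length (2).
    return struct.pack("!BBH", next_payload, 0, 4 + body_len)


def encode_notify(msg_type: int, protocol_id: int = 0, spi: bytes = b"",
                  data: bytes = b"", next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    # Protocol ID (1), SPI Size (1), Notify Message Type (2), SPI, Data.
    body = struct.pack("!BBH", protocol_id, len(spi), msg_type) + spi + data
    return _generic_header(next_payload, len(body)) + body


def encode_idi(nai: str, next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    # ID Type (1), RESERVED (3), Identification Data.
    body = struct.pack("!B3x", ID_RFC822_ADDR) + nai.encode("ascii")
    return _generic_header(next_payload, len(body)) + body


def parse_notify(buf: bytes) -> dict:
    next_payload, _crit, length = struct.unpack_from("!BBH", buf, 0)
    if length < 8 or length > len(buf):
        raise ValueError("bad Notify payload length")
    protocol_id, spi_size, msg_type = struct.unpack_from("!BBH", buf, 4)
    if 8 + spi_size > length:
        raise ValueError("SPI runs past the end of the payload")
    return {
        "next_payload": next_payload,
        "protocol_id": protocol_id,
        "spi_size": spi_size,
        "msg_type": msg_type,
        "spi": buf[8:8 + spi_size],
        "data": buf[8 + spi_size:length],
    }


def parse_id(buf: bytes) -> dict:
    _next, _crit, length = struct.unpack_from("!BBH", buf, 0)
    if length < 8 or length > len(buf):
        raise ValueError("bad ID payload length")
    (id_type,) = struct.unpack_from("!B", buf, 4)
    return {"id_type": id_type, "data": buf[8:length]}


def check_erx_notify(buf: bytes) -> list:
    """List the ways a received Notify deviates from the quoted ERX rules."""
    n = parse_notify(buf)
    problems = []
    if n["msg_type"] != ERX_NOTIFY_TYPE:
        problems.append("not the ERX notify type")
    if n["protocol_id"] != 0:
        problems.append("Protocol ID must be 0 for an IKE SA notification")
    if n["spi_size"] != 0:
        problems.append("SPI Size must be 0 (RFC 5996 section 3.10)")
    return problems


def check_idi_for_erx(buf: bytes, keyname_nai: str) -> list:
    """List the ways a received IDi deviates from the KeyName-NAI rule."""
    i = parse_id(buf)
    problems = []
    if i["id_type"] != ID_RFC822_ADDR:
        problems.append("IDi type is not ID_RFC822_ADDR")
    if i["data"] != keyname_nai.encode("ascii"):
        problems.append("IDi does not match the KeyName-NAI TLV")
    return problems


if __name__ == "__main__":
    # Constructed sample NAI, standing in for the KeyName-NAI from EAP_Initiate/Re-auth.
    nai = "alice@example.com"
    print(check_erx_notify(encode_notify(ERX_NOTIFY_TYPE)))
    print(check_idi_for_erx(encode_idi(nai), nai))
    # A peer that sends a 4-octet SPI anyway still parses, but fails the check.
    print(check_erx_notify(encode_notify(ERX_NOTIFY_TYPE, spi=b"\x00\x00\x00\x01")))
```

The two checkers are the receiver's side of the question the comment raises: a Notify with a nonzero SPI Size or a non-zero Protocol ID is still syntactically parseable under RFC 5996, so whether to reject it is a conformance decision the specification has to make explicit.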

Ralph Droms, Former IESG member
(was Discuss) No Objection (2012-12-20)
I see that the document no longer updates RFC 5996, so I've cleared...

Robert Sparks, Former IESG member
No Objection (for -09)

Ron Bonica, Former IESG member
No Objection (for -09)

Russ Housley, Former IESG member
No Objection (for -09)

Stephen Farrell, Former IESG member
No Objection (for -09)

Stewart Bryant, Former IESG member
No Objection (for -09)

Wesley Eddy, Former IESG member
No Objection (for -09)