Re: [bmwg] draft-ietf-bmwg-ipsec-term-03.txt



> Brooks,
>
> I have been reading over the IPSec Terminology document and have a few
> comments/suggestions. I am by no means an expert on IPSec, so if I am
> mistaken on any of the items below, please let me know.

Thanks for taking the time to read through it!

> 7.7.1 IKE Tunnel
> Definition:
> One simplex Phase 1 IKE SA
>
> The definition states "One simplex Phase 1 IKE SA". I thought that Phase 1
> tunnels are always bi-directional. The term "simplex" in the definition
> implies one direction. Would suggest removing the word simplex from the
> definition.

You have a point! What we meant to say is that the IKE SA is set up from one node to another in a simplex fashion but that it allows bidirectional communication.

We'll change it to 'One Phase 1 IKE SA which allows bidirectional control plane communications between two IPSEC devices.'

> 7.7.3 Tunnel
> Issues: If only a single Phase 2 SA or more than two Phase 2 SA's have been
> negotiated through a single IKE Tunnel, then this specific ratio must be
> mentioned and the term 'Tunnel' MUST NOT be used in this context.
>
> If I am not mistaken, I believe the verbiage is to cover the case where
> anything other than one IPSec Tunnel is configured for each direction.

That is correct.

> If so, what if I have two Phase 2 SA's configured in the same direction? I
> could use the term "Tunnel" in this case. Also, should the first occurrence
> of "must" in the sentence be upper case or lower case? Suggest something
> along the lines of:
>
> "If other than a single Phase 2 SA, for each direction, have been negotiated
> through a single IKE Tunnel, then this specific ratio MUST be mentioned and
> the term 'Tunnel' MUST NOT be used in this context."

Yes, we have to be slightly more specific that this is about SA's negotiated for EACH direction. And your verbiage is much more to the point. We'll replace it.

> 7.7.3 Active Tunnel
> Definition:
> A tunnel that has completed Phase 1 and Phase 2 SA negotiations and is
> transmitting data.
>
> Suggest:
> "A tunnel that has completed Phase 1 and Phase 2 SA negotiations and is
> forwarding data."

Agreed, we'll incorporate that suggestion!

> 10.3.2 IPSec Tunnel Encryption Frame Loss Rate
> 10.3.3 IPSec Tunnel Decryption Frame Loss Rate
>
> Both the definition and unit of measurement in sections 10.3.2 and 10.3.3
> are terms of a percentage, not a rate. The unit of measurement is not "n
> packets/second". While I realize that this is basically carrying over the
> term defined in RFC1242 (Section 3.6), I think that the rate should be
> dropped from the term in both cases.

Again, I agree. We'll drop the 'rate' and set the measurement units in % dropped of offered frames.

> In addition, were there any plans to add tunnel (Phase 1 and Phase 2)
> establishment time to the terminology document?

If you're asking about tunnel setup rates (which is the inverse of a tunnel setup/establishment time), then it is already available in the terminology document. If the question is whether we intend to complete the blanks in those definitions, then the answer is yes!

> Thanks,
> Tim-


_______________________________________________
bmwg mailing list
bmwg@ietf.org
https://www1.ietf.org/mailman/listinfo/bmwg