
[CGA-EXT] Comments on draft-dong-esp-sa-cga-00



Hi, Zhang Dong,
I read draft-dong-esp-sa-cga-00 and find it gives an interesting idea. I have a few questions and comments:
 
#1.
The incentive of the draft is to provide an alternate way to negotiate ESP SAs; it will be helpful if more merits of this new approach can be discussed, especially compared with IKEv2.
 
#2.
I noticed that IKE and IKEv2 were used alternately in the draft, and some sentences like "CGA-SA MAY be used in all the scenarios where IKE is available. The usage scenarios of IKE are stated in [RFC4306]." are confusing. It will be good if you clarify which one you are talking about, or both.
 
#3
The draft did not tell what contents will be protected by the CGA signature. I also went to check section 3.3 (CGA Signature) of draft-dong-savi-cga-header-01, and I did not find the signature coverage there either. Maybe I missed something?

#4
I notice that Cert is optional in the message exchange, since it is in brackets. Does it mean that Certs are not REQUIRED in your trust model?
When [CERT] is carried, is it the chain of all certificates on the trust path or just a single Cert?
Also, I did not see which option will carry the Cert.

#5
What if the message size exceeds the IPv6 MTU? For example, when carrying a certificate.
 
 
Best,
 
Sean