Re: [CGA-EXT] Comments on draft-dong-esp-sa-cga-00
Hi Sean,
Thank you for your questions and comments.
Please see below.
> #1.
> The incentive of the draft is to provide an alternate way to negotiate
> ESP SA; it will be helpful if more merits of this new approach can be
> discussed, especially compared with IKEv2.
[Dong] Ok, I will consider it and add this part in the following version.
> #2.
> I noticed that IKE and IKEv2 were used alternately in the draft, and
> some sentences like "CGA-SA MAY be used in all the scenarios where IKE is
> available. The usage scenarios of IKE are stated in [RFC4306]." are
> confusing. It will be good if you clarify which one you are talking
> about, or both.
[Dong] Yes, this problem will be revised.
>
> #3
> The draft did not tell what contents will be protected by CGA signature.
> Also I go to check section 3.3 (CGA Signature) of
> draft-dong-savi-cga-header-01, I did not find the signature coverage
> either.
> Maybe I missed something?
[Dong] Hmm, in the draft, there is no statement about this question. IMHO, signature coverage may be the whole packet. Is that ok?
> #4
> I notice that Cert is optional in message exchange since they are in
> brackets. Does it mean that Certs are not REQUIRED in your trust model?
> When [CERT] is carried, is it the chain of all certificates on the trust
> path or just a single Cert?
> Also I did not see which option will carry Cert.
[Dong] Yes, the CERT is not required in my approach. I just intend to put it here for future use. But how to use the CERT may need further consideration.
>
> #5
> What if the message size exceeds the IPv6 MTU? For example, when carrying
> a certificate.
[Dong] The CERT is a reservation temporarily. Then I feel that this problem could not be a big deal. Right?
Thanks.
Best Regards.
Dong Zhang
Huaweisymantec Technologies Co., Ltd