Re: [secdir] secdir review of draft-ietf-msec-gdoi-update

Hi Sam,

Thanks for your review.

Your first comment is pointing out a typo (groupkey-pull should be groupkey-push), which I've fixed.

The anti-replay description in Section 3.3 should not say that the push message sequence number will be reset to 1. Text earlier in this section says that the SEQ payload carries the next expected sequence number, and so when the KEK is installed that is the number that should be installed. I've adjusted the text to say this: "If this group has a KEK, the KEK policy and keys are marked as ready for use and the GM knows to expect a sequence number not less than the one distributed in the SEQ payload." Let me know if that change sufficiently clears up the confusion.

Thanks,
Brian

On Aug 1, 2011, at 9:51 AM, Sam Hartman wrote:

> 
> This update to the GDOI specification significantly improves clarity and
> readability.
> However, there is one issue that I think should be addressed prior to
> publication:
> 
> 
> At the top of page 11, the spec claims that a seq payload protects
> against group members responding to groupkey-pull messages sent prior to
> joining the group.
> I'm reasonably sure that should be groupkey-push messages; I believe the
> nonce payloads provide replay protection for the pull exchange.
> 
> Actually, it's more complicated than that.  Section 3.3 also seems to
> believe the sequence number is about pull exchanges. However it says
> that a GM should always expect the push message sequence number to be
> reset to 1.
> Why is that reasonable? If a group is ongoing, don't we want to tell new
> members what the sequence number currently is rather than having them
> assume it is 1? The push message is multicast, so we cannot maintain a
> separate sequence number for each member.
> 
> I think either there is some sort of error with the description of the
> replay mechanisms or it requires significantly more explanation.
> _______________________________________________
> secdir mailing list
> secdir@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview


-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@xxxxxxxxx
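The anti-replay rule Brian settles on, as an added toy model (not code from the draft or from either poster): a GM installs the SEQ payload value as the next expected groupkey-push sequence number and rejects anything below it. It assumes, as the thread does, that push sequence numbers only increase; the function and class names are hypothetical.

```python
"""Toy model of the GM-side anti-replay check discussed above (added example,
not code from the draft).  Assumes, per the thread, that the SEQ payload in
the groupkey-pull exchange carries the next sequence number the GM should
expect on groupkey-push messages, and that push sequence numbers only grow."""

from dataclasses import dataclass


@dataclass
class KekState:
    """Installed KEK policy plus the replay state for this group (hypothetical)."""
    expected_seq: int  # lowest push sequence number still acceptable


def install_kek(seq_payload: int) -> KekState:
    """Install a KEK after groupkey-pull: the SEQ payload value becomes the
    next expected push sequence number (the corrected wording in the reply)."""
    return KekState(expected_seq=seq_payload)


def install_kek_reset_to_one() -> KekState:
    """The earlier, incorrect wording: always start expecting sequence number 1."""
    return KekState(expected_seq=1)


def accept_push(state: KekState, seq: int) -> bool:
    """Anti-replay check for one received groupkey-push message.

    Accept only if seq is not less than the expected value, then move the
    expectation past it so a later copy of the same message is rejected."""
    if seq < state.expected_seq:
        return False
    state.expected_seq = seq + 1
    return True


def replayed_messages_accepted(state: KekState, replays: list[int]) -> list[int]:
    """Replay recorded push sequence numbers at a GM; report which ones it accepts."""
    return [seq for seq in replays if accept_push(state, seq)]


# Constructed scenario: the group has already sent pushes 1..57; a new GM joins
# and the GCKS tells it in the SEQ payload to expect 58.  An old recording of
# pushes 55, 56, 57 is then replayed at the newcomer.
OLD_PUSHES = [55, 56, 57]

if __name__ == "__main__":
    print(replayed_messages_accepted(install_kek(58), OLD_PUSHES))             # []
    print(replayed_messages_accepted(install_kek_reset_to_one(), OLD_PUSHES))  # [55, 56, 57]
```

With the SEQ-payload value installed, the replayed pushes are all rejected; with the "reset to 1" reading, every one of them is accepted, which is the window the reviewer was worried about.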





_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf