Dear Robert, Thank you very much for your review. > Issues: > The pseudo-header is IPv4-centric. The diagram in Section 4.1 shows 16-octet addresses, and so, if anything, it is IPv6-centric. I may be missing something, but I don't see any place where we're assuming IPv4. (The intent, of course, is that the pseudo-header is address-family independent -- the diagram shows 16-octet addresses, but we've been careful to avoid mentioning address families in the body text. If you have any advice about how to improve that, we're listening.) > The protocol allows for multiple HMAC algorithms, but has no mechanism for > signaling which one was used. This is the case, and it is the intent -- checking algorithm availability is done at key provisioning time. > The MUST NOT at the top of page 8 will need to be adjusted after that's > worked out. Discussion of what to do at a verifying peer that doesn't > implement a chosen algorithm is also needed. I don't understand. The first point of Section 4.3 looks clear to me -- a node doesn't compute an HMAC for every HMAC TLV it receives, it computes an HMAC for every key it has been provisioned with. Obviously, it knows the algorithm of every key it has been provisioned with (else it would have failed at configuration time), and hence there is no issue computing all required HMACs. Am I missing something? Do you have any suggestions about how to make that clearer? > Nits: > The claim in 1.1 about not requiring persistent storage is contradicted > by the definition of the protocol. At the very least, there is the need > to persist the most recent (index,PC) seen. A node is allowed to lose its state at any time, at the cost of one RTT worth of lost packets (it will need to issue a new challenge to every peer). In particular, it need not persist its state across reboots. You're right, though, that while this is reasonably clear in the Conceptual Overview section ("Consider a peer A that has no information about a pair B (e.g., because it has recently rebooted)"), we need to put an explicit "MAY discard its state at any time" in the normative part. > The third bullet at the top of page 4 (among different nodes) has its actors > confused. As stated, communication between A and C is irrelevant to the > communication between B and C. I have double-checked, and I believe the property is correct as stated. > It would be worth building an example of bootstrapping the protocol between > two peers that have no previous knowledge of each other. We've tried to do that in Section 2: In this situation, A discards the packet and challenges B to prove that it knows the HMAC key. It sends a "challenge request", a TLV containing a unique nonce, a value that has never been used before and will never be used again. B replies to the challenge request with a "challenge reply", a TLV containing a copy of the nonce chosen by A, in a packet protected by HMAC and containing the new value of B's PC. If you have any advice about how to improve this section, we're listening. > It's concerning to see a document (even a 00) whose point is to secure a > protocol have no discussion at all in the Security Considerations section. While we've done our best to describe the claimed security properties of the protocol in Section 1.2, we still need to write up the Security Considerations section. We'll do that as soon as we can spend some time together with my co-authors. Thanks again for your work, -- Juliusz