Dear Robert,
Thank you very much for your review.
> Issues:
> The pseudo-header is IPv4-centric.
The diagram in Section 4.1 shows 16-octet addresses, and so, if anything,
it is IPv6-centric. I may be missing something, but I don't see any place
where we're assuming IPv4.
(The intent, of course, is that the pseudo-header is address-family
independent -- the diagram shows 16-octet addresses, but we've been
careful to avoid mentioning address families in the body text. If you
have any advice about how to improve that, we're listening.)
> The protocol allows for multiple HMAC algorithms, but has no mechanism for
> signaling which one was used.
This is the case, and it is the intent -- checking algorithm availability
is done at key provisioning time.
> The MUST NOT at the top of page 8 will need to be adjusted after that's
> worked out. Discussion of what to do at a verifying peer that doesn't
> implement a chosen algorithm is also needed.
I don't understand. The first point of Section 4.3 looks clear to me --
a node doesn't compute an HMAC for every HMAC TLV it receives, it computes
an HMAC for every key it has been provisioned with. Obviously, it knows
the algorithm of every key it has been provisioned with (else it would
have failed at configuration time), and hence there is no issue computing
all required HMACs.
Am I missing something? Do you have any suggestions about how to make
that clearer?
> Nits:
> The claim in 1.1 about not requiring persistent storage is contradicted
> by the definition of the protocol. At the very least, there is the need
> to persist the most recent (index,PC) seen.
A node is allowed to lose its state at any time, at the cost of one RTT
worth of lost packets (it will need to issue a new challenge to every
peer). In particular, it need not persist its state across reboots.
You're right, though, that while this is reasonably clear in the
Conceptual Overview section ("Consider a peer A that has no information
about a pair B (e.g., because it has recently rebooted)"), we need to put
an explicit "MAY discard its state at any time" in the normative part.
> The third bullet at the top of page 4 (among different nodes) has its actors
> confused. As stated, communication between A and C is irrelevant to the
> communication between B and C.
I have double-checked, and I believe the property is correct as stated.
> It would be worth building an example of bootstrapping the protocol between
> two peers that have no previous knowledge of each other.
We've tried to do that in Section 2:
In this situation, A discards the packet and challenges B to prove
that it knows the HMAC key. It sends a "challenge request", a TLV
containing a unique nonce, a value that has never been used before
and will never be used again. B replies to the challenge request
with a "challenge reply", a TLV containing a copy of the nonce chosen
by A, in a packet protected by HMAC and containing the new value of
B's PC.
If you have any advice about how to improve this section, we're listening.
> It's concerning to see a document (even a 00) whose point is to secure a
> protocol have no discussion at all in the Security Considerations section.
While we've done our best to describe the claimed security properties of
the protocol in Section 1.2, we still need to write up the Security
Considerations section. We'll do that as soon as we can spend some time
together with my co-authors.
Thanks again for your work,
-- Juliusz
