Issue on Phase 2 handler

_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Re: Issue on Phase 2 handler

On Wed, 2004-12-01 at 04:15, Park Lee wrote:
>   But here, Why should the responder also send an SADB_GETSPI (step 3 > and step 4)? Is it still send the
message to its kernel? Why don't it > use the SPI from the initiator? If the responder get its own SPI, then >
there will be two different SPI between the initiator and responder, > which one will they finally use?

AH/ESP SA's are unidirectional, but IKE establishes them in pairs. 

AH/ESP SPI's are chosen by the receiver.  

With PF_KEY, you thus need to do a getspi on each end to pick the SPI used for traffic to that node.

the getspi invoked by the initiator is used for responder->initiator traffic.

the getspi invoked by the responder is used for initiator->responder traffic.

Tunnel persistance with a MobileNode

_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

3 modes of defining tunnels in SPD.

Hi Dear Experts. 
I have asked this question before but got no answer. So I ask it again because
we can not decide which is correct. 

the question is as follows. 

I am working on a high speed secure router and there is
something that I cant Understand what to do with it.

and that is these mysterious sentences. (I call these
as Case A and Case B )

"  a. use the value in the packet itself -- This will limit use
      of the SA to those packets which have this packet's value
      for the selector even if the selector for the policy entry
      has a range of allowed values or a wild card for this
      selector.
   b. use the value associated with the policy entry -- If this
      were to be just a single value, then there would be no
      difference between (b) and (a).,......"

Imagine a router that is IPSec aware (SG1).

HOST                                                     HOST
C to K=========|1| SG1 |2|=======================SG2 --- M to X
 |               / \                            /          
 |              /   \                          /            
 \-------------/     \------------------------/          

SG1 has two interfaces 1 and 2 .

outbound policy for interface 2 of SG1 says :

--------------------------------------------------------
For any packet from host (C to k) going to host (M to X)
make a tunnel with SG2. USE CASE B
--------------------------------------------------------

This means to use one SA for all traffic traversing from (C - K) TO ( M - X ).
Right?

What about this policy?

--------------------------------------------------------
For any packet from host (C to k) going to host (M to X)
make a tunnel with SG2. USE CASE A
--------------------------------------------------------

What that means? Does it mean to make separate SA's for any source-destination
pair ?
For example one for a packet traversing from C to M and one another for a
packet giong from D to N and one another for a packet going from C to N  ???

If so what is benefit of this ???
__________________________________________________________
__________________________________________________________
Question 2:

Before, I thought that Case A Is not usable in this situation and
this situation should be used with case b. Was Right ?

__________________________________________________________
__________________________________________________________
Question 3:

Can we have such a policy like below for inbound traffic for interface 1 of SG1?

For inbound traffic for interface 1 of SG1 : (this is just one policy record)

--------------------------------------------------------
For any packet from host (C to k) going to host (M to X)
make a tunnel with ITSELF (SOURCE OF Packet).
--------------------------------------------------------

In above policy because we wanted to have one policy for many tunnels
(in this case 9 tunnels each for each host C - K ) and ITSELF means having a
tunnel with source of packet host.

Firstly, having such a policy is logical???
Secondly, does it mean Case A???

____________________________________________________________

Best of regards
Mahdavi. 
--

Initial Contact messages

This is an extended summary of a discussion at the ICSA IPsec Consortia
meetings of December 2, 2004. 

The discussion started concerning the IPSec 2.0 criteria. In it, it was
said that ICSA was going to test that a responder properly dealt with
Initial Contact messages by deleting old SAs with that "identity".

IKEv2-17 says:

        INITIAL_CONTACT                          16384

            This notification asserts that this IKE_SA is the only
            IKE_SA currently active between the authenticated
            identities. It MAY be sent when an IKE_SA is established
            after a crash, and the recipient MAY use this information to
            delete any other IKE_SAs it has to the same *AUTHENTICATED
            IDENTITY* without waiting for a timeout.  This notification
            MUST NOT be sent by an entity that may be replicated (e.g.,
            a roaming user's credentials where the user is allowed to
            connect to the corporate firewall from two remote systems at
            the same time).

(some upcase is mine)

The last sentence in this is pretty much where the conversation lay.

It is difficult for an entity to know if the credentials may be replicated. 
So, to some extent, we assume that it will be difficult in practice to
configure the client correctly here.

A number of people suggested that in fact they would always be ignoring
the IC messages. (Thus the conflict with the ICSA Criteria requirements)

A lot of the discussion dealt with what an *AUTHENTICATED IDENTITY* is.
Particularly in the context of XAUTH users with group-psk.

To understand the reasons, we discussed a number of scenarios. We had
a number of scenarios that we identified. In all cases, we were interested only
in how the responding system should behave.

Below, Ix is the PARENT SA Identity. ID_i.
Note that we consider the 4-tuple of SA/DA, SP/DP because we assume that
there may be NATs in between.

1) a multiuser system H1, creates two parent SAs because it needs to
   authenticate as two different identities.

	+-------+                             +-------+
	|H1   I1|<--------------------------->| I3  H2|
	|     I2|                             |       | 
	+-------+                             +-------+

  We believe that H1 *MAY* send IC on each connection. 
  For this reason it may be that H2 must look at identity *ONLY* when
deciding which old SAs to flush. 4-tuple is not unique.

2) a single user system H1, connecting to a gateway H2, shutting
   down/suspending, and returning on another IP:

   
       .--------.
       | I1  H1 |<------------\		      .-------.
       |        |	       \	      |	      |
       '--------'		------------->|	      |
---- time ----  			      | H2    |
       .--------.             /-------------->|       |
       | I1  H1 |<-----------/  	      |       |
       |        |       		      '-------'
       '--------'				  
                				  
In this case, the 4-tuple is unique, but in addition, the ID being the
same is works to find the appropriate SAs.

3) two single user systems, using XAUTH, having "Group PSK" I1.
   Different user names.

       .--------.
       | I1  H1 |<------------\		      .-------.
       | user1  |	       \	      |	      |
       '--------'		------------->|	      |
                			      | H2    |
       .--------.             /-------------->|       |
       | I1  H2 |<-----------/  	      |       |
       | user2  |       		      '-------'
       '--------'				  

In this case, if H2 combines the 4-tuple with the Ix, then H2 can find
SAs before XAUTH is done. Alternatively, H2 can wait until the XAUTH has
been done before it processes the initial contact. 

4) two single user systems, using XAUTH, having "Group PSK" I1.
   The same user names. This is, for instance, the situation where
   a single person wants their laptop and their PDA to be online.

       .--------.
       | I1  H1 |<------------\		      .-------.
       | user1  |	       \	      |	      |
       '--------'		------------->|	      |
                			      | H2    |
       .--------.             /-------------->|       |
       | I1  H2 |<-----------/  	      |       |
       | user1  |       		      '-------'
       '--------'				  

H2 can determine uniqueness here by combining 4-tuple, ID and username.
Arguably, in this situation IC should not be sent if the IDs are known
to be combined.

{In addition, situation (1) could be combined with any of the other situations}

===== conclusions =====

There are as many as 6 items that may be used to index into the SA table
to do IC processing. There was concern that it may not be possible to
build an index that provides better than linear search given the
differences. 

There was extension discussion that liveness checks (dead peer
detection) will in most cases clean up all stale SAs. There was
discussion about whether it would in fact clean up in all situations.

{Most of these issues are not unique to IKEv2. However, XAUTH usage has
 not generally been useable across vendors in IKEv1. ICSA IPSec 2.0 does
 not test XAUTH in IKEv2 (or IKEv1). }

The suggestion was a heuristic that said that IC processing should be
done by looking up 4-tuple only. If only 2 Parent SAs were found (i.e. the
current one, and 1 old one), then the old one should be purged (with all
of its children).

This permits efficient cleanup for site-to-site VPN configurations where
the end points do not move. It was noted that this is not the situation
where one worries about resource exhaustion --- site-to-site VPNs tend
not to have to scale to the same degree that RoadWarrior ones do.

--

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr <at> xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Re: Initial Contact messages

At 10:42 PM -0700 12/4/04, Michael Richardson wrote:
>There was extension discussion that liveness checks (dead peer
>detection) will in most cases clean up all stale SAs. There was
>discussion about whether it would in fact clean up in all situations.

Whether or not it does is irrelevant to the user unless there is a 
resource-exhaustion issue. If there is such an issue, the 
implementation probably will have other serious problems that cannot 
be found consistently.

>{Most of these issues are not unique to IKEv2. However, XAUTH usage has
>  not generally been useable across vendors in IKEv1.

The issues are relevant regardless of using XAUTH: the are the same 
for the EAP methods in IKEv2.

>The suggestion was a heuristic that said that IC processing should be
>done by looking up 4-tuple only. If only 2 Parent SAs were found (i.e. the
>current one, and 1 old one), then the old one should be purged (with all
>of its children).

That is certainly the reasonable interpretation of the spec, and 
fairly easy to implement.

>This permits efficient cleanup for site-to-site VPN configurations where
>the end points do not move.

Yes, and it also permits efficient cleanup for remote-access users 
who only come in over one transport at a time.

>  It was noted that this is not the situation
>where one worries about resource exhaustion --- site-to-site VPNs tend
>not to have to scale to the same degree that RoadWarrior ones do.

Some remote-access VPN systems have an setting that allows the 
administrator to say "anyone in this group of users can only be 
logged in once at a time". If a user with the exact same credentials 
(including whatever came in after XAUTH) completes SA setup, the 
first SA is torn down. This should work fine even for pre-shared 
non-secrets as long as XAUTH or some other credentialling mechanism 
produces unique results for each user.

--Paul Hoffman, Director
--VPN Consortium

CHILD SA keys

Hi,

I would like to know more details on order of extraction of CHILD SA keys 
from the key material(KEYMAT) in case ESPwith AUTH and AH .

Is my understanding is right? :

Initiator side:
  	
	KEYMAT = { outbound ESP encryption key | outbound ESP auth key | outbound 
AH key |
                               inbound ESP encryption key | inbound ESP 
auth key | inbound AH key}

Responder side:

	KEYMAT = { inbound ESP encryption key | inbound ESP auth key | inbound AH key
		outbound ESP encryption key | outbound ESP auth key | outbound AH key |
                               }

Thanks in advance,
Jyothi

IPSec use with Diameter

Here is one paragraph from RFC 3588 (Diameter Base Protocol):

"Note that IPsec is considerably less flexible than TLS when it comes to
configuring root CAs. Since use of Port identifiers is prohibited within IKE
Phase 1, within IPsec it is not possible to uniquely configure trusted root
CAs for each application individually; the same policy must be used for all
applications. This implies, for example, that a root CA trusted for use with
Diameter must also be trusted to protect SNMP. These restrictions can be
awkward at best.
Since TLS supports application-level granularity in certificate policy, TLS
SHOULD be used to protect Diameter connections between administrative
domains. IPSec is most appropriate for intra-domain usage when pre-shared
keys are used as a security mechanism."

Can someone explain more about this?

Regards
Mohanlal

IPsec -- AH draft

Folks,

Based on the November exchange on the IPsec list re: AH and ICV and 
padding (see emails on subject "Query for IPv6 ICV" starting 
11/4/04), we have submitted a new AH draft.  This has been modified 
as shown below to clarify that in addition to the existing 
requirement to pad the ICV such that the whole AH length is an 
integral multiple of 4 (IPv4) or 8 (IPv6), unnecessary padding is 
prohibited.  We did not modify any paragraphs involving *implicit* 
padding on the assumption that the relevant algorithm document should 
specify the padding requirements appropriately.

	2.6  Integrity Check Value (ICV)

	This is a variable-length field that contains the Integrity
	Check Value (ICV) for this packet.  The field must be an
	integral multiple of 32 bits (IPv4 or IPv6) in length. The
	details of ICV processing are described in Section 3.3.3
	"Integrity Check Value Calculation" and Section 3.4.4
	"Integrity Check Value Verification." This field may include
	explicit padding, if required to ensure that the length of
	the AH header is an integral multiple of 32 bits (IPv4) or
	64 bits (IPv6). All implementations MUST support such
	padding     . Details of how to compute the required padding
	        ^^^^
                 insert text --> and MUST insert only enough padding
	        to satisfy IPv4/v6 alignment requirements.

	length are provided below in Section 3.3.3.2 "Padding".
	The integrity algorithm specification MUST specify the length
	of the ICV and the comparison rules and processing steps for
	validation.

	3.3.3.2.1  ICV Padding

	As mentioned in section 2.6, the ICV field may include
	explicit padding if required to ensure that the AH header
	is a multiple of 32 bits (IPv4) or 64 bits (IPv6). If
	padding is required, its length is determined by two factors:
		- the length of the ICV
		- the IP protocol version (v4 or v6)

	For example, if the output of the selected algorithm is
	96-bits, no padding is required for either IPv4 or for IPv6.
	However, if a different length ICV is generated, due to use
	of a different algorithm, then padding may be required
	depending on the length and IP protocol version.  The
	content of the padding field is arbitrarily selected by the
	sender.  (The padding is arbitrary, but need not be random
	to achieve security.)  These padding bytes are included in
	the ICV calculation, counted as part of the Payload Length,
	and transmitted at the end of the ICV field to enable the
	receiver to perform the ICV calculation.
                                                  ^^^^
	                                      add text: Inclusion of
	padding in excess of the minimnal amount required to satisfy
	IPv4/v6 alignment requirements is prohibited.

Thank you,
Karen

IPsec 2401bis -- new draft

Apologies if this is a duplicate -- the first try is currently stuck 
in the IPsec mailer queue because it was "too big".  I'm not sure why 
-- I may have inadvertently included color/underlining.

Folks,

We just submitted a new draft of 2401bis to the IETF publication 
folks... In addition to fixes to typos/etc, this revision includes 
the changes listed below.   Although Steve and I discussed most of 
these changes, he has again maintained plausible deniability by being 
on vacation when I completed the final edits .

Please note:

1. On November 12th, Steve Kent requested a poll of the working group 
to confirm which option we should put into 2401bis for handling of 
BYPASS'd fragments.
However, there wasn't any subsequent poll/consensus as to whether to 
make the change below that Mark Duffy proposed for Section 7.4 
BYPASS/DISCARD traffic, sentence 2, so I didn't change the text.

    From:
	An implementation MUST support stateful fragment checking to
	accommodate BYPASS traffic for which a non-trivial port
	range is specified.

    To:
	An implementation MUST NOT forward fragmented BYPASS traffic
	without performing stateful fragment checking.

2. All changes below after the 2 rows of ==== were made based on 
feedback from Russ Housley during the current working group last 
call.  Hence they didn't show up on the list

Thank you,
Karen

===========================================================================

Section 5.1 "Outbound IP Traffic Processing (protected-to-unprotected)" --
restored the following NOTE after step 4.  I also inserted some new 
text saying that "(This applies only to IPv4.  For IPv6 packets, only 
the originator is allowed to fragment them.)"

	Note: With the exception of IPv4 and IPv6 transport mode,
	an SG, BITS, or BITW  implementation MAY fragment packets
	before applying IPsec.  (This applies only to IPv4.  For IPv6
	packets, only the originator is allowed to fragment them.)
	The device SHOULD have a configuration setting to disable
	this.  The resulting fragments are evaluated against the SPD
	in the normal manner.  Thus, fragments not containing port
	numbers (or ICMP message type and code, or Mobility Header
	type) will only match rules having port (or ICMP message type
	and code, or MH type) selectors of OPAQUE or ANY. (See section
	7 for more details.)

===========================================================================

Appendix B.1 -- clarified text by changing the 2nd sentence:

     From:
	In appendix B.1: "The resulting entries that are decorrelated
         with the decorrelated set of entries are then added to that
         decorrelated set."

     To:
	The nodes of the tree are the selectors that may overlap
	between the policies.  At each node, the algorithm creates a
	branch for each of the values of the selector.  It also
	creates one branch for the complement of the union of all
	selector values.  Policies are then formed by traversing the
	tree from the root to each leaf.  The policies at the leaves
	are compared to the set of already decorrelated policy rules.
	Each policy at a leaf is either completely overridden by a
	policy in the already decorrelated set and is discarded or
	is decorrelated with all the policies in the decorrelated set
	and is added to it.

===========================================================================

Section 4.4.1 "The Security Policy Database (SPD)", subsection on 
"How To Derive the Values for an SAD entry" -- Changed:

     From:

	For each selector in an SPD entry, the entry specifies how to
	derive the corresponding values for a new Security Association
	Database (SAD, see Section 4.4.2) entry from those in the SPD
	and the packet. The goal is to allow an SAD entry and an SPD
	cache entry to be created based on specific selector values
	from the packet, or from the matching SPD entry. For outbound
	traffic, there are SPD-S cache entries and SPD-O cache entries.
	For inbound traffic, there are SPD-I cache entries and there
	is the SAD, which represents the cache for inbound
	IPsec-protected traffic (See Figure 3 in Section 5.2).

     To:
	For each selector in an SPD entry, the entry specifies how to
	derive the corresponding values for a new Security Association
	Database (SAD, see Section 4.4.2) entry from those in the SPD
	and the packet. The goal is to allow an SAD entry and an SPD
	cache entry to be created based on specific selector values
	from the packet, or from the matching SPD entry. For outbound
	traffic, there are SPD-S cache entries and SPD-O cache entries.
	For inbound traffic not protected by IPsec, there are SPD-I
                             ^^^^^^^^^^^^^^^^^^^^^^
	cache entries and there is the SAD, which represents the cache
	for inbound IPsec-protected traffic (See Figure 3 in Section
	5.2).

===========================================================================

Section 7.4 BYPASS/DISCARD traffic and Section D.4 BYPASS/DROP 
Traffic (last paragraph) -- corrected TCP port 25 (Telnet) to be TCP 
port 23 (Telnet).

===========================================================================

Section 5. "IP Traffic Processing" -- Clarified that the mapping of 
one cached SPD entry to one SA is not a consequence of decorrelation.

     Added the following sentences at the end of the paragraph 1:

	"For the purposes of this specification, it is
	assumed that each cached entry will map to exactly
	one SA.  Note, however, exceptions arise when one
	uses multiple SAs to carry traffic of different
	priorities (e.g., as indicated by distinct DSCP
	values) but the same selectors."

     Changed paragraph 2, sentence 3 from:

	But, if the SPD entries are first decorrelated, then the
	resulting entries can safely be cached and each cached entry
	will map to exactly one SA, or indicate that matching traffic
	should be bypassed or discarded, appropriately.

     To:
	But, if the SPD entries are first decorrelated, then the
	resulting entries can safely be cached. Each cached entry
	will indicate that matching traffic should be bypassed or
	discarded, appropriately.

===========================================================================

We made the following changes to clarify how the looping of traffic 
protected by nested SAs is handled if there are multiple SPD-I's

Section 5.1 "Outbound IP Traffic Processing 
(protected-to-unprotected)", step 4 -- Added the following sentences 
at the end of step 4 (The packet is passed to....):

	If necessary, i.e., if there is more than one SPD-I,
	the traffic being looped back MAY be tagged as
	coming from this internal interface.  This would
	allow the use of a different SPD-I for "real"
	external traffic vs looped traffic, if needed.

Appendix E - "Example of Supporting Nested SAs via SPD and Forwarding 
Table Entries", paragraph 1 -- Added the following sentence at the 
end of this paragraph:

	For simplicity, this example assumes just one SPD-I.

===========================================================================

Section 8.2.1 "Propagation of PMTU" -- Modified last sentence to 
clarify when to send a PMTU ICMP message:

     From:
	When such traffic arrives, if the traffic would exceed the
	updated PMTU value the traffic MUST be discarded and an
	appropriate ICMP PMTU message sent.

     To:
	When such traffic arrives, if the traffic would exceed the
	updated PMTU value the traffic MUST be handled as follows:

	Case 1: Original (cleartext) packet is IPv4 and has the DF
                  bit set.  The implementation SHOULD discard the packet
                  and send a PMTU ICMP message.

	Case 2: Original (cleartext) packet is IPv4 and has the DF
                 bit clear. The implementation SHOULD fragment (before
	        orafter encryption per its configuration) and then
	        forward the fragments.  It SHOULD NOT send a PMTU
		ICMP message.

	Case 3: Original (cleartext) packet is IPv6. The implementation
                 SHOULD discard the packet and send a PMTU ICMP message.

===========================================================================

Section D.3. The Problem of Non-Initial Fragments, -- Since Section 
7.2 allows separate SAs to be used for non-initial fragments, we 
modified the text that said the WG had "rejected" this option:

   2nd paragraph, last sentence
      From:
	However, RFC 2401 did not provide detailed guidance on this
	and thus it may not have been apparent that use of this
	feature would essentially create a "non-initial fragment
	only" SA, precisely the solution that the WG rejected.

     To:
	However, RFC 2401 did not provide detailed guidance on this
	and thus it may not have been apparent that use of this
	feature would essentially create a "non-initial fragment
	only" SA.

  3rd paragraph, 1st sentence
     From:
	In the course of rejecting the "fragment-only" SA approach,
	it was noted that some subtle problems, problems not
	considered in RFC 2401, would have to be avoided.

     To:
	In the course of discussing the "fragment-only" SA approach,
	it was noted that some subtle problems, problems not
	considered in RFC 2401, would have to be avoided.

  Section D.6 "Other Suggested Solutions", paragraph 4:
     From:
	The Working Group rejected the convention of creating an SA
	to carry only non-initial fragments, something that was
	supported implicitly under the RFC 2401 model via use of
	OPAQUE port fields, but never clearly articulated in the RFC
	2401. The (rejected) text called for each non-initial
	fragment to be treated as protocol 44 (the IPv6 fragment
	header protocol ID) by the sender and receiver.

     To:
	The Working Group rejected an earlier version of the
	convention of creating an SA to carry only non-initial
	fragments, something that was supported implicitly under the
	RFC 2401 model via use of OPAQUE port fields, but never
	clearly articulated in the RFC 2401. The (rejected) text
	called for each non-initial fragment to be treated as
	protocol 44 (the IPv6 fragment header protocol ID) by the
	sender and receiver.

===========================================================================

Section 13 "Differences from RFC 2401" -- Added the following bullet

	o With respect to IP addresses and ports, the terms "Local"
           and "Remote" are used for policy rules (replacing source
	  and destination).  "Local" refers to the entity being
	  protected by an IPsec implementation, i.e., the "source"
	  address/port of outbound packets or the "destination"
	  address/port of inbound packets. "Remote" refers to a peer
	  entity or peer entities. The terms "source" and
	  "destination" are still used for packet header fields.

===========================================================================

Section 5.1 "Outbound IP Traffic Processing (protected to 
unprotected)" -- Added back the following note after Step 4

NOTE: With the exception of IPv4 and IPv6 transport mode, an SG, BITS, or BITW
implementation MAY fragment packets before applying IPsec.  The 
device SHOULD have a configuration setting to disable this.  The 
resulting fragments are evaluated against the SPD in the normal 
manner.  Thus, fragments not containing port numbers (or ICMP message 
type and code, or Mobility Header type) will only match rules having 
port (or ICMP message type and code, or MH type) selectors of OPAQUE 
or ANY. (See section 7 for more details.)

===========================================================================
===========================================================================
All the following changes were suggested by Russ Housley...
===========================================================================
===========================================================================

In addition to fixing typos that he caught, we made various edits 
including but not limited to:

1. Spelled out acronyms -- NAT, ECN, DSCP, TCAM....
2. Used SA instead of Security Association after initial definition
3. Put in requests to RFC Editor to replace ?? with RFC numbers for
    the various IDs that are about to become RFCs and which are in
    the Reference section.
4. Changed all "Note" or "NOTE" to be consistently just one
    style --> "Note:"
5. Tried to change SPD-I, SPD-O, SPD-S and SPD-ID to use non-breaking
    hyphens, but I ran into a Microsoft Word glitch with this. So
    I may have missed some.
6. Replaced "system"/"systems" with "implementation"/"implementations
    in a number of places
7. Replaced "drop"/"DROP" with "discard"/"DISCARD" for consistency.
8. Replaced "2401bis" with phrases like "this document".

===========================================================================

Section 2.1, "Goals/Objectives/Requirements/Problem Description", 
paragraph 5 -- Changed:

     From:
	A set of default cryptographic algorithms for use with AH and
	ESP is specified in [Eas03] to facilitate interoperability in
	the global Internet. The use of these cryptographic algorithms....

     To:
	To facilitate interoperability in the global Internet, a set
	of default cryptographic algorithms for use with AH and ESP
	is specified in [Eas03] and a set of mandatory-to-implement
	algorithms for IKEv2 is specified in [Sch03].  [Eas03] and
	[Sch03] will be periodically updated to keep pace with
	computational and cryptologic advances.  By specifying these
	algorithms in documents that are separate from the AH, ESP,
	and IKEv2 specifications, these algorithms can be updated or
	replaced without affecting the standardization progress of
	the rest of the IPsec document suite. The use of these
	cryptographic algorithms...

===========================================================================

Section 3.2 "How IPsec Works", paragraph 1, bullet 2 -- changed

     From:
	o The Encapsulating Security Payload (ESP) protocol [Ken04a]
	  offers the same set of services, and also offers
	  confidentiality. Use of ESP in a confidentiality-only mode
	  is discouraged.
     To:
	o The Encapsulating Security Payload (ESP) protocol [Ken04a]
	  offers the same set of services, and also offers
	  confidentiality. Use of ESP to provide confidentiality
	  without integrity is NOT RECOMMENDED.

===========================================================================

Section 4.2 "Security Association Functionality" (changed in the rev 
to SA Functionality), paragraph 2 -- changed

     From:
	For example, both AH and ESP offer integrity and authentication
	services, but the coverage differs for each protocol and
	differs for transport vs. tunnel mode. If the integrity of an
	IPv4 option or IPv6 extension header must be protected en-route
	between sender and receiver, AH can provide this service,
	except for the mutable (non-predictable) parts of the IP or
	extension headers.....

     To:
	For example, both AH and ESP offer integrity and authentication
	services, but the coverage differs for each protocol and
	differs for transport vs. tunnel mode. If the integrity of an
	IPv4 option or IPv6 extension header must be protected en-route
	between sender and receiver, AH can provide this service,
	except for IP or extension headers that may change in a fashion
	not predictable by the sender....

===========================================================================

Section 4.4.1.2  "Structure of an SPD entry", 1st sentence -- Changed 
to indicate that the ASN.1 in Appendix C is an example, not normative.

     From:
	This section contains a prose description of an SPD entry.
	Also, an ASN.1 definition of an SPD entry is provided in
	Appendix C.

     To:
	This section contains a prose description of an SPD entry.
	Also, Appendix C provides an example of an ASN.1 definition
	of an SPD entry.

===========================================================================

Section 4.4.1.2 "Structure of an SPD entry", 2nd paragraph, 1st 
sentence -- Changed:

     From:
	This text describes the SPD in a fashion that maps directly
	into IKE payloads. One should not create SPD entries that
	cannot be mapped into something that IKE can negotiate.

     To:
	This text describes the SPD in a fashion that maps directly
	into IKE payloads to ensure that the policy required by SPD
	entries can be negotiated through IKE.

===========================================================================

Section 4.4.1.2 "Structure of an SPD entry", paragraph 3, bullet 1 -- Changed

     From:
	o Name -- a list of IDs.  This quasi-selector is optional.

     To:
	o Name -- a list of IDs.  This quasi-selector is optional.
	  The forms that MUST be supported are described above in
	  Section 4.4.1.1 under "Name".

===========================================================================

Section 4.5 SA and Key Management, first sentence -- Changed as follows

     From:
	IPsec mandates support for both manual and automated SA and
	cryptographic key management.

     To:
    	All IPsec implementations MUST support both manual and
	automated SA and cryptographic key management.

===========================================================================

Section 8.2.2 "PMTU Aging", paragraph 1 -- Changed as follows:

    From:
	In all IPsec implementations the PMTU associated with an
	SA MUST be "aged" and some mechanism is required to update
	the PMTU in a timely manner, especially for discovering if
	the PMTU is smaller than it should be,
     To:
	In all IPsec implementations the PMTU associated with an
	SA MUST be "aged" and some mechanism is required to update
	the PMTU in a timely manner, especially for discovering if
	the PMTU is smaller than required by current network conditions.

===========================================================================

Section 13. "Differences from RFC 2401" -- Changed as follows:

    From:
	o Support for AH in both IPv4 and IPv6 is now a MAY.

    To:
	o Support for AH in both IPv4 and IPv6 is no longer required.

    Deleted redundant bullet:
	o Text and an ASN.1 desription have been added to clarify
	  the structure of an SPD entry and its alignment with what
	  can be negotiated in IKEv2.

===========================================================================

Appendix C -- ASN.1 for an SPD Entry -- made about a dozen 
corrections and changes.  It should compile.  Let me know if you want 
the details.