Re: New last call for PIC

[Bernard Aboba <aboba@xxxxxxxxxxxxx>]

Some comments:

Section 4.2 does not seem to reflect the addition of TCP transport
support. The discussion should therefore be prefaced with a statement such
as "For PIC operating over UDP..."

Since there was a concern expressed about RST attacks, it might be worth
considering whether there is a way to protect the TCP session using the
TCP MD5 option (RFC 2385). Prior to the key exchange, this is not
possible, but afterward a "session authentication key" could be derived
and used for this purpose. Just a thought.

As for the NAT issues, while it is probably not appropriate to
incorporate the NAT/IKE functionality at the moment, some important things
have been learned from the testing that has been done. One of these is
that NATs typically cannot handle fragments; another is that NATs
frequently de-multiplex packets sent to port 501, using the IKE
cookies. So rather than saying that "PIC temporarily uses port 501" I
would say "PIC uses port <TBD> both for TCP and UDP", just so people don't
get confused. 

On Wed, 28 Nov 2001, Paul Hoffman / VPNC wrote:

> 
> Greetings again. The PIC authors have revised their document and 
> their protocol; it is available at 
> <http://www.ietf.org/internet-drafts/draft-ietf-ipsra-pic-04.txt>.
> 
> Please read the document carefully again, particularly the protocol 
> changes. Make any comments on the document to the WG mailing list 
> soon so that we can discuss the comments fully.
> 
> If there is rough consensus that the document is good, we'll pass it 
> to the IESG in three weeks (December 19). If there is not rough 
> consensus, we'll do another round on the document and another last 
> call.
> 
> --Paul Hoffman, Director
> --VPN Consortium
>