[Babel-users] Babel authentication I-D version 05

[Juliusz Chroboczek]

Dear Dennis,

> the next (05) revision of the Babel authentication I-D is available at: http://tools.ietf.org/html/draft-ovsienko-babel-hmac-authentication-05

I had read a previous version of your draft, but I've now started
a very careful read of -05, reading every single comma and picking as
many nits as I can.  Unfortunately, I've been interrupted at page 14
by other stuff (as in student exams and plumber visits).  Since
I won't have time before the week-end to resume my read, here's
a summary of what I think right now.

The document (or at least the first 14 pages) is beautifully written
and very clear -- whenever I had a question, I found out it was
answered immediately after it occurred to me.  I have a number of
minor rewordings to suggest to you, but they're really not that
important.

On the other hand, there is one point that I strongly disagree with (1),
and one point that I don't understand (2).

1. In Section 3.1, you say that the default value of RxAuthRequired
MUST be TRUE.  I strongly disagree with that -- this requirement is
going to be disregarded by most implementations if you keep it a MUST.

I think that the default value SHOULD be TRUE if there are any CSAs
configured, and FALSE otherwise.  I'm pretty sure about the SHOULD --
there are perfectly legitimate reasons to sign the packets you send
but promiscuously accept any packets you hear.

2. In Section 2.1, you specify two distinct hash algorithms as
mandatory-to-implement: RIPEMD-160 and SHA-1.  Not being a crypto
specialist myself, I would have expected just one mandatory-to-implement
algorithm.  I'd appreciate it if you could clarify why you need two.

Thanks again for your work,

-- Juliusz