FC-SP Letter ballot comments

FC-SP Revision 1.6 Comments
01/17/2005 (05-030v0)

Columns: Company-# | Technical/Editorial | Physical Page | Section/table/figure locator | Problem Description | Suggested solution | Response | Status | Edit Status

Entries below: Company-# (T = Technical, Physical Page, Section/table/figure locator), then Problem Description, Suggested solution and Response.
Brocade-24 (T, p. 5, 3.2.23)
Problem: A secret is a value that is not disclosed to anybody according to this definition. The definition may be a little too glib. If the secret is administratively established, it is known to all the administrators, at least. This definition should be tightened up.
Suggested solution: Proposed wording: "Secret: A value that is kept hidden from any person or device that may constitute a threat to the security of a communication."
Response: Accepted the comment that secret needs to be better defined. See Qlogic-01.

Emulex-002 (T, p. 6, 3.3)
Problem: Since this standard uses byte lists to specify structures, it is important to emphasize the order of transmission (FC-FS hides its rules well, and they are specified with respect to structures of words, as are the structures in FC-LS.)
Suggested solution: Add somewhere in 3.3: "Structures in this standard are specified as lists of bytes. Within any multibyte field, the first byte contains the highest order 8 bits of the field, and successive bytes are successively lower order 8 bits of the field. Fields with values that do not require the full size of the field shall be extended with high-order zero bits."
Response: Rejected. Action item to Bob Nixon to prepare a proposal for this. Action completed with no consequences for FC-SP.

QLogic-01 (T, p. 9, 4.1)
Problem: protocols to set up secret keys?
Suggested solution: Needs to be more specific of what type of keys.
Response: Accepted in principle. Add references to the sections of the standard where things are defined. Add some definitions in the definition section for the following terms:
- secret: the parameter used by DH-CHAP to perform authentication;
- certificate: the parameter used by FCAP to perform authentication;
- password: the parameter used by FCPAP to perform authentication;
- key: the shared parameter generated after an authentication transaction.
Verify that the above terms are used consistently across the entire document.

Emulex-003 (T, p. 9, 4.3)
Problem: The last sentence on page 9 suggests that this standard supports use of digital signatures, and that this feature is unique to certificate-based environments. This standard in fact says very little about digital signature, and what it says is not limited to certificate-based infrastructure; however, it is limited to policy distribution.
Suggested solution: Remove the last sentence on page 9.
Response: Accepted.
McDATA-25 (T, p. 9, 4.3)
Problem: What is a Security Association and how is it used?
Suggested solution: Add a section describing Security Associations.
Response: Accepted in principle. Add references and a definition in the definition section for Security Association.

Emulex-004 (T, p. 10, 4.4)
Problem: The first paragraph of 4.4 summarizes authentication support, but makes no mention of Bridge to Switch connections (see 5.8).
Suggested solution: In the first paragraph of 4.4, change "Authentication is defined for Switch-to-Switch, Device-to-Switch, and Device-to-Device" to "Authentication is defined for Switch-to-Switch, Bridge-to-Switch, Device-to-Switch, and Device-to-Device."
Response: Accepted. Add definitions in the definition section for Device and Bridge.

EMC-8 (T, p. 10, Figure 1)
Problem: The green SA paths provide fundamentally weaker security than the blue paths, with the possible exception of FCPAP. This is due to the possibility of DOS attacks and potential protocol weaknesses by comparison to IKEv2.
Suggested solution: This needs to be explained here at a minimum, and I'd like to see a "should" for the blue paths vs. the green paths. Also a statement should be added here that CHAP cannot generate the keying material required for SA establishment.
Response: Accepted. Action to me to propose a note.

McDATA-27 (T, p. 10, Figure 1)
Problem: Can they negotiate to not authenticate?
Response: The answer is no. Don't authenticate if you don't want!

McDATA-26 (T, p. 10, first paragraph)
Problem: There is no mention of using IKEv2 as a standalone protocol for authentication, although it is a fourth option shown in 4.4.
Suggested solution: Add reference to IKEV2 authentication.
Response: Accepted. Add a reference to 6.7.2.

McDATA-31 (T, p. 11, 4.5)
Problem: There's no clear definition of SA here. In IP world, IKE establishes SA dynamically but SA can also be defined by security policy statically. It's not clear whether it's true in FC since there's no definition of security policy.
Suggested solution: Move 4.5 to 4.7 clause and more completely define SA and SPD.
Response: Accepted in principle. Move 4.7 immediately after 4.5. Add in 4.5 references to chapter 6. Add a definition in the definition section for SPD. Add in 4.7 more details on the SPD properties. Action to me and Fabio to prepare a proposal. Consider renaming the SPD as SAD (Security Associations Database).

Brocade-47 (T, p. 11, 4.6.1)
Problem: "e) A set of Attribute Objects. Fabric-wide Objects that define optional attributes to be associated with Switches or Devices." seems a bit self-contradicting. Shouldn't these attribute objects be particular to the space where they are associated? As an example, could one switch have an attribute object and another not?
Suggested solution: This may be correct, but if so it needs to be rewritten so that it does not appear to allow an attribute to be associated with just one device or switch.
Response: Accepted in principle. Add a reference to the appropriate section in each of the items.
EMC-9 (T, p. 11, 4.6.1)
Problem: Policy comparison based on hash values alone is risky.
Suggested solution: Add unique policy identifiers.
Response: Partially accepted. A unique identifier is not always welcome, because it prevents a management model in which policies are generated independently. But when they are generated centrally and then downloaded to all involved Switches, then a unique identifier may be useful. Action to David to propose an optional unique identifier based on DCE 1.1 UUIDs. This is a possible addition to the Policy Summary Object.

Emulex-005 (T, p. 11, 4.6.1)
Problem: In the last paragraph of 4.6.1 is the statement "Each Policy Object may be summarized in a hash value." Is this optional?
Suggested solution: In the last paragraph of 4.6.1 change "Each Policy Object may be summarized in a hash value" to "Each Policy Object is summarized in a hash value".
Response: Accepted.

EMC-11 (T, p. 12, 4.7)
Problem: "A similar model" for CT_Authentication is not sufficient.
Suggested solution: Either CT_Authentication uses the same model, or the differences are fully specified, or a separate diagram for a new model is inserted.
Response: Accepted. Action to me and Fabio to prepare a proposal detailing better the CT_Authentication case. Progress in GS-5 is also needed.

EMC-12 (T, p. 12, 4.7)
Problem: Can CT Authentication use the SPD?
Suggested solution: CT_Authentication is specified elsewhere. If its functionality is being changed to be driven by the FC SPC, that has to be stated explicitly.
Response: The answer is yes. See EMC-11.

McDATA-38 (T, p. 12, 4.6.2)
Problem: Is the intent to allow for additional switch types in the future or to just modify the definitions of these switch types? A rigid definition for "types of switches" makes it difficult to modify or extend in the future. For example, one proposal was shown that would allow other information to be potentially gathered by Client switches in the future. How would that be handled in a FC SP 2?
Suggested solution: Suggestion: Add a Note indicating the intention is to allow adjustments of these definitions in the future when other policy or policy protocol may be defined. This may require a way for devices to advertise their level of support.
Response: Rejected. Add appropriate references to each item.

McDATA-43 (T, p. 12, 4.6.3)
Problem: Reauthentication can happen at any time - not just when a connection is attempted.
Suggested solution: Add a new sentence describing policy enforcement can happen at any time for reauthentication purposes or add another clause to the first sentence.
Response: Rejected. Add appropriate reference.
CNT-20 (T, p. 12, 4.6.3 p1,s2)
Problem: The appropriate Policy Objects need to be checked to determine whether the requested connection or access is to be allowed or denied.
Suggested solution: The appropriate Policy Objects shall be checked to determine whether the requested connection or access is to be allowed or denied.
Response: Partially accepted. Change to "The appropriate Policy Objects are checked to determine whether the requested connection or access is to be allowed or denied."

EMC-10 (T, p. 12, 4.6.4)
Problem: Policy summary object exchange uses compare by hash.
Suggested solution: Add unique policy identifiers.
Response: See EMC-9.

CNT-21 (T, p. 12, 4.6.4 p1,s1)
Problem: When two Switches join they need to ensure that their enforced policy configurations are the same.
Suggested solution: When two switches join, they shall ensure their enforced policy configurations are the same.
Response: Partially accepted. Change to "When two Switches join they ensure that their enforced policy configurations are the same."

McDATA-40 (T, p. 12, Figure 2)
Problem: Doesn't show CT Authentication model.
Suggested solution: Create similar figure for CT Authentication.
Response: See EMC-11.

McDATA-42 (T, p. 12, Figure 2)
Problem: SPD details needed. What are the required interoperable behaviors of an SPD? Where is the interface to the SPD defined in this standard?
Suggested solution: Define the interface and behaviors required to the SPD and the policy for setting an SPD in an interoperable fabric-wide fashion.
Response: See McDATA-31.

Brocade-50 (T, p. 13, 4.7)
Problem: The text indicates that frames not matching an SPD selector are transformed, but the remaining frames are passed through untransformed. I would have thought that would allow prohibited frames to circulate within the fabric and possibly attack it. I would have expected that those that came in without a selector match would have been discarded. Of course a default selector match for allowed insecure communications would also be defined.
Suggested solution: This is actually a question, but a clarification may be desirable to indicate that both unmatched threatening frames and unmatched permitted but insecure frames are transferred to the appropriate level.
Response: Partially accepted. No issues on the egress processing. On the ingress processing, clarify that if an FC-4 wants to process only verified frames it should add to the SPD a "catch-all" entry specifying to discard the unverified frames.

McDATA-47 (T, p. 13, last sentence of first paragraph)
Problem: This should also be explained better in a new section describing Security Associations.
Suggested solution: Add a new section on Security Associations and discuss traffic selectors.
Response: See McDATA-31.

CNT-29 (T, p. 15, 5.1 p5,s3)
Problem: "No more than one transaction of an Authentication protocol shall be in progress between two entities at a time." Does this mean between any two entities or between the same two entities?
Suggested solution: Clarify.
Response: Between the same two entities.
McDATA-49 (T, p. 15, first sentence below Figure 3)
Problem: This first sentence seems to conflict with other clauses of the document. For example, 5.9.5 that says an Nx_Port is always the sender of AUTH_Negotiate.
Suggested solution: Change first sentence to: "For the initial connection there are rules for when Fibre Channel entities act as Authentication Initiator or Authentication Responder. See 5.9.5 for Nx_port rules. See 5.7.1 for E_Port tie-breaking rules. See 5.8.1 for B_Port rules. Thereafter, for re-authentication, any Fibre Channel entity may act as an Authentication Initiator or as an Authentication Responder."
Response: Partially accepted. Change "Any Fibre Channel entity may" to "The Authentication protocols allow any Fibre Channel entity to".

McDATA-50 (T, p. 16, close communication)
Problem: What does it mean to "close communication"? These states and standards should be consistent across multiple standards.
Suggested solution: The range of appropriate actions should be described in a section. If it is, then refer to that section. Why is the disabled port state not mentioned in this standard? Invalid attachment is only mentioned in Appendix D. Do a global change to close communications to reference the new section. Identify either the Invalid attachment or disabled state for the purpose of "close communication".
Response: Partially accepted. Action for me to propose a definition for "close communication" in the definitions section.

Emulex-007 (T, p. 18, 5.4.2.1)
Problem: Table 18 specifies an order for the parameters in a DH-CHAP Protocol Parameters structure. Given the parameters are all TLV structures, is there a reason for this? (Same question for FCAP and FCPAP.)
Response: The answer is yes. Keep as is.
Cisco-01 (T, p. 19, 5.2.4)
Problem: Table 9 should include a vendor specific AUTH message.
Suggested solution: Include in Table 9 a vendor specific message code.
Response: Reserve range 01..09 for legacy implementations. Assign range F0h..FEh for vendor specific usage. The Message Payload for vendor specific messages shall be composed of the T10 Vendor-ID followed by vendor specific information. Assign range F0h..FEh of AUTH_Negotiate protocol identifiers to identify vendor specific protocols. The AUTH_Negotiate protocol parameters shall begin with the T10 Vendor-ID followed by vendor specific information. Support for vendor specific extensions shall not be mandatory. A system shall operate correctly when all vendor specific extensions are rejected.
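The Cisco-01 disposition above gives an implementer three rules: legacy codes 01h..09h, vendor specific codes F0h..FEh whose payload (or AUTH_Negotiate protocol parameters) begins with the T10 Vendor-ID, and the requirement that a system operate correctly when every vendor extension is rejected. The following is an added example (not FC-SP text or any vendor's code) that applies those rules to received message codes and to responder-side protocol selection. It assumes the T10 Vendor-ID is the 8-byte ASCII field used in T10 standards, and the supported vendor list and protocol identifier values are constructed placeholders.

```python
"""Vendor specific AUTH message codes and AUTH_Negotiate protocol identifiers.

Added example modelling the Cisco-01 disposition: 01h..09h reserved for
legacy implementations, F0h..FEh for vendor specific usage, vendor payloads
prefixed by the T10 Vendor-ID. Assumptions not on the page: the Vendor-ID
is 8 ASCII bytes; SUPPORTED_VENDOR_IDS and the identifiers in the demo are
constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LEGACY_CODES = range(0x01, 0x0A)     # 01h..09h: reserved for legacy implementations
VENDOR_CODES = range(0xF0, 0xFF)     # F0h..FEh: vendor specific usage
T10_VENDOR_ID_LEN = 8                # assumption: 8-byte ASCII T10 Vendor-ID

# Constructed placeholder: the only vendor whose extensions this node understands.
SUPPORTED_VENDOR_IDS = {b"ACMEFC  "}


@dataclass
class VendorExtension:
    code: int
    vendor_id: bytes
    data: bytes


def parse_vendor_extension(code: int, payload: bytes) -> Optional[VendorExtension]:
    """Split a vendor specific payload into Vendor-ID and vendor data.

    Returns None when the code is outside F0h..FEh or the payload is too
    short to carry the mandatory Vendor-ID (a malformed extension).
    """
    if code not in VENDOR_CODES or len(payload) < T10_VENDOR_ID_LEN:
        return None
    return VendorExtension(code, payload[:T10_VENDOR_ID_LEN], payload[T10_VENDOR_ID_LEN:])


def classify_message_code(code: int, payload: bytes) -> str:
    """Decide how a received AUTH message code is handled.

    "reject" is the safe default for every vendor extension this node does
    not understand: the disposition requires correct operation when all
    vendor specific extensions are rejected.
    """
    if code in LEGACY_CODES:
        return "legacy"
    if code in VENDOR_CODES:
        ext = parse_vendor_extension(code, payload)
        if ext is not None and ext.vendor_id in SUPPORTED_VENDOR_IDS:
            return "vendor-accept"
        return "reject"
    return "standard"


def select_protocol(offered: List[Tuple[int, bytes]], standard_supported: Set[int]) -> Optional[int]:
    """Responder-side choice among AUTH_Negotiate protocol identifiers.

    `offered` is the initiator's ordered list of (protocol identifier,
    protocol parameters). A vendor identifier is usable only when its
    parameters begin with a known T10 Vendor-ID; any other vendor entry is
    skipped rather than treated as an error, so negotiation still succeeds
    on a standard protocol later in the list.
    """
    for ident, params in offered:
        if ident in VENDOR_CODES:
            ext = parse_vendor_extension(ident, params)
            if ext is not None and ext.vendor_id in SUPPORTED_VENDOR_IDS:
                return ident
            continue
        if ident in standard_supported:
            return ident
    return None


if __name__ == "__main__":
    # Constructed sample: an unknown vendor protocol first, then placeholder identifier 0x02
    offered = [(0xF0, b"OTHERVND" + b"\x00\x01"), (0x02, b"")]
    print(select_protocol(offered, {0x02}))
```

Because the unknown vendor entry is skipped rather than rejected outright, the sample negotiation above still lands on the standard identifier, which is exactly the "operate correctly when all vendor specific extensions are rejected" property the disposition asks for.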
Emulex-008 (T, p. 19, 5.2.4)
Problem: In the description of the Message Length field, the undefined term "command dependent portion" is used.
Suggested solution: In the description of the Message Length field in 5.2.4, change "command dependent portion" to "Message Payload field".
Response: Accepted. Change to "Message Payload".

Emulex-009 (T, p. 19, 5.2.4)
Problem: In the description of the Transaction Identifier field, the statement "each subsequent Authentication message shall contain the same value" would prevent conducting concurrent authentication transactions with different entities.
Suggested solution: In the description of the Transaction Identifier field in 5.2.4, change "each subsequent Authentication message shall contain the same value" to "each subsequent Authentication message between the same two entities shall contain the same value".
Response: Accepted.

McDATA-57 (T, p. 19, Message Length)
Problem: The "command dependent portion" clause is somewhat confusing.
Suggested solution: Change it to read "Message Payload".
Response: Accepted. See Emulex-008.

McDATA-59 (T, p. 20, 5.3.1)
Problem: This wording is confusing. An Auth transaction is also terminated after the last success frame is received.
Suggested solution: Maybe the wording should be "and may be abnormally terminated with an error indication by:".
Response: Accepted in concept. Remove "with an error indication" and add the successful case in the itemized list.

McDATA-61 (T, p. 21, 5.3.4)
Problem: Simply configuring a secret will not cause the Responder to be able to use a different protocol.
Suggested solution: Remove the last sentence in the parenthesis.
Response: Rejected. The parenthesis explains an example.

McDATA-62 (T, p. 21, Figure 4)
Problem: 'No Usable Protocols' doesn't exist in table 14 as a valid explanation.
Suggested solution: Change to 'Authentication Mechanism Not Usable'.
Response: Accepted.
Veritas-8 (T, p. 21, Table 11)
Problem: The note in this table sounds suspiciously like a requirement. If so, it should be in the text.
Suggested solution: Add sentence "The IEEE Registered Extended Name_Identifier (NAA=6h) shall not be used."
Response: Accepted in principle. Change "is not supported" to "shall not be used", but keep as a footnote.

McDATA-64 (T, p. 22, Table 14)
Problem: Change "hash function" to "Hash Function".
Response: Accepted.

McDATA-63 (T, p. 22, Table 15)
Problem: See document 04-394v0 for suggestions related to Table 15 and Reason Code Explanation 09h.
Suggested solution: Adopt changes from 04-394v0.
Response: Partially rejected. Clarified code 02/09 as "When the continuation_flag is set in AUTH_Negotiate, the Authentication Initiator REQUIRES continuation. If the Authentication Responder does not support continuation, a 02/09 AUTH_Reject shall be returned. The Authentication Initiator may restart the Authentication Transaction with no continuation, if it is appropriate to do so. If the Authentication Responder supports continuation, the continuation_flag shall be set to one in all subsequent messages. Failure to satisfy this requirement results in an AUTH_Reject 01/07. If the continuation_flag is set to one outside these conditions, an AUTH_Reject 01/07 shall be returned. (editor to make it editorially correct)." Add Reason code explanation 'Unsupported Protocol Revision' as '01' Reason Code.
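The clarified 02/09 text in the McDATA-63 disposition is a small state machine: AUTH_Negotiate with continuation_flag set is rejected 02/09 by a Responder without continuation support, otherwise it fixes whether continuation is required, and every later message must carry the flag consistently or draw 01/07. The following added example (not FC-SP text or any implementation's code) encodes that check for received messages; the follow-on message names, the transaction driver and the sample sequences are constructed for the demo, while the reason code / explanation pairs are the ones quoted in the disposition.

```python
"""continuation_flag handling as clarified in the McDATA-63 disposition.

Added example, not FC-SP text. Reason code / explanation pairs 02/09 and
01/07 are quoted from the disposition; message names after AUTH_Negotiate
and the driver below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REJECT_02_09 = (0x02, 0x09)   # Responder does not support required continuation
REJECT_01_07 = (0x01, 0x07)   # continuation_flag inconsistent with what was negotiated


@dataclass
class AuthMessage:
    name: str                 # "AUTH_Negotiate" or any later message of the transaction
    continuation_flag: bool


@dataclass
class ContinuationState:
    supports_continuation: bool          # local capability of the receiving side
    required: Optional[bool] = None      # unknown until AUTH_Negotiate has been accepted


def check_received(state: ContinuationState, msg: AuthMessage) -> Optional[Tuple[int, int]]:
    """Return None to accept the message, or the AUTH_Reject code pair to send."""
    if msg.name == "AUTH_Negotiate":
        if msg.continuation_flag and not state.supports_continuation:
            return REJECT_02_09
        # Accepted: the flag value now binds every subsequent message of the transaction
        state.required = msg.continuation_flag
        return None
    if state.required is None:
        # No AUTH_Negotiate yet: a set flag here is "outside these conditions"
        return REJECT_01_07 if msg.continuation_flag else None
    if state.required and not msg.continuation_flag:
        return REJECT_01_07   # shall be set to one in all subsequent messages
    if not state.required and msg.continuation_flag:
        return REJECT_01_07   # set to one although continuation was not negotiated
    return None


def run_transaction(supports_continuation: bool,
                    msgs: List[AuthMessage]) -> List[Optional[Tuple[int, int]]]:
    """Feed received messages through one transaction's state.

    Stops at the first rejection, since an AUTH_Reject ends the transaction.
    """
    state = ContinuationState(supports_continuation)
    outcomes: List[Optional[Tuple[int, int]]] = []
    for m in msgs:
        result = check_received(state, m)
        outcomes.append(result)
        if result is not None:
            break
    return outcomes


if __name__ == "__main__":
    # Constructed sample: initiator requires continuation and keeps the flag set
    sample = [AuthMessage("AUTH_Negotiate", True), AuthMessage("NEXT_MESSAGE", True)]
    print(run_transaction(True, sample))    # [None, None]
    print(run_transaction(False, sample))   # [(2, 9)]
```

Note the asymmetry the disposition creates: a Responder lacking support answers 02/09 only to the negotiation message, after which the Initiator may restart without continuation; every later inconsistency, in either direction, is 01/07.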
CNT-44 (T, p. 23, table 16)
Problem: AUTH_Done Message Payload. Why does a NULL/zero length payload need to be specified?
Suggested solution: Remove the table.
Response: Accepted. Change the last sentence to "The AUTH_Done message has no Message Payload."

EMC-18 (T, p. 24, 5.4.1)
Problem: "If DH-CHAP with a NULL DH algorithm is used and the assigned secrets are not different for each entity, the configuration is not secure." is incorrect.
Suggested solution: Delete "If ... and", and explain the vulnerability - whenever two entities have the same secret, they can freely impersonate one another.
Response: Accepted. Change the sentence to "Two entities may impersonate one another if they have the same secret, therefore if the assigned secrets are not different for each entity there is a security vulnerability."
EMC-20 (T, p. 24, 5.4.1)
Problem: When the DH group is not null, DH-CHAP is vulnerable to a DOS attack because the attacker can cause the responder to compute g^x mod p without the attacker engaging in any exponentiation. A Reject with Logical Busy does not help.
Suggested solution: Describe the DOS attack.
Response: Accepted. Add "When the DH group is not null, DH-CHAP is vulnerable to a denial of service attack if the attacker initiates concurrent authentication from a sufficient number of different S_IDs, because the attacker may cause the responder to compute g^x mod p without the attacker engaging in any exponentiation. This vulnerability is not present in the cases of E_Port to E_Port authentication, E_Port to B_Port authentication and N_Port to F_Port authentication because S_ID and D_ID have fixed values. For N_Port to N_Port authentication the fact that a Port Login is required before performing authentication requires the attacker to be able to respond from any S_ID used to mount the attack. Implementations that may exhibit non-responsive behavior under overload should limit the number of simultaneous authentication computations by using the 'Logical Busy' AUTH_Reject." Editor job: find the right place for these sentences, they are not specific to DH-CHAP. 6.8.5 may be a good place, or reference the place from 6.8.5.
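The EMC-20 disposition above ends with a concrete mitigation: an implementation that may become non-responsive under overload should cap the number of simultaneous authentication computations and answer the excess with the 'Logical Busy' AUTH_Reject. The following added example (not FC-SP text or any implementation's code) models that cap on the responder side, with the one-transaction-per-peer rule from CNT-29 folded in; the cap, the S_ID values, the tiny demo modulus and the reject labels are constructed for the demo, and a real responder would use the negotiated DH group rather than the placeholder here.

```python
"""Bounding simultaneous DH-CHAP computations with the 'Logical Busy' AUTH_Reject.

Added example, not FC-SP text. Models the EMC-20 disposition: the expensive
g^x mod p step is performed only for admitted transactions, and requests
beyond the cap get 'Logical Busy'. Cap, S_IDs, modulus and labels are
constructed for the demo; DEMO_P is not a real DH group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LOGICAL_BUSY = "AUTH_Reject(Logical Busy)"
ALREADY_IN_PROGRESS = "AUTH_Reject(transaction already in progress)"  # constructed label
PROCEED = "compute"

# Constructed toy modulus, only so the gated exponentiation is visible.
DEMO_P = 2**127 - 1
DEMO_G = 5


@dataclass
class AuthComputationLimiter:
    max_concurrent: int                              # global cap on in-flight exponentiations
    active: Set[int] = field(default_factory=set)    # S_IDs with a computation in progress
    rejected_busy: int = 0

    def admit(self, s_id: int) -> str:
        """Decide whether a new AUTH transaction from s_id may start a computation."""
        if s_id in self.active:
            # No more than one transaction between the same two entities at a time
            return ALREADY_IN_PROGRESS
        if len(self.active) >= self.max_concurrent:
            # Cap is global, since the attack spreads requests over many S_IDs
            self.rejected_busy += 1
            return LOGICAL_BUSY
        self.active.add(s_id)
        return PROCEED

    def finish(self, s_id: int) -> None:
        """Release the slot when the transaction completes, is rejected, or times out."""
        self.active.discard(s_id)


def responder_handle(limiter: AuthComputationLimiter, s_id: int, private_x: int) -> Dict[str, object]:
    """Perform the responder's exponentiation only if the limiter admits the request."""
    decision = limiter.admit(s_id)
    if decision != PROCEED:
        return {"s_id": s_id, "decision": decision, "dh_value": None}
    # The step an attacker tries to trigger for free: g^x mod p
    dh_value = pow(DEMO_G, private_x, DEMO_P)
    return {"s_id": s_id, "decision": decision, "dh_value": dh_value}


def simulate_burst(max_concurrent: int, s_ids: List[int]) -> Dict[str, int]:
    """Constructed burst: every S_ID opens a transaction and none completes.

    Returns how many requests reached the exponentiation and how many got
    'Logical Busy' instead.
    """
    limiter = AuthComputationLimiter(max_concurrent)
    computed = 0
    for i, s_id in enumerate(s_ids):
        if responder_handle(limiter, s_id, private_x=1000 + i)["dh_value"] is not None:
            computed += 1
    return {"computed": computed, "logical_busy": limiter.rejected_busy}


if __name__ == "__main__":
    # Constructed S_IDs: 50 distinct 24-bit addresses, cap of 8 concurrent computations
    burst = [0x010100 + i for i in range(50)]
    print(simulate_burst(8, burst))   # {'computed': 8, 'logical_busy': 42}
```

The cap must be global rather than per S_ID: the disposition's attack uses many different S_IDs precisely so that a per-peer limit never triggers, and the per-peer check here only enforces the separate one-transaction-at-a-time rule. Slots must also be released on timeout, not only on completion, or an attacker who never answers holds them indefinitely.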
EMC-21 (T, p. 24, 5.4.1)
Problem: When a weak secret (e.g., password) is used with a NULL DH group, DH-CHAP is vulnerable to a passive dictionary attack.
Suggested solution: Require a strong secret or require support for the 1536 bit DH group in addition to the NULL DH group.
Response: Open. Both proposed solutions are possible, a bigger group is needed to take a decision. Action to David to present to the group the language iSCSI chose to solve this issue. Closed by David: document reviewed and edited on 12/8/2004.

McDATA-69 (T, p. 25, Note 3)
Problem: I don't understand this note. The first sentence in this note and also 3rd paragraph in section 5.4.1 implies supporting DH-CHAP with NULL DH is mandatory. How can you then not include it in the AUTH Neg command?
Suggested solution: If the AUTH initiator prefers other protocols, those should be listed first and the DH-CHAP with NULL DH listed last.
Response: Rejected. The purpose of the note is to state that the administrator of a fabric is responsible to choose the security properties of the fabric, and so he may decide to not use at all the NULL DH-CHAP.

McDATA-71 (T, p. 26, 5) last sentence)
Problem: Authentication responder s/b 'Authentication Initiator'.
Response: Accepted.
Brocade-52 (T, p. 26, 5.4.1, Note 4)
Problem: Note 4 is already contained in steps 4 and 5. The clarification may be required that step 4 (or if bi-directional Authentication is required, step 5) is complete, but that should be in text, not a note.
Suggested solution: Replace note 4 with: "Authentication is complete after step 4 above is executed. Optional bi-directional authentication is complete after step 5 above is executed." Alternatively, the corresponding step should have a final sentence added as follows: In step 4: "If bi-directional authentication is not required, authentication is complete." In step 5: "Bi-directional authentication is complete."
Response: Rejected. Change note 4 to "The DH-CHAP protocol does not use the AUTH_Done message."

McDATA-72 (T, p. 26, first sentence)
Problem: Is the "and" at the end of the sentence supposed to be there?
Response: Yes. Itemized list.

McDATA-75 (T, p. 27, Note 5)
Problem: If different hash functions are required to be used shouldn't they be listed first? This note is stating in certain environments you aren't required to follow the standard.
Response: Rejected. See McDATA-69.
EMC-23 (T, p. 28, Table 22)
Problem: Need more DH groups.
Suggested solution: 2048 bits as the largest usable group is insufficient. Add larger mod-p groups from RFC 3526.
Response: Accepted in principle. Add by reference to RFC 3526. Action to the editor. In addition to RFC 3526 more is needed, because SRP requires a different generator on bigger DH groups. What is needed is Appendix A of RFC 3723 with the 768 group omitted. These groups are not for IKE. This is the text: "In addition to these groups, the following groups MAY be supported, each of which has also been rigorously proven to be prime:
[1] iSCSI Key="MODP-3072": the 3072-bit [RFC3526] group, generator: 5
[2] iSCSI Key="MODP-4096": the 4096-bit [RFC3526] group, generator: 5
[3] iSCSI Key="MODP-6144": the 6144-bit [RFC3526] group, generator: 5
[4] iSCSI Key="MODP-8192": the 8192-bit [RFC3526] group, generator: 19"
Add a note to table 22 telling that these groups and group identifiers are used only by the authentication protocol in Chapter 5, and are different than those used by IKE. IKE in chapter 6 uses different groups and group identifiers, listed in table 73.

Brocade-54 (T, p. 29, 5.4.3)
Problem: Only two challenge lengths are valid. All others (including zero) should cause an invalid indication.
Suggested solution: "A Challenge Length Value of zero is illegal" s/b "Any other Challenge Length Value, including zero, is illegal."
Response: Accepted in principle. Add a column "hash length" in table 22. Change "This length shall be a multiple of 4. For the MD5 hash function, the length shall be 16 bytes. For the SHA-1 hash function the length shall be 20 bytes. A challenge Value Length of zero is illegal. If the Challenge Value Length is set to zero" to "This length shall be the value specified in table 22 for the selected hash identifier. If the Challenge Value Length does not match the value specified in table 22".
Brocade-55 (T, p. 29, 5.4.3)
Problem: Should references be provided for proper creation of random value?
Suggested solution: Provide recommended reference.
Response: Add to the challenge value paragraph: "(see B.1.2)".

EMC-24 (T, p. 29, 5.4.3)
Problem: "repetition of a challenge value in conjunction with the same secret would permit an attacker to reply with a previously intercepted response." is incorrect.
Suggested solution: The transaction ID provides some protection against this, and the DH exponentials provide a lot of protection when used properly. Nonetheless, the recommendation is correct, but it needs a correct explanation.
Response: Accepted. Change "permit an attacker to reply with a previously intercepted response" to "may reveal information about the secret or the correct response to this challenge".

McDATA-76 (T, p. 29, Challenge Value Length)
Problem: Specify what error reason code (RC/E) to use if length != 0 and != 16 or 20.
Response: See Brocade-54.

McDATA-77 (T, p. 29, DH Value Length)
Problem: Specify what RC/E to use if length % 4 != 0.
Response: See Brocade-54.

McDATA-80 (T, p. 30, DH Value Length)
Problem: Which RC/E to use if not?
Response: See Brocade-54.

McDATA-79 (T, p. 30, Response Value Length)
Problem: Which RC/E to use if not?
Response: See Brocade-54.

EMC-25 (T, p. 31, 5.4.4)
Problem: "repetition of a challenge value in conjunction with the same secret would permit an attacker to reply with a previously intercepted response." is incorrect.
Suggested solution: The transaction ID provides some protection against this, and the DH exponentials provide a lot of protection when used properly. Nonetheless, the recommendation is correct, but it needs a correct explanation.
Response: See EMC-24.

McDATA-83 (T, p. 31, Challenge Value)
Problem: C1 s/b C2.
Response: Accepted.

McDATA-81 (T, p. 31, Challenge Value Length)
Problem: Which RC/E to use if not?
Response: See Brocade-54.

McDATA-82 (T, p. 31, Response Value Length)
Problem: General: Many places in the document have omissions about what to do if the value says it shall be such and such value(s). Specify which Error Codes and Explanation (RC/E) codes should be used or not in all cases?
Suggested solution: Suggest searching for the word "shall" throughout the document and determine if values are not those specified whether the error condition is adequately defined.
Response: See Brocade-54. Apply to the other situations in the document.

McDATA-84 (T, p. 31, Response Value Length)
Problem: To the first part of the sentence, add "or when sent from the Authentication Initiator to the Responder".
Response: Accepted.

EMC-26 (T, p. 32, 5.4.6)
Problem: Using DH-CHAP to key IKEv2 exposes IKEv2 to any DH-CHAP weaknesses; see EMC comment 8.
Suggested solution: Recommend that IKEv2 be used directly when this is a concern. This also applies to FCAP and FCPAP.
Response: See EMC-8. Accept the recommendation.
EMC-27 (T, p. 32, 5.4.6)
Problem: No explicit prohibition on trying to key IKEv2 from CHAP.
Suggested solution: Prohibit any use of any material derived from the DH-CHAP exchange for keying IKEv2 when the DH group is null.
Response: Accepted. Add "When the DH group used in the DH-CHAP transaction is null, the results from the DH-CHAP transaction shall not be used to generate a session key Ks for IKE."

EMC-28 (T, p. 32, 5.4.6)
Problem: No length given for K sub S; this is needed to specify IKEv2 behavior.
Suggested solution: Say that the size of K sub S is the output size of the hash function ... no this is not as obvious as it may appear - padding for convenience has to be disallowed.
Response: Add "The size of the session key Ks is determined by the selected hash function, as shown in table 21." Change in the first sentence of the second paragraph "the hash" with "the complete hash, with no padding,".

EMC-29 (T, p. 33, 5.5.1)
Problem: No mention that private keys need to be provided in intro text.
Suggested solution: FCAP requires a digital certificate, and the private key that corresponds to the certificate be provided to a node that wishes to authenticate.
Response: Accepted. Add "and the private/public key pair that corresponds to the certificate".

McDATA-85 (T, p. 33, Figure 6)
Problem: The way this is laid out almost implies the AUTH_Done is sent when the signature verification fails.
Suggested solution: Change the drawing so the AUTH_Done and Calculate Key arrows originate at the same point.
Response: Accepted.

McDATA-89 (T, p. 34, 2))
Problem: Define nonce.
Response: Accepted. Add a definition in the definition section.

McDATA-86 (T, p. 34, 3) and 4))
Problem: How verification is performed needs to be explicitly called out in both paragraphs 3) and 4) or a reference added to the section that does explicitly detail the algorithm.
Response: Open. Possibly add a reference to a document describing certificate manipulation. Action to Steve to detail the certificate verification processing.

Brocade-57 (T, p. 35, 5.5.1)
Problem: The session key example in 5.5.1, steps 4 and 5, is developed using an example of g**xy mod p. The session key is actually specified in 5.5.6 as the Hash of that value.
Suggested solution: Correct steps 4 and 5 by deleting the formula and instead referencing 5.5.6 for the definition of the session key. As an example: "session Key Ks (i.e. g**xy mod p)." s/b "session Key Ks (see 5.5.6)."
Response: Accepted.

EMC-34 (T, p. 36, Table 30)
Problem: Use same hash identifiers throughout.
Suggested solution: FCAP should not define its own hash identifiers. Refer to table 21 instead, but it's ok to disallow use of MD5 with FCAP.
Response: Accepted. Consider making table 21 and 22 generic for all three protocols. Prohibit use of MD5 with FCAP and FCPAP. Set to 6 the identifier for SHA-1 for both FCAP and FCPAP.

EMC-35 (T, p. 38, 5.5.3.2)
Problem: Defining a new certificate format is not a good idea. This defines a new certificate format that cannot be obtained from any existing commercial certificate authorities and probably requires customization of CA software in order to issue them.
Suggested solution: Allow reuse of certificates in standard formats available from CAs and standard CA software.
Response: Open. Steve to verify that it is possible to get these certificates from CAs.
EMC-36 (T, p. 38, 5.5.3.2)
Problem: Certificate format spec insufficient; X.509v3 is notorious for interoperability problems.
Suggested solution: Much tighter constraints are needed on certificate format. I suggest referencing appropriate portions of RFC 3280.
Response: Open. Action to Steve to determine how to reference RFC 3280 for the certificate format.

McDATA-92 (T, p. 38, FCAP General and Table 33)
Problem: a) If a unique FCAP certificate type is defined - it should be coordinated with IETF. b) For interoperability, there should be a statement about what existing CA root certificate SHALL be supported OR there should be something added to specify an interoperable CA certificate that shall be supported. c) The complete definition of the FCAP Certificate data structure should be spelled out, including how ALL fields are to be filled in the certificate OR an existing certificate type should be adopted instead of creating a special one for FCAP. d) For improved interoperability, it would be desirable to define a mechanism for distributing the CA information.
Suggested solution: Complete the definition.
Response: Open. See EMC-36 (a, c), EMC-35 (b), and EMC-39 (d).

McDATA-93 (T, p. 38, FCAP X.509 Certificate Value)
Problem: This data construct should be shown as a table, indicating the order, size, etc. of all fields as is done in all FC standards. AND add reference to the X.509 document.
Response: Open. See EMC-36 as RFC 3280 might resolve a lot of this.

McDATA-94 (T, p. 38, FCAP X.509 Certificate Value a), b) etc.)
Problem: The use of letters in this list implies that the order of the data is not important. I don't think that is true. What is the order, etc. of something called Subject Distinguished Name? Where is the exact data structure defined?
Suggested solution: Create entire certificate data structure with all fields specified.
Response: Open. See EMC-36.

McDATA-97 (T, p. 39, Authentication Initiator Nonce)
Problem: 'Responder' should be 'Initiator'.
Response: Accepted.

McDATA-95 (T, p. 39, Nonce Value)
Problem: As written is not useful. Say "Contains a random value of the type shown in Table 35". Are there important notes that should be added about the randomness of the value also? Suggest using verbiage similar to verbiage found about the Challenge Value in DHCHAP.
Response: Accepted. Change to "Contains a random value of the type shown in Table 35". See EMC-33.
McDATA-96 | T | p. 39 | Table 36
Problem: There is no easy way to tell what the proper lengths for the Nonce and Certificate should be, without a crisper rendition of them in a table, calling out all optional and/or mandatory fields to be included in an FCAP type of certificate. Clearly define, or put an exact reference to an appropriate document.
Response: The length for the nonce is specified in table 35. For the certificate, EMC-36 has to be resolved first. Open.

EMC-37 | T | p. 40 | 5.5.4.2
Problem: Signature specification is wrong: the DH value must also be signed, as per the summary in 5.5.1.
Suggested solution: Correct the specification of RSA-SHA1-Signature-Value to require signing the DH value in addition to the nonce.
Response: Accepted. Change the text of "RSA-SHA1 signature value" to "The RSA-SHA1 signature is generated by computing the concatenation of the nonce with the Diffie-Hellman parameter g^y mod p, then applying the SHA-1 hash function to the concatenated quantity, then encrypting the hash with the RSA private key of the sending entity (see RFC 3279)." The relevant section of RFC 3279 is 2.2.1.

Emulex-010 | T | p. 40 | 5.5.4.2
Problem: The description of the RSA-SHA1 Signature Value is incomplete by comparison with 5.5.1 ordered list items 3 and 4, and there seems to be no reference for RSA encryption in FC-SP. As 5.5.4.2 contains the primary specification, it should be mathematically complete, including the necessary references.
Suggested solution: Correct the description of the RSA-SHA1 Signature Value in 5.5.4.2 to match those in 5.5.1 ordered list items 3 and 4. Add RSA-SHA1 to the acronym directory with a reference document.
Response: Partially accepted. See EMC-37.

McDATA-99 | T | p. 40 | Table 38
Problem: Is RSA-SHA1 the same as SHA1 or different? Not consistent with hash function references elsewhere in the document. Better to add a reference to where one can find the spec. for RSA-SHA1.
Suggested solution: Be consistent when specifying hashes throughout the document, and add a reference to where the algorithm being used is specifically defined.
Response: Accepted. See EMC-37.

EMC-38 | T | p. 41 | 5.5.6
Problem: No length given for K sub S; this is needed to specify IKEv2 behavior.
Suggested solution: Say that the size of K sub S is the output size of the hash function ... no, this is not as obvious as it may appear: padding for convenience has to be disallowed.
Response: See EMC-28. Apply the resolution to this section.

EMC-43 | T | p. 42 | 5.6.1
Problem: Are both unique and shared verifier modes needed for FCPAP?
Suggested solution: Simplify by using one mode. Shared verifier results in a more scalable configuration.
Response: Accepted. Remove the unique verifier mode and keep only the shared verifier mode. Action to editor.
EMC-45 | T | p. 42 | 5.6.1
Problem: Explain computation of verifiers.
Suggested solution: The protocol computations don't make sense unless one knows how the verifiers are constructed. Explain how the verifier is constructed from the salt, name and password.
Response: Rejected. The computation is explained in the second paragraph of section 5.6.1.

Emulex-011 | T | p. 42 | 5.6.1
Problem: At the end of the second paragraph in 5.6.1, it is specified "The hash function and the DH group chosen to compute the verifier shall be those used during the Authentication transaction". This has side effects for bidirectional authentication that are not specified: For operation with unique verifiers, the computations of the verifiers used between entity A and entity B both must use the same hash function, generator, and modulus for bidi auth. For operation with shared verifiers, the computations of all verifiers must use the same hash function, generator, and modulus for bidi auth.
Suggested solution: Specify these constraints in the descriptions of unique and shared verifier operation; or else make the hash function, group generator, and group modulus all administratively configured, which removes the issue.
Response: Partially accepted. Only shared verifier mode survives. Clarify that the hash function, DH group and modulus are all administratively configured, and that the hash function and DH group are checked rather than negotiated. In a sense, they become a Fabric property. If two fabrics configured with different parameters try to merge, the merge will fail because the authentication fails with a reason code of "hash function not usable" or "dh group not usable". If a list is offered, this means that the initiator has a verifier for each of the offered possibilities. This avoids the "flag day": to change the hash or the DH group, first add the new verifiers, then remove the old ones. Action to the editor to flesh out all of this!!!

Emulex-012 | T | p. 42 | 5.6.1
Problem: In the description of shared verifier mode, it is claimed that a double SRP transaction is needed for bidirectional authentication. This is also true for unique verifiers, since in table 40 the verifiers (unique or shared) are not noted as secret.
Suggested solution: Remove the qualification for bidi auth from the description of shared verifier mode, and restate it in or near the first paragraph of 5.6.1.
Response: Add a sentence stating that unique verifiers are secret, while shared verifiers are public, in table 40.

McDATA-102 | T | p. 42 | FCPAP General
Problem: It appears it is important to know, for the protocol operations, which mode of operation is being used, yet I can't find a management interface that sets the mode policy. Define a management interface that supports the FCPAP mode setting and exchanges the policy between switches.
Response: Rejected. Only one mode survives. See EMC-43.

EMC-47 | T | p. 42 | Figure 7
Problem: Shared verifier mode initiator computation is wrong: v sub z = g ^ a sub z.
Suggested solution: v sub z = g ^ x sub z. This is correct in the text, step 3) B), but wrong in the figure.
Response: Accepted.
EMC-48 | T | p. 42 | Figure 7
Problem: Shared verifier mode responder computation is wrong: B sub y = v sub y + A sub z.
Suggested solution: Should be 3 * v sub y + A sub z.
Response: Accepted, this is what is stated in the text.

EMC-49 | T | p. 42 | Figure 7
Problem: Responder blinding calculation for B sub y is pointless, as 3 * v sub y is added to A sub z then immediately subtracted.
Suggested solution: Remove B sub y. Restate computation of S sub y as S sub y = (A sub z) ^ (a sub y + u x sub y). Alternatively, calculate B sub y = 3 * v sub y + A sub z at the Initiator and pass it to the responder, removing the B sub y calculation at the responder, and use B sub y instead of A sub z in the calculation of u at both initiator and responder.
Response: Rejected. The math is correct as is, but add a clarifying note to explain the notation.

McDATA-103 | T | p. 42 | paragraph below table
Problem: If FCPAP is supported, which mode shall be supported for interoperability? Add a statement about which mode is optional to support if supporting FCPAP.
Response: Overtaken by events. Only shared mode survives. See EMC-43.

Emulex-013 | T | p. 43 | 5.6.1
Problem: In the last paragraph on page 43, the value "n" is described: "a large prime number n is chosen ahead of time". This is insufficiently specific. Other definitions of n elsewhere are better, but this could be interpreted as a different n.
Suggested solution: In the last paragraph on page 43, change "a large prime number n is chosen ahead of time, and all additions, multiplications, and exponentiations are performed modulo n" to "all additions, multiplications, and exponentiations are performed modulo n, where n is the modulus of the selected Diffie-Hellman group".
Response: Partially accepted. Remove the offending paragraph.

Emulex-014 | T | p. 43 | 5.6.1
Problem: Figure 7 and the ordered list that follows distinguish between "unique" and "shared" modes. It seems to me that the distinction really is "unidirectional" versus "bidirectional". Regardless of unique/shared, the supposed unique path only authenticates the initiator, while the supposed shared path authenticates both.
Response: Rejected.
Emulex-015 | T | p. 43 | 5.6.1
Problem: There is a discrepancy between figure 7 and 5.6.1 list item 3 sublist item B on the second equation for the shared verifier mode computation for the authentication initiator. The list is correct. Given this, the equation is extraneous, since according to table 40 the verifiers are administratively configured and not secret.
Suggested solution: Remove the second equation for the authentication initiator for "shared verifier mode" from figure 7 and from 5.6.1 list item 3 sublist item B.
Response: Rejected. See EMC-47.

Emulex-016 | T | p. 43 | 5.6.1
Problem: In figure 7 (and the text that follows), it is shown that the FCPAP_Init message carries the authentication initiator's salt value. This is extraneous, since table 40 shows that it is administratively configured and not secret.
Suggested solution: Wherever necessary, remove the salt value from the FCPAP_Init message.
Response: Rejected.

Emulex-017 | T | p. 43 | 5.6.1
Problem: In figure 7 (and the text that follows), it is shown that the FCPAP_Accept message carries the authentication responder's salt value. This is extraneous, since table 40 shows that it is administratively configured and not secret. A simple flag would be sufficient to trigger shared verifier (or is it bidi auth?) mode.
Suggested solution: Wherever necessary, replace the salt value in the FCPAP_Accept message with either a shared verifier flag or a bidi authentication flag, whichever turns out to be correct.
Response: Rejected.

Emulex-018 | T | p. 43 | 5.6.1
Problem: The third equation for the authentication responder for "shared verifier mode" from figure 7 and from 5.6.1 list item 4 sublist item B is extraneous, since the verifier it computes is described in table 40 as administratively configured and not secret.
Suggested solution: Remove the third equation for the authentication responder for "shared verifier mode" from figure 7 and from 5.6.1 list item 4 sublist item B.
Response: Rejected.

EMC-46 | T | p. 44 | 5.6.1
Problem: No explanation of how to determine whether unique or shared verifier mode is in use.
Suggested solution: Add the missing explanation.
Response: See McDATA-102.
Emulex-020 | T | p. 44 | 5.6.1
Problem: Since the ordered list on page 44 is the primary specification of FCPAP, it should include the requirement that the Diffie-Hellman group parameters in the AUTH_Negotiate are those used to generate the verifier.
Suggested solution: In list item 1 on page 44, change "and the list of Diffie-Hellman Group Identifiers that may be used (see 5.4.2)." to "and the list of Diffie-Hellman Group Identifiers that may be used (see 5.4.2). The list of hash functions shall include only the hash function used to generate the verifier(s) used between the Authentication Initiator and the Authentication Responder. The list of Diffie-Hellman Group Identifiers shall contain only the Diffie-Hellman Group Identifier for the Diffie-Hellman Group whose parameters were used to generate the verifier(s) used between the Authentication Initiator and the Authentication Responder." In list item 2, delete "selected among the ones". In 5.6.2.2 and 5.6.2.3, correct the descriptions to require single-item lists that contain only the item relevant to verifier computation.
Response: Closed by Emulex-11.

EMC-51 | T | p. 46 | Table 44
Problem: Use the same hash identifiers throughout.
Suggested solution: FCPAP should not define its own hash identifiers. Refer to table 21 instead, but it's OK to disallow use of MD5 with FCPAP.
Response: Accepted. See EMC-34.

EMC-50 | T | p. 47 | 5.6.3
Problem: DH group reuse is too aggressive. SRP does not use the same generator when using the IKEv2 mod-p groups, for subtle cryptographic reasons.
Suggested solution: See Appendix A of RFC 3723, and David Black may have info about what generators to use for the smaller mod-p groups.
Response: Rejected. Reference to table 22 is correct. See EMC-23 for further operations on table 22, and possibly EMC-34.

McDATA-105 | T | p. 47 | SRP Salt Value
Problem: Add clarification that the SALT value should be a randomly selected number, and give guidance on the minimum length of the random number that shall be used.
Suggested solution: Specify that 16 bytes of random number shall be required, or other specifics.
Response: Accepted. Specify a 16-byte length for the salt, and at least 8 bytes for the password.
EMC-52 | T | p. 49 | 5.6.6
Problem: No length given for K sub S; this is needed to specify IKEv2 behavior.
Suggested solution: Say that the size of K sub S is the output size of the hash function ... no, this is not as obvious as it may appear: padding for convenience has to be disallowed.
Response: See EMC-28. Apply the resolution to this section.

Brocade-59 | T | p. 50 | 5.7.1
Problem: FC-SW is less than perfectly clear about the relationship between Fabric Controllers and Domain Controllers. I am told that the correct interpretation is that they are identical, but that there are two addresses for each Fabric Controller. One is the Fabric Controller Address, a well-known address for the adjacent fabric controller on a particular link. The other is the Domain Controller Address, a well-known address for the fabric controller having a different domain ID. As a result, the authentication statement in the overview is less than precise and may create some confusion.
Suggested solution: Change the first paragraph of 5.7.1 to read: "The AUTH_ILS SW_ILS shall be used to convey Authentication messages between Switches. The AUTH_ILS SW_ILS may be used for authentication of adjacent E_Ports by addressing the adjacent Fabric Controller directly, or for authenticating specific Fabric Controllers by using the Domain_Controller addresses of the Fabric Controllers." As a side effect, most places that use the term "E_Port" as the object of authentication should use a term like "E_Port Fabric Controller".
Response: Partially accepted. Change the first two sentences to "The AUTH_ILS SW_ILS shall be used to convey Authentication messages between Switches, via either the Fabric Controller Address Identifier (i.e., FFFFFDh to FFFFFDh) or the Domain Controller Address Identifier (i.e., FFFCxxh to FFFCxxh)." Rejected the use of "E_Port Fabric Controller".

EMC-53 | T | p. 50 | 5.7.1
Problem: No ordering of Domain Controller and E_Port AUTH_ILS activities.
Suggested solution: Say which one has to occur first, or whether either order is allowed.
Response: Add: "Note: The usage of the AUTH_ILS SW_ILS between Domain Controller Address Identifiers is not specified by this standard."

McDATA-106 | T | p. 50 | 5.7.1 first paragraph
Problem: Here's an example of where SW_ILS may be used for two different interfaces. If FC-SP is to clearly call out what the required interface to support is, then there should be a statement about it.
Suggested solution: E_Port to E_Port authentication shall be supported; Domain_Controller to Domain_Controller authentication is optional.
Response: See EMC-53.

CNT-57 | T | p. 50 | 5.7.1 p2,s3
Problem: "No more than one transaction of an Authentication protocol shall be in progress between two E_Ports or two Domain_Controllers at a time."
Suggested solution: "No more than one transaction of an Authentication protocol shall be in progress between two E_Ports or two Domain_Controllers at any time." (?)
Response: Accepted. Change to "No more than one Authentication protocol transaction shall be in progress between a pair of E_Ports, using the Fabric Controller Address Identifier, or a pair of Domain_Controller Address Identifiers, at any time."
CNT-58 | T | p. 50 | 5.7.1 p4,s2
Problem: "… numerically higher Name …" Which Name?
Suggested solution: Specify Switch_Name.
Response: Accepted in principle. Change "The Switch with the numerically higher Name" to "The Switch that sent the AUTH_Negotiate message with the numerically higher Name". The protocol is carefully specified to allow any Name to be used. In section 8 there is the need to clarify which name shall be used in which case. Maybe add a reference to section 8.

EMC-54 | T | p. 53 | 5.8.1
Problem: No ordering of B_AUTH_ILS and AUTH_ILS.
Suggested solution: Say which one has to occur first, or whether either order is allowed.
Response: Accepted. Add "If performed, a B_AUTH_ILS transaction shall precede an AUTH_ILS transaction over the same link."

CNT-62 | T | p. 55 | 5.9.1 p2,s3
Problem: "No more than one transaction of an Authentication protocol shall be in progress between two Nx_Ports or an Nx_Port and a Fx_Port at a time."
Suggested solution: "No more than one transaction of an Authentication protocol shall be in progress between two Nx_Ports or an Nx_Port and a Fx_Port at any time." (?)
Response: Accepted. Apply resolution of CNT-57.

McDATA-111 | T | p. 55 | last paragraph
Problem: The first sentence is misleading, since there are rules restricting which port can be an initiator/responder.
Suggested solution: Reword to something similar to the re-written authentication overview first sentence in 5.1.
Response: Rejected. Change "needed" to "appropriate (see 8)".

McDATA-110 | T | p. 55 | last sentence
Problem: Is this just an "Authentication Transaction"? If so, please use that "well-defined term". If not, I would appreciate more details on the distinction.
Response: Accepted. Change to "Authentication protocol transaction".

EMC-55 | T | p. 56 | 5.9.1
Problem: No ordering of Nx-Nx vs. Nx-Fx and Fx-Nx AUTH_ELSs.
Suggested solution: Say which one has to occur first, or whether either order is allowed.
Response: Accepted in concept. Add "Note: if performed, an Authentication transaction between an Nx_Port and an Fx_Port should be completed before any Nx_Port to Nx_Port Authentication transaction involving the same Nx_Port."

CNT-63 | T | p. 56 | 5.9.1 p4,s2
Problem: "… numerically higher Name …" Which Name?
Suggested solution: Specify N_Port_Name.
Response: Accepted in principle. Apply resolution of CNT-58.

McDATA-115 | T | p. 56 | last paragraph
Problem: Not sure what "bidirectional" means (or adds to the text) in this context. Is this an FC-FS term? (Yes, I can see in Figure 11 that there is a request Sequence, then a reply Sequence per Exchange, but this isn't a new or distinctive concept in FC.)
Suggested solution: Delete the word bidirectional, or define its importance in the security context in the Definitions section of the standard.
Response: Rejected. Bidirectional Exchange is an FC-FS term. Add a reference to FC-FS.
McDATA-116 | T | p. 56 | last sentence of second paragraph
Problem: Change 'abort' to 'terminate'; otherwise it could be interpreted as sending an ABTS.
Suggested solution: Make a global search and change the use of the word "abort" where appropriate.
Response: Rejected. If somebody wants to send an ABTS, it is not forbidden.

CNT-67 | T | p. 57 | 5.9.2 item b)
Problem: Is it really necessary to send AUTH_ELS to any WKA?
Suggested solution: Clarify.
Response: Rejected. It is allowed to send AUTH_ELS to a WKA, but not required. If authentication of a Fabric service is desired, this is the way to do it.

McDATA-119 | T | p. 57 | Addressing
Problem: Need to add that a well-known address of a fabric service could be the S_ID; see case 'b' for the D_ID. The S_ID and D_ID cases should be equivalent.
Response: Accepted. Editor to figure out wording.

McDATA-118 | T | p. 57 | b)
Problem: Add "Authentication of a Fabric Service is optional to support."
Response: Rejected. Everything is optional to support, unless explicitly defined as mandatory to support. Section 5.9.3 specifies what to do if not supported.

McDATA-120 | T | p. 58 | 5.9.4 AUTH_ELS Fragmentation
Problem: Clarify at the beginning of the section that FC-FS defines the Query Buffer Condition bit for the FLOGI/PLOGI and the RPBC ELS, which are used to support fragmentation. Further clarify that FC-FS defines the proper response if RPBC is not supported. Further state that if the RPBC is not supported, the AUTH_ELS fragmentation flag shall cause the AUTH_ELS to be rejected.
Suggested solution: Suggested wording is: "See FC-FS for a definition of the related xLOGI Query Buffer Condition bit and the RPBC ELS. Receivers of an AUTH_ELS that has the More Fragments flag bit or the Sequence Number flag set, when fragmentation is not supported, shall send an Auth Reject with a reject code of 0x01, 0x06."
Response: Open. Specify that in order to support AUTH_ELS, an Nx_Port with buffer limitation is REQUIRED to support the RPBC ELS and the xLOGI QBC bit and the AUTH_ELS fragmentation. If an Nx_Port with buffer condition limitations does not support the QBC bit or the RPBC or AUTH_ELS fragmentation, the AUTH_ELS shall be rejected with an LS_RJT "ELS not supported". In order to interoperate with limited devices, AUTH_ELS fragmentation SHALL be supported also by non-limited devices. Comment still open. Action to David and Bob Nixon to send a message on the reflector requesting feedback on limited ELS buffer sizes.

CNT-69 | T | p. 59 | 5.9.4 p4, s3
Problem: "The Sequence Number bit shall be initialized to zero in the first fragment of an Authentication message to be fragmented, and shall be incremented in each subsequent fragment of the same Authentication message." Since Sequence Number is 1 bit, it seems only two fragments can be sent?
Suggested solution: Clarify.
Response: Open. Possibly add: "Given that any fragment needs to be accepted with an LS_ACC before the following fragment may be sent, only one fragment may be in transit at any given time.", and change "incremented" to "alternated".
McDATA-123 | T | p. 59 | second paragraph
Problem: This was confusing until I saw the example in figure 13.
Suggested solution: Might want to clarify that the sequence number isn't a true numbering of the frames. It's simply an alternating flag used to interlock frames between the sender and receiver.
Response: See CNT-69.

EMC-58 | T | p. 62 | Table 54
Problem: Why is there a security bit per FC service class?
Suggested solution: Use a single bit to cover all classes in each case.
Response: Rejected. This is a single bit in the Common Service Parameters; the table simply expresses in which context it is valid, which is all classes (David, please study FC-FS! :-).

Emulex-021 | T | p. 63 | 5.10
Problem: Since unidirectional authentication is asymmetric, it may be necessary for an entity to force another entity to restart authentication, rather than restart authentication itself. It is very poorly documented (and lost to early implementers) that this may be triggered by AUTH_Reject (Logical Error, Protocol Reset) sent between a pair of entities that has completed authentication.
Suggested solution: In 5.10, append this to the first paragraph: "If two entities have completed authentication, one may request the other to become the initiator of reauthentication by sending an AUTH_Reject with any value for Transaction Identifier, Reason Code of Logical Error, and Reason Code Explanation of Protocol Reset."
Response: Identified the technical issue of re-authentication when unidirectional authentication is in place (CHAP specific). Action to Larry to prepare a proposal for how this may be done using a "trivial challenge". The proposed solution may be valid too. We need also to verify if the current description of the DH-CHAP protocol clearly defines the unidirectional case.

McDATA-134 | T | p. 63 | 5.10
Problem: Not complete.
Suggested solution: Add "Therefore, all implementations need to use tie-breaking rules in the event of two AUTH_Negotiate messages being attempted simultaneously. N-Ports can't rely on sending their AUTH_Negotiate first, as defined for after a FLOGI, for example."
Response: Accepted in principle. Add to 5.10 references to 5.7.1 and 5.9.1.

McDATA-127 | T | p. 63 | 5.11
Problem: We should allow an additional option to restart the protocol instead of re-sending the ELS, similar to option b) below for AUTH_TOV timeouts.
Response: Accepted.

McDATA-130 | T | p. 63 | 5.11
Problem: Change "shall" to "may" in both paragraphs. I don't think all implementations are going to support resending the message.
Suggested solution: State that receivers "shall" handle retries if sent, senders "may" send retries.
Response: Accepted in principle. Change to "should".

McDATA-133 | T | p. 63 | 5.11
Problem: Change shall to 'may' in the last sentence and add a clause that the protocol may also be restarted.
Suggested solution: Change this twice.
Response: Duplicated. See McDATA-127.
McDATA-129 | T | p. 63 | 5.10
Problem: Add "Therefore, all implementations need to use tie-breaking rules in the event of two AUTH_Negotiate messages being attempted simultaneously. N-Ports can't rely on sending their AUTH_Negotiate first, as defined for after a FLOGI, for example."
Response: Accepted in concept. Add: "The Authentication protocol shall proceed as described in 5.7, 5.8 or 5.9."

CNT-73 | T | p. 63 | 5.10 Note 8, s2
Problem: "However, in most cases the same protocol and parameters used for the first Authentication are used for re-authentication."
Suggested solution: "However, in most cases the same protocol and parameters used for the first Authentication should be used for re-authentication." (?)
Response: Rejected. The note expresses some possibilities, not a recommended behavior.

McDATA-135 | T | p. 63 | 5.9.5
Problem: First paragraph not complete.
Suggested solution: Add "F_Ports or Nx_Ports receiving a FLOGI or PLOGI request shall not send an AUTH_Negotiate following the receipt of an AUTH_Negotiate. However, should they do so (could be an attacker), the sender of the PLOGI or FLOGI should send an AUTH_Reject with an error".
Response: Rejected. Clear as described.

McDATA-128 | T | p. 63 | paragraph below table 56
Problem: Add "F_Ports or Nx_Ports receiving a FLOGI or PLOGI request shall not send an AUTH_Negotiate following the receipt of an AUTH_Negotiate. However, should they do so (could be an attacker), the sender of the PLOGI or FLOGI should send an AUTH_Reject with an error".
Response: See McDATA-135.

McDATA-131 | E | p. 63
Problem: Change 'In which case' to 'In this case'.
Response: Accepted.

McDATA-132 | T | p. 63
Problem: Change 'but the Requesting Nx_Port does not' to 'but the Requesting Nx_Port is not capable of Authentication'. The security bit in the FLOGI or PLOGI doesn't mean the requesting Nx_Port requires authentication, but that it is capable of it.
Response: Accepted. Change to: "is not capable to perform Authentication,".

McDATA-136 | T | p. 65 | 6 General
Problem: IKEv2 is not yet an RFC. How can FC-SP port a draft?
Response: IKEv2 rev. 17 has been approved by IESG. Action to Fabio to verify the FC-SP content against rev. 17.
McDATA-138 | T | p. 65 | 6 General
Problem: General comment. State the purpose of using IKE clearly in the beginning. Also state whether to follow IKEv2 development till it becomes a standard. See next two comments.
Suggested solution: Clearly answer the question as to whether IKE is just used as a design base to save time, or if the purpose is to port IKE to FC. Also state whether to follow IKEv2 development until it becomes a standard.
Response: Rejected. The second paragraph explains the intent: port the subset of IKEv2 required for FC.

McDATA-139 | T | p. 65 | 6 General
Problem: It's not clear how to process frames which need protection. The part equivalent to RFC 2401 is missing.
Suggested solution: Add a part that is equivalent to RFC 2401.
Response: Rejected. This work has been done in FC-FS. FC-SP Section 4.7 has explanations.

McDATA-141 | T | p. 65 | 6 General
Problem: Preferable in comparison to the last comment: if the intent is NOT just to use IKE as a design base to save time (see last comment), and if the purpose is to port IKE to FC, remove texts copied from IKEv2 and only explain terminology/concept mapping and those things different from the IKE must-do lists. The ported protocol should be referred to as FC-IKE or another name for clarification. The protocol can't be called IKEv2 unless it implements all the must-do items.
Suggested solution: Clarify whether all IKE RFCs apply, not just IKEv2. Use more references where practical. Highlight deviations from must-do lists in the RFC. Change the name of the ported protocol since it isn't exactly the same.
Response: Rejected. The only relevant RFC is IKEv2. References are used where practical. Deviations are highlighted. Changing the name would be confusing.

McDATA-142 | T | p. 65 | 6 General
Problem: Add terminology from this section, like Child_SA, to Definitions clause 3.2.
Response: Accepted. Action to Fabio to do it.

McDATA-147 | T | p. 65 | 6.1.1
Problem: This needs a high-level view of the important relationships between IKE_SA and Child_SA and other data objects.
Suggested solution: Add overview.
Response: Add forward references and definitions for IKE_SA and Child_SA. See McDATA-142.

McDATA-143 | T | p. 65 | 6.1.1 First sentence of second paragraph
Problem: Can't be called a subset if things like message format are changed.
Suggested solution: Delete reference to "subset".
Response: Partially accepted. Change to: "is based on a subset of the IKEv2 protocol suitable for Fibre Channel."

McDATA-148 | T | p. 65 | 6.1.1 third paragraph
Problem: Clarify what "unique" means to the standard. Is it illegal to use the same transaction ID that was previously used during authentication? Does the value have to be checked by implementations for uniqueness?
Suggested solution: "unique" s/b "independent and unique from the authentication transaction".
Response: Remove the word unique.

McDATA-149 | T | p. 65 | 6.1.1 third paragraph
Problem: Definitions are incomplete.
Suggested solution: Add terminology from this section, like Child_SA, to Definitions clause 3.2.
Response: See McDATA-142.

McDATA-150 | T | p. 65 | 6.1.1 third paragraph
Problem: A reference would be helpful.
Suggested solution: Refer to Table 58, which defines the variable notation.
Response: Rejected. Already explained in the immediately following text.
McDATA-151 T 65 Figure 15 E payloads are also not shown in figure 15. Either add to figure or add Rejected. Encrypted payloads are shown
sentence to that affect. with the notation SK {…}, as explained in
the text in section 6.1.2. Add the SK{…}
notation to the conventions section.
McDATA-156 T 66 last sentence Don't know whether it's intended to differ Note deviations from IKEv2 or fix. Accepted. Reworded the sentence as:
from IKEv2. In IKEv2, NOTIFY may appear The Notify, Delete, and Vendor_ID
in a response of an INFORMATION payloads are not shown in figure 15. See
exchange, which is after INIT & AUTH. 6.6.2, 6.6.3, and 6.6.4, respectively, for
DELETE only appears in INFORMATION how they are used.
exchange. Only VENDOR_ID can appear in
any message.
McDATA-157 T 66 Table 58 Everything in the left column of table 58 Payload type REKEY_SA is See McDATA-142.
should be added to the Definitions clause. missing from table.
McDATA-154 T 66 Table 58 replace "selected by SA_initiator" with Accepted.
Description "proposed by SA_initiator"
column for
Sa I.
McDATA-159 T 67 6.1.2 first Indicate if there is an order required for the Yes, it works as in AUTH_Negotiate, and
para items supported. (i.e. Does it work like it is specified in section 6.3.2.1. Add a
AUTH_Negotiate, in first ones in list are reference to that section.
preferred?)
McDATA-160 T 67 6.1.2 second v3 is not in the reference list. Just X.509. Clarify the referrence to match the Accepted. Add X.509v3 in front of the
paragraph Are they the same? exact notation used in Reference reference.
section.
CNT-82 T 68 6.1.5 p1,s2 IKE_Informational exchanges may only Clarify Accepted. Change "may only" to "shall
occur after the initial exchanges and are only".
cryptographically protected with the
negotiated keys.
Does this IKE_Informational exchanges
shall only occur after the initial exchanges
and are cryptographically protected with the
negotiated keys?
Brocade-65 T 69 6.1.5 "In that case, the responses shall not Make recommended change Accepted.
include Delete Payloads for the deleted SAs,
resulting in a duplicate deletion that may
delete the wrong SA." is a somewhat
strange statement. I believe "resulting in"
should be "thus avoiding".
McDATA-161 T 69 Figure 16 Shouldn't T_IDs be the same for request & Clarify. Yes, they have to be the same. Change
response? P to Q.
Page 25 of 169
FC-SP Revision 1.6 Comments
01/17/2005 (05-030v0)
Company-# Techn Physical Section/table/ Problem Description Suggested solution Response Status Edit Status
ical Page figure locator
/Edito
rial
McDATA-164 | T | p. 69 | First sentence of second to last paragraph
  Problem: What does "connection" mean in this context? Is it synonymous with SA?
  Suggested solution: Add "(i.e. SA)" after the word connection.
  Response: Accepted in principle. A connection is not an SA, it is a pair of SAs. Add: (i.e., with one SA open and the other one closed). Consider defining "connection" as a term in the glossary.

McDATA-162 | T | p. 69 | Paragraph below figure 16
  Problem: Vendor_ID may appear in any message in IKEv2. Putting it here implies it can only appear in INFORMATION. Make it clear where each payload can appear.
  Suggested solution: Clarify.
  Response: This is specified in the Vendor ID definition section, 6.6.4. Add the optional vendor_ID payload to all payload definitions.

McDATA-163 | T | p. 69 | Paragraph below note 10
  Problem: "SPI" has not been defined in this document.
  Suggested solution: Define SPI and add reference.
  Response: Accepted. Maybe add something to section 4.7.

McDATA-166 | T | p. 70 | 6.2.1
  Problem: Clarify which interfaces these apply to and which interfaces are optional to support.
  Suggested solution: Change "between ..." to "between entities".
  Response: Accepted in concept: change to "between Nx_Ports, between Nx_Ports and Fx_Ports, and between Switches".

McDATA-167 | T | p. 70 | Initiator's SPI
  Problem: State any requirements for selection of a unique SPI. For example, can the SPI just be a simple increment from the last SPI used? What are the uniqueness requirements for interoperability?
  Response: There are no requirements.

McDATA-165 | T | p. 70 | Table 59
  Problem: Change "reserved" to "exchange type" to be compatible with IKEv2. Guess it's removed since it already appears in the AUTH message? It's important to keep the message format the same to claim compatibility. Same for the "Length" which is supposed to follow "message ID" but it's removed here.
  Suggested solution: Note deviations from IKEv2 or fix.
  Response: We are preserving the semantics and most of the syntax, not all syntax. We do not intend to interoperate with an IP IKEv2 implementation. This is made clear by the resolution of McDATA-143.

McDATA-170 | T | p. 71 | 6.2.3
  Problem: Is there an order to this madness?
  Suggested solution: State if there is an order in which payload types must appear.
  Response: Rejected. There is an order, and it is defined for each IKE message.

McDATA-172 | T | p. 73 | 6.2.4
  Problem: Isn't this subject to the DOS attack as described in 6.8.17?
  Suggested solution: Acknowledge the risk in a note or address it.
  Response: Add a reference to 5.3.4.

McDATA-173 | T | p. 73 | 6.3 General
  Problem: Exchange in IKEv2 is replaced by protocol, message, transaction & exchange in this document. Protocol & message don't describe it correctly. If exchange can't be used, choose the right word and make it consistent throughout the document, especially in those texts copied from IKEv2. In IKEv2 exchange means: All IKE communications consist of pairs of messages: a request and a response. The pair is called an "exchange".
  Suggested solution: How about using IKE_exchange or i-exchange instead? And add the IKEv2 definition for "exchange" to the new term used here.
  Response: Open. Action to me to look at the usage of the terms.

McDATA-175 | T | p. 73 | 6.3.1, first sentence
  Problem: Remove the word "initial".
  Response: Accepted.

McDATA-177 | T | p. 74 | 6.3.2.1
  Problem: What is a proposal?
  Suggested solution: Add "Proposal" to the Definitions section and provide a definition for it.
  Response: Accepted. See McDATA-142.

McDATA-178 | T | p. 74 | Note 12
  Problem: What protocols does this support?
  Suggested solution: Add the words "(i.e. CT or ESP protocols)" to Note 12 or refer to the table that specifies the protocols supported, OR delete it if NOTE 13 is duplicate information.
  Response: Accepted. Delete note 12.

McDATA-176 | T | p. 74 | Table 64, last row
  Problem: Change to: Optional Certificate Request Payload for SA_Responder.
  Response: Accepted. Add "(possibly included only by the SA_Responder)" to the table.

EMC-60 | T | p. 75 | 6.3.2.1
  Problem: Text requires omission of optional integrity algorithm: "If the integrity protection algorithm is optional for that protocol, the integrity protection algorithm shall not be proposed. If the integrity protection algorithm is mandatory for that protocol a NONE integrity protection algorithm shall be proposed."
  Suggested solution: Rephrase text to include the condition that integrity protection is optional AND the proposer does not wish to use integrity protection. This whole area is dangerous, as encryption without integrity is in general a "should not" (i.e., strongly discouraged), and a warning to that effect needs to be added, phrased carefully to avoid excluding combined encryption/integrity algorithms.
  Response: Rephrased to: ", and: a) if the integrity protection algorithm is optional for the security Protocol being negotiated, the integrity protection algorithm shall not be proposed; or b) if the integrity protection algorithm is mandatory for the security Protocol being negotiated, a NONE integrity protection algorithm shall be proposed."

McDATA-180 | T | p. 75 | First paragraph
  Problem: Do IKE protocol proposals go in the same payload?
  Suggested solution: A picture of this payload would be helpful, showing how "Proposals" conceptually fit in the payload.
  Response: Already present in table 65. Table 66 then defines the structure of the payload.

McDATA-179 | T | p. 75 | Last sentence above Note 14
  Problem: Conflicts with IKEv2. Change to: is not mandatory…
  Response: See EMC-60.

McDATA-181 | T | p. 75 | Note 13
  Problem: This note needs help.
  Suggested solution: Reword to convey what NOTE 12 is trying to say.
  Response: Done! See McDATA-178.

McDATA-184 | T | p. 75 | Note 14
  Problem: Is this note correct?
  Suggested solution: Why would something that can be used always be omitted? Clarify NOTE 14.
  Response: Accepted. Reworded as: "In IPsec, integrity is optional for the ESP security Protocol. Therefore for combined encryption and integrity algorithms, the integrity protection algorithm is not included in the proposal in IKEv2. In Fibre Channel, integrity is mandatory for the ESP_Header security Protocol. Therefore for combined encryption and integrity algorithms, a NONE integrity protection algorithm is included in the proposal in the SA management protocol."

McDATA-182 | T | p. 75 | Second paragraph
  Problem: The example proposals show only two protocol types. Is a third, IKE, proposal typically required?
  Suggested solution: Show an IKE proposal example.
  Response: Rejected. The examples show only one protocol, ESP_Header. They are enough.

McDATA-183 | T | p. 75 | Second paragraph
  Problem: Where does one look for what is optional for that protocol?
  Suggested solution: Add references to the appropriate clauses.
  Response: See EMC-60.

McDATA-185 | T | p. 76 | Table 66 reference
  Problem: Where is it?
  Suggested solution: Correct reference is table 65.
  Response: Accepted.

Cisco-03 | T | p. 77 | 6.3.2.1
  Problem: TBD: Security Protocol_ID for ESP_Header.
  Suggested solution: Get value assigned by IANA via Internet-Draft submission.
  Response: In progress via an I-D submission. Please bug David Black! :-)

Cisco-04 | T | p. 77 | 6.3.2.1
  Problem: TBD: Security Protocol_ID for CT_Authentication.
  Suggested solution: Get value assigned by IANA via Internet-Draft submission.
  Response: In progress via an I-D submission. Please bug David Black! :-)

Emulex-022 | T | p. 77 | 6.3.2.1
  Problem: What is the plan for resolving the TBDs in table 67?
  Response: See Cisco-03 and 04.

McDATA-186 | T | p. 77 | Proposal Length
  Problem: What are the units?
  Suggested solution: Add "in bytes".
  Response: Accepted.

CNT-95 | T | p. 77 | Table 67
  Problem: TBDs in table.
  Suggested solution: Fix.
  Response: See Cisco-03 and 04.

EMC-61 | T | p. 77 | Table 67 and others
  Problem: TBD values in tables.
  Suggested solution: Need to get values allocated from IETF/IANA.
  Response: See Cisco-03 and 04.

McDATA-190 | T | p. 78 | SPI
  Problem: What values are legal? Is an SPI of zero legal?
  Suggested solution: Specify legal values for an SPI.
  Response: Range 0-255 reserved. Everything else usable.

McDATA-191 | T | p. 78 | Table 68
  Problem: Since today there is only one Transform Attribute Type defined there can be only one attribute. However, doesn't this need a "number of attributes" field either in Table 68 or Table 75? Does this work?
  Suggested solution: Specify how one knows how many attributes appear in the Optional Transform Attributes Definition.
  Response: It works! Table 68 has a transform length field that defines the total length of the transform, while the transform attribute data structure is a concatenation of TLVs.

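The McDATA-191 resolution relies on the receiver deriving the attribute count from the Transform Length rather than from an explicit counter, which is exactly where a careless parser reads past the end of the transform. The following Python is an added illustration written for this page, not code from the FC-SP draft: it assumes the Transform substructure and attribute layout of IKEv2 (RFC 7296 sections 3.3.2 and 3.3.5, the format the SA management protocol is adapted from; Table 68 may differ), with the one attribute type IKEv2 defines (Key Length, 14), and rejects any length field that overruns the enclosing structure.

```python
"""Walk the Optional Transform Attributes of a Transform substructure,
bounded by the Transform Length field (added example; IKEv2 layout assumed,
not the FC-SP Table 68 layout)."""

import struct

ATTR_KEY_LENGTH = 14      # the single attribute type IKEv2 defines (assumed here)
AF_BIT = 0x8000           # Attribute Format bit: 1 = TV (2-byte value), 0 = TLV
TRANSFORM_HDR = 8         # Last Substruc, RESERVED, Length, Type, RESERVED, ID


class MalformedTransform(ValueError):
    """Raised when a declared length does not fit its enclosing structure."""


def parse_transform(buf, offset=0):
    """Parse one Transform substructure at buf[offset]; return (dict, next_offset).

    The attribute count is not transmitted: attributes are consumed until the
    Transform Length is exhausted, and every attribute is checked against that
    bound so a crafted length cannot read beyond the transform or the buffer."""
    if len(buf) - offset < TRANSFORM_HDR:
        raise MalformedTransform("truncated transform header")
    last, _r1, length, ttype, _r2, tid = struct.unpack_from(">BBHBBH", buf, offset)
    if length < TRANSFORM_HDR or offset + length > len(buf):
        raise MalformedTransform(f"transform length {length} exceeds buffer")
    end = offset + length
    pos = offset + TRANSFORM_HDR
    attrs = []
    while pos < end:
        if end - pos < 4:
            raise MalformedTransform("truncated attribute header")
        af_type, second = struct.unpack_from(">HH", buf, pos)
        atype = af_type & 0x7FFF
        if af_type & AF_BIT:                  # TV form: second word is the value
            attrs.append((atype, second))
            pos += 4
        else:                                 # TLV form: second word is a length
            if pos + 4 + second > end:
                raise MalformedTransform("attribute value overruns transform")
            attrs.append((atype, bytes(buf[pos + 4:pos + 4 + second])))
            pos += 4 + second
    # Last Substruc is 0 for the final transform of a proposal, 3 otherwise
    return {"last": last == 0, "type": ttype, "id": tid, "attributes": attrs}, end


def build_transform(ttype, tid, attrs=(), last=True):
    """Encode a Transform substructure; int values use TV form, bytes use TLV."""
    body = b""
    for atype, value in attrs:
        if isinstance(value, int):
            body += struct.pack(">HH", AF_BIT | atype, value)
        else:
            body += struct.pack(">HH", atype, len(value)) + bytes(value)
    return struct.pack(">BBHBBH", 0 if last else 3, 0, TRANSFORM_HDR + len(body),
                       ttype, 0, tid) + body


def parse_transforms(buf):
    """Parse a chain of Transform substructures up to the one flagged as last."""
    out, off = [], 0
    while True:
        t, off = parse_transform(buf, off)
        out.append(t)
        if t["last"]:
            return out
        if off >= len(buf):
            raise MalformedTransform("chain continues past end of buffer")


# Constructed sample: an ENCR transform (type 1) carrying a Key Length
# attribute, followed by an INTEG transform (type 3); the numeric IDs are
# placeholders, since the page leaves the FC-SP values TBD.
SAMPLE_CHAIN = build_transform(1, 12, [(ATTR_KEY_LENGTH, 128)], last=False) + \
               build_transform(3, 2, [], last=True)
```

Feeding `SAMPLE_CHAIN` to `parse_transforms` yields two transforms, the first with a single (14, 128) attribute; the same bytes with the Transform Length field bumped above the buffer size raise `MalformedTransform` instead of being read off the end.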
EMC-64 | T | p. 79 | Note 17
  Problem: The encryption-without-integrity example needs a "should not" warning.
  Suggested solution: As a functional example it could be ok, but add the warning.
  Response: Accepted. Add: "The usage of encryption only, with no integrity protection, is not recommended."

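The EMC-60 rephrasing, the reworded Note 14 (McDATA-184) and the EMC-64 warning together define how a proposer decides whether to send an integrity transform and what a responder should reject. The Python below is an added example for those three resolutions, not code from the FC-SP draft: the proposal data structure, the `IPSEC_ESP` contrast entry (IKEv2's optional-integrity case) and the treatment of AES-GCM as the only combined mode (as proposed in Cisco-07) are assumptions made for illustration, and the transform IDs are names from the page, not assigned values.

```python
"""Proposal construction and responder-side validation under the EMC-60 /
McDATA-184 rules, with the EMC-64 warning (added example, not FC-SP code)."""

from dataclasses import dataclass, field

# Is an integrity algorithm mandatory for the Protocol being negotiated?
# ESP_Header and CT_Authentication: yes (Table 69 / Table 74, as the responses
# state).  IPSEC_ESP is the IKEv2/IPsec contrast from the reworded Note 14.
INTEGRITY_MANDATORY = {
    "ESP_Header": True,
    "CT_Authentication": True,
    "IPSEC_ESP": False,          # assumption: included only for contrast
}

# Combined encryption+integrity modes.  Assumption: every other ENCR transform
# ID is an encryption-only cipher.
COMBINED_MODE_CIPHERS = {"ENCR_AES_GCM"}


@dataclass
class Proposal:
    protocol: str
    transforms: list = field(default_factory=list)   # (transform type, transform ID)
    warnings: list = field(default_factory=list)


def build_proposal(protocol, encr_id, integ_id=None):
    """Transform list a proposer sends for one Protocol.

    a) integrity optional and a combined cipher: no INTEG transform at all
       (IKEv2 behaviour for IPsec ESP);
    b) integrity mandatory and a combined cipher: INTEG NONE is proposed
       (FC-SP behaviour for ESP_Header).
    A non-combined cipher carries the chosen INTEG algorithm; encryption only
    is refused where integrity is mandatory and flagged where it is optional."""
    mandatory = INTEGRITY_MANDATORY[protocol]
    prop = Proposal(protocol, [("ENCR", encr_id)])
    if encr_id in COMBINED_MODE_CIPHERS:
        if mandatory:
            prop.transforms.append(("INTEG", "AUTH_NONE"))   # rule b)
        # rule a): nothing appended
    elif integ_id not in (None, "AUTH_NONE"):
        prop.transforms.append(("INTEG", integ_id))
    elif mandatory:
        raise ValueError(f"{protocol}: integrity is mandatory, pick an INTEG algorithm")
    else:
        prop.warnings.append("encryption only, no integrity protection: not recommended")
    return prop


def validate_proposal(prop):
    """Responder-side check of a received proposal: (accepted, reason)."""
    mandatory = INTEGRITY_MANDATORY.get(prop.protocol)
    if mandatory is None:
        return False, f"unknown Protocol {prop.protocol}"
    encr = [tid for ttype, tid in prop.transforms if ttype == "ENCR"]
    integ = [tid for ttype, tid in prop.transforms if ttype == "INTEG"]
    if len(encr) != 1:
        return False, "exactly one ENCR transform expected"
    combined = encr[0] in COMBINED_MODE_CIPHERS
    if mandatory:
        if not integ:
            return False, f"{prop.protocol}: INTEG transform missing, integrity is mandatory"
        if integ[0] == "AUTH_NONE" and not combined:
            # NONE only stands in for the integrity a combined mode already provides
            return False, f"{prop.protocol}: INTEG NONE with a non-combined cipher leaves traffic unauthenticated"
        return True, "ok"
    if combined and integ:
        return False, "combined cipher must not carry an INTEG transform where integrity is optional"
    if not combined and (not integ or integ[0] == "AUTH_NONE"):
        return True, "accepted, but encryption only with no integrity protection is not recommended"
    return True, "ok"
```

The second rejection in `validate_proposal` is the case EMC-60 calls dangerous: a proposer that reads "a NONE integrity protection algorithm shall be proposed" too literally and pairs NONE with AES-CBC ends up negotiating unauthenticated ciphertext on a Protocol where integrity is mandatory.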
McDATA-192 | T | p. 79 | Table 69, value 3, "Used In" cell
  Problem: Inconsistent with IKEv2.
  Suggested solution: Either add "optional" here or remove "optional" in the 1st row.
  Response: Rejected. This table specifies the Fibre Channel security protocols, which are different from the IPsec security protocols. Here integrity is mandatory.

EMC-63 | T | p. 79 | Table 70
  Problem: Only AES encryption is allowed. While exclusion of vanity crypto is a good idea, this goes too far; there should be at least two ciphers just in case a catastrophic problem is ever discovered in one.
  Suggested solution: Add another algorithm, e.g., 3DES.
  Response: Accepted. See Cisco-07.

Emulex-023 | T | p. 80 | 6.3.2.1
  Problem: What is the plan for resolving the TBDs in table 72?
  Response: In progress via an I-D submission. Please bug David Black! :-)

Emulex-024 | T | p. 80 | 6.3.2.1
  Problem: In table 72 footnote b, AUTH_HMAC_SHA1_128 should be AUTH_HMAC_SHA1_160. See FC-GS-4 table 15.
  Suggested solution: In table 72 footnote b, change AUTH_HMAC_SHA1_128 to AUTH_HMAC_SHA1_160.
  Response: Accepted.

McDATA-193 | T | p. 80 | Table 72
  Problem: Integrity of NONE should be optional to support.
  Response: This is not specified here, but in section 6.3.2.2. Still TBD.

McDATA-194 | T | p. 80 | Table 72
  Problem: Resolve all TBDs.
  Response: See Emulex-023.

McDATA-195 | T | p. 80 | Table 72, Note b
  Problem: This conflicts with the 6.3.2.2 required transforms for CT_Authentication. Whatever is chosen needs to be compatible with the FC-GS specification's usage of SHA1.
  Suggested solution: Suggest adding a new transform for CT_Authentication that matches exactly the FC-GS definition (refer to it).
  Response: Rejected. Instead correct the typo in note b.

McDATA-196 | T | p. 80 | Table 73
  Problem: Since we've ported so much already from the IKE RFC, why wouldn't we port the appendix B info also?
  Suggested solution: Add values from Appendix B of the IKEv2 draft.
  Response: Copy here the information most commonly used, refer to other documents for what looks more like an "extension". For the IKEv2-specific groups, complete table 73 by copying here the DH groups we want.

McDATA-197 | T | p. 80 | Table 73
  Problem: The DH values in RFC 3526 are different than those used for DH Groups (from RFC 3723) in the authentication section's table. 3 groups overlap.
  Suggested solution: Determine if the same values can be used for DH Groups in both areas of this standard. This would make it easier for implementers supporting both FC-SP authentication and FC IKE. However, there is merit in having IKE use the same in FC and IP. Having to go read another RFC should not be necessary in this case. Add a DH Group table in this standard for the IKE section, or reference the DH group table in the authentication section and add the other DH group values there so it can be more apparent what to use.
  Response: We already agreed to keep the DH identifiers for DH-CHAP, FCAP and FCPAP separate from the identifiers for IKE. See EMC-23.

Cisco-07 | T | p. 81 | 6.3.2.2
  Problem: TBD: need to define mandatory encryption algorithms for the ESP_Header protocol.
  Suggested solution: Mandate AES-GCM, as specified in draft-ietf-ipsec-ciph-aes-gcm-00.txt.
  Response: Leaning to accept, in the light of: IEEE EtherSec has chosen GCM as a mandatory algorithm; the IESG has approved the GCM draft as an RFC. Wait for IANA to assign an identifier. Make GCM a MUST implement; make 3DES-CBC (a non-AES-based algorithm) a SHOULD implement.

Cisco-08 | T | p. 81 | 6.3.2.2
  Problem: TBD: need to define mandatory integrity algorithms for the ESP_Header protocol.
  Suggested solution: Mandate GMAC, as specified in http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf
  Response: Leaning to accept. EtherSec has chosen GMAC as a mandatory integrity algorithm. Action to Fabio to check with McGrew if a new Internet-Draft would be a suitable way to define GMAC in the IETF. Make GMAC a MUST implement; make HMAC_SHA1 a SHOULD implement.

CNT-98 | T | p. 81 | 6.3.2.2
  Problem: TBDs in lists.
  Suggested solution: Fix.
  Response: See Cisco-07 and 08.

EMC-66 | T | p. 81 | 6.3.2.2
  Problem: TBD mandatory transforms.
  Suggested solution: For simplicity require AES_CBC and HMAC_SHA1 across the board. Could add recommendations for others.
  Response: See Cisco-07 and 08.

Emulex-025 | T | p. 81 | 6.3.2.2
  Problem: What is the plan for resolving the TBDs in the second unordered list in 6.3.2.2?
  Response: See Cisco-07 and 08.

McDATA-200 | T | p. 81 | a)
  Problem: Change the mandatory IKE encryption algorithm. FC-SP does not offer a solution for encryption/authentication at high speed. Why do we want to make something mandatory that is known to not work with high-speed applications? Also, what is the status of NIST's activities and doc 04-245v2?
  Suggested solution: Make the ENCR_NULL encryption transform mandatory to implement until one is available that works at all speeds.
  Response: Rejected. This part is for the transforms used only by IKE, not by ESP_Header.

McDATA-201 | T | p. 81 | c)
  Problem: Wouldn't HMAC_SHA1_160 be a better choice?
  Suggested solution: Change to SHA1_160.
  Response: Rejected. See McDATA-200.

McDATA-202 | T | p. 81 | d)
  Problem: This seems inconsistent with other parts of the standard that require support for DH group 1536.
  Suggested solution: Change all DH mandatory group usage to the same group.
  Response: Rejected. See McDATA-200.

McDATA-206 | T | p. 81 | Last paragraph
  Problem: Make this an informational note, as it is implementation dependent and only suggestions.
  Response: Accepted.

McDATA-203 | T | p. 81 | Second a)
  Problem: TBD?
  Suggested solution: When this TBD is resolved it should be the mandatory-to-support for IKE a) above.
  Response: See Cisco-07 and 08.

McDATA-204 | T | p. 81 | Second b)
  Problem: TBD?
  Suggested solution: Please determine.
  Response: See Cisco-07 and 08.

EMC-65 | T | p. 81 | Table 74
  Problem: Integrity is mandatory for all protocols in this table, but text such as Note 14 and Note 16 says it's optional.
  Suggested solution: Make the text consistent. I think the confusion is between optional to propose and optional to use.
  Response: Accepted in principle. Part of action item 171.

McDATA-198 | T | p. 81 | Table 74, ESP_Header Integrity Mandatory Types
  Problem: Integrity is optional in ESP.
  Suggested solution: Make integrity optional to be consistent with IP. OR add a note as to why FC is deviating from IP optional integrity.
  Response: Rejected. ESP_Header, as defined in FC-FS, is different from IP ESP: the integrity field is always present. As part of the IKE negotiation this may be revised per action item 171.

McDATA-205 | T | p. 81 | Third b)
  Problem: Conflicts with other parts of this standard that say AUTH_HMAC_SHA1_128. The mandatory algorithm should be what is defined in FC-GS.
  Response: Accepted in principle. Corrected the typo in table 72.

McDATA-208 | T | p. 82 | Second paragraph
  Problem: FC-SP should define a standard/interoperable way to set the IKE, ESP, and CT suite controls in clause 7.
  Suggested solution: Define or add a reference to the FC-SP clause.
  Response: The paragraph does not require a management interface, but puts requirements on how implementations should be done in order to be extensible. Defer any management interface definition to FC-SP-2.

Emulex-026 | T | p. 83 | 6.3.2.4
  Problem: What is the plan for resolving the TBDs in item e of the unordered list in 6.3.2.4?
  Response: In progress via an I-D submission. Please bug David Black! :-)

CNT-100 | T | p. 83 | 6.3.2.4, item e)
  Problem: TBDs.
  Suggested solution: Fix.
  Response: See Emulex-026.

McDATA-212 | T | p. 84 | DH Group Number (Table)
  Problem: Add a reference to where the value is defined.
  Response: Accepted. Add a reference to table 73.

Cisco-09 | T | p. 87 | 6.4.3
  Problem: TBD: ID_Type for FC Name_Identifier, Tables 82 and 83.
  Suggested solution: Get value assigned by IANA via Internet-Draft submission.
  Response: In progress via an I-D submission. Please bug David Black! :-)

Emulex-027 | T | p. 87 | 6.4.3
  Problem: What is the plan for resolving the TBD in the specification of ID_Type in 6.4.3?
  Response: See Cisco-09.

Emulex-028 | T | p. 87 | 6.4.3
  Problem: What is the plan for resolving the TBD in table 83?
  Response: See Cisco-09.

CNT-109 | T | p. 87 | 6.4.3, ID_Type, s2
  Problem: "This field shall be set to the value TBD that represent the ID_Type Name_Identifier."
  Suggested solution: "This field shall be set to the value TBD that represents the ID_Type Name_Identifier." (TBD needs to be fixed also.)
  Response: Accepted the editorial correction. See Cisco-09 for the TBD.

McDATA-214 | T | p. 87 | Pad Length
  Problem: Add "in bytes".
  Suggested solution: Do a global search on all length fields and specify units of measure.
  Response: Accepted. Editor to do it.

McDATA-213 | T | p. 87 | Padding
  Problem: What determines the encryption block size?
  Suggested solution: Clarify.
  Response: The encryption algorithm specification determines the block size.

ENDL-014 | T | p. 88 | 6.1.5 IKE_Informational Protocol Overview, p 1, s 2
  Problem: "may only occur"
  Suggested solution: "shall occur only"
  Response: Accepted. See CNT-82.

ENDL-015 | T | p. 88 | 6.1.5 IKE_Informational Protocol Overview, p 1, s 2
  Problem: "are"
  Suggested solution: "shall be"
  Response: Accepted.

Emulex-029 | T | p. 88 | 6.4.4
  Problem: The description of the RSA digital signature in table 85 references 6.8.13, which references the Auth_Method field, which is table 85.
  Suggested solution: Need to provide a reference document for RSA digital signature.
  Response: Add a reference to PKCS#1 in the reference section: Kaliski, B., and J. Staddon, "PKCS #1: RSA Cryptography Specifications Version 2", September 1998, http://www.rsasecurity.com/rsalabs/

McDATA-215 | T | p. 88 | Table 85
  Problem: Add a specific reference for where to find PKCS#1 and other PKCS# definitions used in this standard.
  Response: Accepted. See Emulex-029.

Cisco-10 | T | p. 89 | 6.4.5
  Problem: TBD: TS Type for FC_Address_Range.
  Suggested solution: Get value assigned by IANA via Internet-Draft submission.
  Response: In progress via an I-D submission. Please bug David Black! :-)

Emulex-030 | T | p. 89 | 6.4.5
  Problem: What is the plan for resolving the TBD in the specification of TS Type in 6.4.5?
  Response: See Cisco-10.

Emulex-031 | T | p. 89 | 6.4.5
  Problem: In the second "real" paragraph on page 89, it is claimed that a traffic selector for CT may unambiguously select a server by specification of D_ID and GS_Subtype, without specifying the GS_Type. This is not true since CT traffic is permitted between Nx_Ports that are not Well-known addresses.
  Suggested solution: In table 87, expand the Starting Type and Ending Type fields to two bytes each. In the second real paragraph on page 89, change "the Type range is a range of CT GS_Subtypes. There is no ambiguity in this definition because in a selector that applies to Common Transport traffic, the FC-2 Type has the value 20h, while the GS_Type is uniquely determined by the D_ID/S_ID." to "the Type range is a range of CT GS_Type || GS_Subtype. There is no ambiguity in this definition because in a selector that applies to Common Transport traffic, the FC-2 Type has the value 20h."
  Response: Accepted in concept. Reworded the paragraphs and extended the Type field size.

CNT-114 | T | p. 89 | 6.4.5, TS Type
  Problem: Second sentence has a TBD.
  Suggested solution: Fix.
  Response: See Cisco-10.

EMC-67 | T | p. 91 | 6.4.6
  Problem: Consistent certificate requirements with FCAP: there should be one set that spans both IKEv2 and FCAP.
  Suggested solution: See EMC comment 32. Liberal use of RFC 3280 is recommended. The text at the bottom of 6.8.18 on p. 115 is not sufficient.
  Response: Open. See the rework for FCAP and decide if it is enough.

CNT-120 | T | p. 92 | 6.4.7, items b) c) d)
  Problem: Items b) c) d) are ambiguous. What entity are the items talking about?
  Suggested solution: Clarify.
  Response: Accepted. The subject in a) applies to all the items.

McDATA-217 | T | p. 92 | CA, third paragraph
  Problem: Where does one determine the choices of certificate types?
  Suggested solution: Add documentation for certificate types supported.
  Response: Already present in table 89. Verify if the terminology can be made more consistent as part of action item 171.

ENDL-029 | T | p. 97 | 6.3.1 {IKE_SA_Init Message} Overview, table 67, rows 2 & 3
  Problem: TBD [twice]
  Suggested solution: 55 (or any other specific value)
  Response: See Cisco-03 and 04.

IBM - Penokie-034 | T | p. 97 | 6.3.2.1 Payload Structure, Table 67
  Problem: There are two TBDs that have to be removed from this table by either putting in the correct value or deleting them from the table.
  Response: See Cisco-03 and 04.

McDATA-220 | T | p. 98 | Last sentence before second a-b list
  Problem: Why can't switches do this like in Zoning?
  Response: Not understood.

ENDL-030 | T | p. 100 | 6.3.1 {IKE_SA_Init Message} Overview, Table 72, rows 4 & 5
  Problem: TBD [twice]
  Suggested solution: 55 (or any other specific value)
  Response: See Cisco-03 and 04.

IBM - Penokie-039 | T | p. 100 | 6.3.2.1 Payload Structure, Table 72
  Problem: There are two TBDs that have to be removed from this table by either putting in the correct value or deleting them from the table.
  Response: See Cisco-03 and 04.

McDATA-221 | T | p. 100 | SPI
  Problem: Add IKE_SA to Definitions along with the others from this clause.
  Response: Accepted. See McDATA-142.

ENDL-031 | T | p. 101 | 6.3.2.2 Mandatory Transform_IDs, 2nd a,b,c list, entries a and b
  Problem: TBD [twice]
  Suggested solution: 55 (or any other specific value)
  Response: See Cisco-07 and 08.

IBM - Penokie-046 | T | p. 101 | 6.3.2.2 Mandatory Transform_IDs, 2nd item a) and b)
  Problem: The TBDs have to have values or have to be deleted.
  Response: See Cisco-07 and 08.

EMC-69 | T | p. 101 | 6.6.4
  Problem: Vendor ID payload not extensible: the point of the vendor ID payload is to allow introduction of vendor-specific constants to signal extensions. Requiring that a T10 Vendor ID be used allows exactly one constant per vendor.
  Suggested solution: Extend and structure the Vendor ID payload to contain the T10 vendor ID plus a constant that the vendor is free to choose.
  Response: Accepted. Add a 32-bit vendor-chosen constant.

McDATA-222 | T | p. 101 | 6.7.1, first paragraph
  Problem: Does the "initial key" mean the key for the IKE_SA? How is it used by IKE? Does IKE skip its own authentication? If so, how? Is more than one IKE_SA_Init in an AUTH transaction allowed? Does the SA management transaction always start with IKE_SA_Init?
  Suggested solution: Add text to clarify, with references and answers to the questions.
  Response: Partially accepted. Removed "initial key" and clarified the sentence. Added "The SA Management Protocol shall proceed as specified in clause 6." There are no changes to the IKE protocol, so: IKE does not skip its own authentication; more than one IKE_SA is not allowed; the SA management transaction always starts with IKE_SA_Init.

McDATA-224 | T | p. 102 | 6.7.2
  Problem: Clarify this. IKE has an authentication message built in.
  Suggested solution: Clarify that this is referring to the clause 5 authentication prior to the SA management protocol.
  Response: Rejected. This clause covers the opposite scenario.

ENDL-037 | T | p. 103 | 6.3.2.4 Use of the Security_Association Payload with CT_Authentication, a,b,c list, entry e
  Problem: TBD [twice]
  Suggested solution: 55 (or any other specific value)
  Response: See Emulex-026.

IBM - Penokie-055 | T | p. 103 | 6.3.2.4 Use of the Security_Association Payload with CT_Authentication, Item e)
  Problem: The TBDs need to be defined or deleted.
  Response: See Emulex-026.

McDATA-226 | T | p. 104 | 6.7.4
  Problem: Clarify why there are two AUTH parameters for FC IKE.
  Suggested solution: Add an informative note in 6.7.4 reminding the reader that IKEv2-AUTH is expected to be an unusual case because another authentication method from clause 5 probably preceded the SA Management protocol.
  Response: Rejected. IKEv2-AUTH is a perfectly legitimate case, as shown in figure 1.

EMC-71 | T | p. 106 | 6.8.5
  Problem: Removal of cookies significantly weakens IKEv2 denial-of-service resistance. In essence this text is saying that the forged source address denial-of-service attack described in Section 2.6 of the IKEv2 draft can't happen in FC.
  Suggested solution: Put the cookies back in. Assuming this attack can't happen places too much trust in the fabric. Add denial-of-service resistance to the IKEv2 advantages (EMC comment 70).
  Response: Rejected. See EMC-20.

McDATA-228 | T | p. 106 | 6.8.5
  Problem: Should add the suggestion to use the binary exponential backoff algorithm for retries.
  Suggested solution: Add verbiage similar to that found in authentication clause 5 about the backoff algorithm.
  Response: Partially accepted. Add a reference to clause 5.

McDATA-227 | T | p. 106 | 6.8.5 Cookies, Milk, and DOS
  Problem: How does it make a DOS attack less effective? When resources are scarce due to the attack, an INIT from a valid user will get rejected and have to retry. The retry would most likely get rejected again if the system is still under the attack. IKEv2 tries to use the cookie to differentiate the valid user from the attacker when resources get scarce.
  Suggested solution: Describe the deviation from IKEv2. Add this scenario.
  Response: See EMC-20.

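EMC-71 and McDATA-227 both object to the removal of the IKEv2 cookie exchange, so it helps to see what that mechanism actually buys a responder. The Python below is an added example written for this page, not FC-SP or IKEv2 code: it implements the stateless cookie of Section 2.6 of IKEv2 (Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret), RFC 7296 in its final form) on the assumption that the initiator's S_ID stands in for IPi in a Fibre Channel fabric, and that the half-open threshold and secret rotation policy are illustrative. The responder allocates no state for an IKE_SA_Init until the initiator proves it can receive at the address it claims.

```python
"""IKEv2-style stateless cookie against forged-source IKE_SA_Init floods
(added example; S_ID used in place of IPi, rotation policy illustrative)."""

import hashlib
import hmac
import os

COOKIE_LEN = 1 + 16      # 1-byte secret version || truncated HMAC-SHA-256


class CookieResponder:
    """Responder side of IKE_SA_Init with the cookie mechanism of IKEv2 s2.6."""

    def __init__(self, half_open_limit=2):
        self.version = 0
        self.secrets = {0: os.urandom(32)}    # version -> secret (current + previous)
        self.half_open = 0                    # IKE_SAs awaiting IKE_AUTH
        self.half_open_limit = half_open_limit

    def rotate_secret(self):
        """New secret; keep the previous one so in-flight retries still verify."""
        self.version = (self.version + 1) % 256
        self.secrets = {(self.version - 1) % 256: self.secrets[(self.version - 1) % 256],
                        self.version: os.urandom(32)}

    def _cookie(self, version, ni, s_id, spi_i):
        mac = hmac.new(self.secrets[version], ni + s_id + spi_i, hashlib.sha256).digest()
        return bytes([version]) + mac[:16]

    def handle_sa_init(self, ni, s_id, spi_i, cookie=None):
        """Process an IKE_SA_Init request.

        Returns ("proceed", None) when the responder may allocate state, or
        ("retry", cookie) telling the initiator to resend with that cookie.
        Under load, a cookie is demanded before any state is kept: a flood of
        requests with forged S_IDs never sees the cookies, so none of them
        consume a half-open slot, while a real initiator retries once."""
        if self.half_open < self.half_open_limit:
            self.half_open += 1
            return "proceed", None
        fresh = self._cookie(self.version, ni, s_id, spi_i)
        if cookie is None or len(cookie) != COOKIE_LEN:
            return "retry", fresh
        version = cookie[0]
        if version not in self.secrets:
            return "retry", fresh
        expected = self._cookie(version, ni, s_id, spi_i)
        if not hmac.compare_digest(cookie, expected):   # bound to Ni, S_ID and SPIi
            return "retry", fresh
        self.half_open += 1
        return "proceed", None

    def complete(self):
        """Called when IKE_AUTH finishes or the half-open IKE_SA times out."""
        self.half_open -= 1
```

Binding the MAC to Ni, S_ID and SPIi means a cookie observed for one initiator cannot be replayed from another source, and keeping only the current and previous secret bounds how long a harvested cookie stays usable. Without the exchange, the responder's only defence against the McDATA-227 scenario is rejecting everything, legitimate initiators included.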
IBM - Penokie-069 | T | p. 107 | 6.4.3 Identification Payload, ID_TYPE description
  Problem: The statement << This field shall be set to the value TBD that represent the ID_Type Name_Identifier. >> contains a TBD that has to be resolved or removed.
  Response: See Cisco-09.

IBM - Penokie-070 | T | p. 107 | 6.4.3 Identification Payload, Table 83
  Problem: This table contains a TBD that needs to be removed or replaced with a specific value.
  Response: See Cisco-09.

ENDL-049 | T | p. 107 | 6.4.3 Identification Payload, Table 83 & the paragraph that introduces it
  Problem: TBD
  Suggested solution: 55 (or any other specific value)
  Response: See Cisco-09.

McDATA-231 | T | p. 107 | 6.8.6
  Problem: Proposals and Transforms are other important data constructs to add to the conceptual model that needs to be added to the beginning of this clause.
  Response: Accepted in principle. Add "(i.e., transforms)".

McDATA-230 | T | p. 107 | 6.8.7
  Problem: How is rekey handled if the authentication & key management protocol is used to get the key? Can an SA get rekeyed without reauthentication?
  Suggested solution: Add clarifications.
  Response: Accepted. Action to Fabio to propose clarifying text.

McDATA-233 | T | p. 107 | 6.8.7
  Problem: Define what "in place" refers to.
  Suggested solution: Change "in place" to "replacement of an existing SA without loss of connection or other SAs".
  Response: Accepted. Change to "replacement of an existing SA without affecting traffic or other SAs".

McDATA-232 | T | p. 107 | a)
  Problem: This could lead one to the conclusion that ESP_Header and CT_Authentication are mutually exclusive protocols to be supported.
  Suggested solution: Clarify that an IKE_SA for each protocol may exist at the same time.
  Response: The comment is correct if IKE_SA is replaced with Child_SA. Accepted the corrected comment. Add "An SA shall apply to a single Protocol. However multiple Protocols may be supported via multiple SAs."

McDATA-234 | T | p. 108 | Third paragraph
  Problem: Define SA bundle.
  Response: Accepted. Action item 169. See McDATA-142.

ENDL-058 | T | p. 109 | 6.4.3 Identification Payload, 1st paragraph after table 87, s 2
  Problem: TBD
  Suggested solution: 55 (or any other specific value)
  Response: See Cisco-09.

IBM - Penokie-073 | T | p. 109 | 6.4.5 Traffic Selector Payload, TS Type description
  Problem: The << This field shall be set to the value TBD, >> contains a TBD that has to be resolved or removed.
  Response: See Cisco-10.

EMC-72 | T | p. 109 | 6.8.8
  Problem: The SPD can't be entirely outside the scope of FC-SP.
  Suggested solution: Minimum functional requirements on the SPD that an implementation must meet are needed. See the selectors discussion in RFC 2401 for the IPsec version of this.
  Response: Open. See action item 142, McDATA-31. Consider renaming the SPD as SAD (Security Associations Database).

McDATA-237 | T | p. 109 | 6.8.8
  Problem: Change the reference to the SPD to a more complete description of the SPD, including important behavior and data that will allow interoperability.
  Suggested solution: Define a standard interface to set the SPD information in the fabric.
  Response: Rejected. The SPD information is internal to an implementation and generated by the IKEv2 protocol.

McDATA-238 | T | p. 109 | 6.8.8
  Problem: For interoperability, a policy should be specified for setting the content of an SPD.
  Response: Rejected. See McDATA-237.

McDATA-239 | T | p. 109 | 6.8.8
  Problem: Here is a hint to one thing that must be in an SPD.
  Suggested solution: Define the SPD more completely in this standard.
  Response: See EMC-72.

McDATA-236 | T | p. 109 | 6.8.8, 2nd paragraph
  Problem: Peer SPD consistency is a problem of IPsec. A packet will get dropped if there's no matching policy in the SPD even if the incoming packet is successfully authenticated/decrypted through a successful SAD lookup. However, 4.7 specifies that frames are passed if there's no match in the SPD. Why does FC need to negotiate a traffic selector?
  Response: The logic is that when an empty SPD is present the traffic should flow, not be dropped. Usually, when an SA is created in the SPD, there will also be a "catch-all" entry that specifies to discard everything else. Section 4.7 is being rewritten per action item 142. See also Brocade-50.

McDATA-235 | T | p. 109 | 6.8.8, first paragraph
  Problem: Which document describes how to maintain the SPD? When is the SPD updated by IKE? The example in IKEv2 can't apply here.
  Suggested solution: Define SPD maintenance in FC-SP.
  Response: See EMC-72.

EMC-73 | T | p. 110 | 6.8.10
  Problem: Make DH exponential reuse generic.
  Suggested solution: Apply this section to DH-CHAP, FCAP and FCPAP in addition to IKEv2.
  Response: Accepted. Add references to this section in DH-CHAP, FCAP, and FCPAP. Action to David to verify that the wording is adequate.

Emulex-032 | T | p. 110 | 6.8.9
  Problem: The only definition of the function/acronym "prf" is buried in 6.8.9. This is insufficient.
  Suggested solution: Put prf, or better, prf(x), in the acronym directory.
  Response: Accepted.

ENDL-060 | T | p. 111 | 6.4.6 Certificate Payload, 1st paragraph on page, last sentence
  Problem: Is it true that all implementations supporting certificates have to support all the types of certificates listed in table 89? The last sentence in the paragraph introducing the table appears to say yes.
  Response: Yes, it is true!

EMC-74 | T | p. 112 | 6.8.13
  Problem: The first paragraph does not allow direct use of IKEv2 without a prior authentication protocol.
  Suggested solution: It's wrong, fix it.
  Response: Accepted. Rewrite the paragraph. Action to me and Fabio.

ENDL-070 | T | p. 114 | 6.6.1 {IKE_Informational Message} Overview, p 1, s 3
  Problem: "may only occur"
  Suggested solution: "shall occur only"
  Response: Accepted.

ENDL-071 | T | p. 114 | 6.6.1 {IKE_Informational Message} Overview, p 1, s 3
  Problem: "are"
  Suggested solution: "shall be"
  Response: Accepted.

McDATA-240 | T | p. 115 | 6.8.18, second paragraph
  Problem: What is this paragraph trying to say?
  Suggested solution: Please type it into the document.
  Response: Accepted in concept, by removing the paragraph.

EMC-76 | T | p. 119 | 7.1.2
  Problem: Hashes in the policy summary object are being used for compare-by-hash.
  Suggested solution: Add a unique identifier such as the WWN of the principal switch and the time that the policy was created.
  Response: Open. David to work over it.

McDATA-241 | T | p. 120 | Table 104
  Problem: Same for the "Length" which is supposed to follow "message ID" but it's removed here.
  Suggested solution: Make TLVs consistent throughout the document.
  Response: Not understood.

McDATA-243 | T | p. 121 | Object Name
  Problem: The term Alphanumeric Name is not defined.
  Suggested solution: This is usually defined as: a printable ASCII character string, terminated with a null character (00h).
  Response: Rejected. Names are defined in 7.1.8 and 4.8. Move 7.1.8 before 7.1.2.

McDATA-244 | T | p. 122 | Switch Membership List Object, Switch Entry
  Problem: Switch Flags: should not include the Policy Data Role here. This would be better represented as an enumeration (a separate 4-byte field). It is not really a flag value and as defined does not leave much room for future expansion.
  Suggested solution: Add a separate and larger field for expansion of Policy Data Roles in the future.
  Response: Partially accepted. Redefine the field as follows: "11 .. 8: policy data role; 15 .. 12: reserved; 16: manager; 17: bla, bla…"

EMC-78 | T | p. 122 | Table 110
  Problem: Combine the Authentication Required and Authentication Tolerance bits in Switch Flags.
  Suggested solution: The result is a 2-bit field with 4 values: 11 = Authentication Required. 10 = Will attempt authentication on all connections, but fall back to no authentication on reject. 01 = Will not attempt authentication, but will cooperate with authentication initiated by the other switch. 00 = Authentication prohibited.
  Response: Partially accepted. Combine the 2 bits in a two-bit field, and define the behavior of each combination in a table (the suggested behavior does not reflect the current behavior).

McDATA-248 | T | p. 123 | Last sentence
  Problem: What happens if that one server switch goes offline? The Client Switch is a half-baked idea.
  Suggested solution: This switch behavior should be defined in SW. There has been minimal coordination with SW. How do Client Switches initialize? Can they become server switches? There are lots more questions that would have to be answered. Remove Client Switches.
  Response: Rejected. Add the following sentence to the end of page 123: "If no Server Switches are reachable, a Client Switch is not able to update its FC-SP Zoning configuration when new Devices are connected to the Fabric." Check the "may"s in the third and fourth paragraph of 7.6.5.1. Action to me.

McDATA-249 T 124 Auth Is it necessary to standardize this bit? It can Make this vendor specific. Rejected. We need this capability,
Tolerance be handled by vendor specific methods, if because we don't have in ELP an
needed. authentication reserved bit as in FLOGI.
See EMC-78.
There is no equivalent policy flag for
devices, only switches, which is also
puzzling.
Emulex-033 T 126 7.1.4 The undefined term Subserver is used In 7.1.4, change all occurrences of Accepted.
seven times in this subclause Subserver to Server.
McDATA-252 T 126 Authenticatio should "to" be "of"? It makes a difference. Accepted. Don't blame too much the
n required Italian editor!
EMC-79 T 127 7.1.4 Is GS_Subtype meaninful when GS_Type Text for wildcard case of GS_Type Accepted. Add "In this case the
has been wildcarded? needs to say that GS_Subtype is GS_Subtype field is ignored."
ignored.
McDATA-255 T 127 Allow/Deny In the interest of interoperability and to allow Make Deny functionality optional Rejected. The Deny feature allows to
for minimal implementations, throughout the document. express in a very compact way some
say "Support for Allow is required if the common case policies such as "access is
Device Membership list policy is supported. granted for every Service but the
Deny may optionally be supported." Management Service", requiring much
less space to store a policy.
IBM - Penokie-158 (T) p. 128, 6.8.7 Rekeying, 10th paragraph
Problem: The statement << The SA_Initiator, however, cannot receive on a newly created SA until it receives and processes the response to its IKE_Create_Child_SA request. >> should be << The SA_Initiator, however, shall not receive on a newly created SA until it receives and processes the response to its IKE_Create_Child_SA request. >>
Response: Partially accepted. Change "cannot" to "is not able to".

IBM - Penokie-173 (T) p. 130, 6.8.9 Nonces
Problem: The statement << and nonces, care must be taken to ensure that the latter use does not >> should be << and nonces, care shall be taken to ensure that the latter use does not >>
Response: Partially accepted. Change "must" to "should".

EMC-80 (T) p. 132, Table 127
Problem: Well Known Protocols Access Descriptor is wrong.
Suggested solution: The protocol numbers are IP protocols; the only ones that should be allowed are 7 [TCP] and 17 [UDP]. A flag should be used for this, not an IP protocol number. The ports aren't well known and the IANA registry defines the typical use for ports, but that's not the only use, and unregistered ports can be used (e.g., 8080 for HTTP is common). All uses of the phrase "well known" in this context are incorrect and should be removed.
Response: Open. Add a subclause to express constraints on the IP protocol types (David explicitly wants to avoid an allow policy on a wildcarded IP protocol). Action to me. Do not use the term "well known ports", because they may be not well known. Change to "default port".

EMC-81 (T) p. 133, Table 129
Problem: Table makes no sense; item entries of "Reserved", "GS_Type" and "GS_Subtype" are nonsense.
Suggested solution: Fix the table.
Response: Accepted.

McDATA-261 (T) p. 134, 7.1.7
Problem: The Attribute object defined in section 7.1.7 contains info to use during the authentication process as defined in the Authentication Parameters attribute. It defines which switch should send the negotiate message and which switch... So the switch does not know if its policies match with the connecting switch before running the authentication protocol. Is this a problem?
Response: No, it is not a problem. Even if the policies do not match, when the authentication is completed the policies will be checked.
EMC-82 (T) p. 135, 7.1.8
Problem: Forcing use of IPv4-mapped IPv6 addresses for IPv4 info is ugly.
Suggested solution: Add a new name tag whose value content is a pair of IPv4 addresses.
Response: Rejected. This is how the Fibre Channel Name Server already stores IPv4 addresses. Add a note referencing FC-GS-5, Name Server clause, where the IPv4 addresses are represented as IPv4 mapped IPv6 address, to explain why they are represented in this way also here. Add a reference to the IPv6 Addressing Architecture RFC.

McDATA-263 (T) p. 135, last sentence of 7.1.7
Problem: Is there a definition of ascending order? Is this binary or alphanumeric?
Suggested solution: Please define ascending order.
Response: Clearly stated. Instead check 7.6.4.1 and 7.6.4.2 to be sure that the order criteria are specified (alphabetic or numeric). Action to me and Bob Nixon to prepare a clause on sorting in the Definitions and Conventions section.

Veritas-9 (T) p. 135, Table 133
Problem: The note in this table sounds suspiciously like a requirement. If so, it should be stated in the text.
Suggested solution: Add sentence "The IEEE Registered Extended Name_Identifier (NAA=6h) shall not be used."
Response: Accepted, but keep it as a table footnote, which is normative.

McDATA-265 (T) p. 136, 7.2 General
Problem: Need a clear definition of when frame exchanges used for policy enforcement are expected to occur.
Suggested solution: Indicate when (for example, after which part of a connection process?) these are enforced to ensure interoperability.
Response: There is no policy specific frame exchange used for enforcement. Section 8 provides all details on how the various protocols are connected together.

McDATA-264 (T) p. 136, Alphanumeric
Problem: This should be moved much earlier in the document. Shouldn't this be defined in the same way as other standards? Is this an improvement?
Suggested solution: What is the difference between this and ASCII characters? Please specify.
Response: ASCII includes punctuation and control characters; here the set of characters is restricted. This definition is almost verbatim from FC-GS-5. Already agreed to move this section at the beginning of section 7 (see McDATA-243).

McDATA-266 (T) p. 137, last sentence
Problem: Specify which exchanges trigger these checks and when those exchanges occur.
Response: See section 8.

McDATA-268 (T) p. 141, 7.2.7
Problem: "appropriate actions shall be performed" is subjective. How are appropriate actions managed and defined? This is related to McDATA-24. Consistent behavior across all switches is required.
Suggested solution: In addition to defining the states, we should have a way to manage actions on a fabric wide basis.
Response: The term "appropriate actions" is used because what to do in the case of an authentication failure depends on the context. See McDATA-50. Keep open until McDATA-50 is closed.

McDATA-269 (T) p. 142, 7.3.1
Problem: Fabric Session is an undefined term. GS uses server session while SW uses GS Session. SW has the Fabric Management Session which can be encapsulated by a server session.
Suggested solution: The various standards need to make this terminology consistent and then do a global replacement of the terms.
Response: Action to Bob Nixon and me to check the cross-standards terminology and propose a uniform terminology to be used in GS, SW and SP.
McDATA-270 (T) p. 142, 7.3.1
Problem: Change name "Fabric Policy Server" to "Security Policy Server" since FC GS 4 used that and only this document has to change. That also resolves the need for getting a new CT Subtype assigned in GS.
Response: Accepted.

EMC-83 (T) p. 144, 7.3.2
Problem: Remove Policy Object is using compare by hash.
Suggested solution: Pass the actual policy object to be removed.
Response: Rejected. Add the following note: "Type, Name and Hash are sent by a management entity (e.g., via the Security Policy Server request RPO, see 7.3.6.8). Type and Name uniquely identify the policy object to be removed. The hash provides an additional check to detect if the identified object is not what was intended to remove (e.g., a hash mismatch indicates that stale data exist in the management entity)." (to be editorially cleaned!)

McDATA-271 (T) p. 144, Policy Object
Problem: A reference would be helpful here.
Suggested solution: Add a reference here to the clause that describes the Policy Objects.
Response: Accepted. Add "(see 7.1)".

McDATA-275 (T) p. 148, Table 146
Problem: Add a description for the Switch_Name.
Response: Accepted.

McDATA-276 (T) p. 149, Table 148
Problem: Why are 4 bytes being reserved? Reserved bytes are usually fill bytes, not a whole word. Are they obsolete bytes?
Suggested solution: Delete the reserved bytes.
Response: Rejected. ESS in FC-SW-4 uses 8 bytes flags structures.

McDATA-278 (T) p. 150, Below Table 149
Problem: Add definition of Total Length field and Security Object fields.
Response: Accepted. Add "Total Length of Security Objects: shall be set to the total length in bytes of the carried security objects. This field shall always be present." Check about adding "The length shall be a multiple of four".

McDATA-279 (T) p. 150, Below Table 150
Problem: Add definition of fields.
Response: Accepted. Editor to do the job!

McDATA-280 (T) p. 150, last paragraph
Problem: Does apply mean the switch generates the information?
Suggested solution: Clarify what is required.
Response: Change "apply" to "generate and include".

McDATA-277 (T) p. 150, Table 149
Problem: The fields in this table need to be defined. The Optional should be dropped from Table 150.
Suggested solution: Add field descriptions.
Response: Accepted. See McDATA-279.

EMC-84 (T) p. 151, 7.3.5.2
Problem: No instructions for where to get the key or how to compute the HMAC or signature in the Integrity Protection Value field.
Suggested solution: Specify where to get the key (probably a pointer into Section 5). Provide references for the HMAC and signature algorithms.
Response: Open. Action to Steve and Vidya to provide the missing information.
McDATA-284 (T) p. 152, Integer Field
Problem: Is there a reference for how the timestamp is defined?
Suggested solution: Specify the reference.
Response: Accepted. Add "The timestamp format is based on the Network Time Protocol (NTP) timestamp format described in RFC 1305. The timestamp is represented as a 64-bit unsigned fixed-point number in big-endian format. The timestamp is divided into two separate 32 bit fields. They are the Integer field and the Fractional field."

McDATA-285 (T) p. 158, RPO/APO
Problem: Should say something about how RPO and the APO command affect the Policy Summary Object. Is it necessary to activate a new summary? Does this just remove the policy from the area that has not been activated?
Suggested solution: Clarify what important interface behavior is required.
Response: Add "The APO/RPO request does not affect the current Policy Summary Object."

EMC-85 (T) p. 158, Table 169
Problem: Remove Policy Object is using compare by hash.
Suggested solution: Pass the actual policy object to be removed.
Response: Apply the same resolution as EMC-83.

EMC-86 (T) p. 160, 7.4
Problem: This is using compare by hash (well, actually multiple hashes) and doesn't need to. Compare by hash could be problematic if there's a hash collision.
Suggested solution: Add a unique identifier such as WWN of principle switch and time that policy was created to Policy Summary object.
Response: Open. Part of AI-147.

McDATA-286 (T) p. 160, 7.4.1
Problem: After Authentication implies that Authentication is required.
Suggested solution: Change to: After the authentication stage of Fabric Initialization. Change 7.6.3.3 too.
Response: Partially accepted. Remove "After Authentication" from both sections.

McDATA-287 (T) p. 160, 7.4.1
Problem: Can we be more specific about when the exchange of CPS occurs?
Suggested solution: Specify after which exchange and before which part of the process it should occur.
Response: Specified in section 8.9.

Cisco-11 (T) p. 160, 7.4.2
Problem: TBD: CPS SW_ILS not assigned.
Suggested solution: Get value from SWxx.
Response: Action to Editor.

Emulex-034 (T) p. 160, 7.4.2
Problem: What is the plan for resolving the TBD in table 173?
Response: See Cisco-11.

McDATA-288 (T) p. 163, Table 179, Fabric Binding
Problem: Add "or it may be done by vendor specific policy".
Response: Accepted. Add "or by vendor specific methods."

McDATA-290 (T) p. 165, 7.6.2.1
Problem: GFEZ does not mention FC-SP Zoning.
Suggested solution: Update reference to GS-5 or delete this. Is GS-5 considering this?
Response: Rejected. This clause extends what is specified in SW-3 and GS-4. Action to the editor to at least reserve the bit and opcodes definitions in GS-5 and SW-4.

McDATA-289 (T) p. 165, paragraph before 7.6.2
Problem: State when the Zoning Check Protocol occurs during the link initialization.
Response: Specified in section 8.9.

McDATA-291 (T) p. 167, Zone Set Database Hash
Problem: How is the hash generated?
Suggested solution: Reference how the hash is generated or define it.
Response: Action to Editor: verify if it makes sense to create a specific section on Hashes computation.

McDATA-293 (T) p. 168, Bit 9
Problem: this Switch s/b this Fabric.
Suggested solution: This is a fabric wide parameter, isn't it?
Response: No, it is a Switch parameter. Rejected.
Cisco-12 (T) p. 169, 7.6.3.3
Problem: TBD: ZCP SW_ILS Identifier not assigned.
Suggested solution: Get value from SWxx.
Response: Action to Editor.

Emulex-035 (T) p. 169, 7.6.3.3
Problem: What is the plan for resolving the TBD in table 189?
Response: See Cisco-12.

McDATA-297 (T) p. 169, TBD
Problem: This value should be assigned by SP and recorded in SW-4.
Response: See Cisco-12.

McDATA-298 (T) p. 171, Below Table 193
Problem: Zone Set Database Length and Zone Set Database Object List are not defined in SW-3.
Suggested solution: What is trying to be defined? Please clarify.
Response: They are all defined in FC-SW-3. Lengths are in bytes.

McDATA-299 (T) p. 174, 7.6.5.1
Problem: FSPF distance s/b FSPF cost.
Response: Open. Action to Editor to find the proper language. Cost of the shortest path?

Cisco-13 (T) p. 174, 7.6.5.2
Problem: TBD: ZIR SW_ILS Identifier not assigned.
Suggested solution: Get value from SWxx.
Response: Action to editor.

Emulex-036 (T) p. 174, 7.6.5.2
Problem: What is the plan for resolving the TBD in table 196?
Response: See Cisco-13.

McDATA-300 (T) p. 174, Flags
Problem: How many times do we want to reserve Flags and not use them?
Suggested solution: Is this communism at its worst?
Response: Withdrawn.

McDATA-304 (T) p. 177, 8
Problem: This clause has some major problems that will be discussed in the next three comments. The first general comment regards specifying internal processes that affect implementations but not external link behavior. This permeates every transition and we'll pick on 8.6.4.2 as an example.
Suggested solution: 8.6.4.2 could be rewritten simply as: This transition occurs when event NFA_E1 (i.e., a request for login is received from an authentication initiator) is received. This avoids discussion of FC-2, internal subsystem calls, timers, and requests.
Response: Open, but leaning to reject in concept. It is acceptable to specify behaviors in terms of internal state used as a model. External behavioral equivalence of the model is all that is required (see 8.3). Use of internal state avoids pulling significant portions of other standards into this standard.

McDATA-305 (T) p. 177, 8
Problem: The states in clause 8 need to match state diagrams from other standards. EEA comes close but does not mention the P18: Disabled Port State which was designed for security. Other states seem more like transitions, such as revoking. Revoking should be a transition to Disabled, Invalid Attachment or Isolated depending on the security policy. The Noncommunicating state works for NNA, but this state should link to state machines in FC-DA and FC-SW-3.
Suggested solution: Have a subgroup rewrite Clause 8 with connections to other standards and states with proper references.
Response: Open. Accepted the idea of a subgroup to rewrite parts of this clause. There are no particular issues for the SW related state machine (but SW needs to be updated, action to editor). P18 is completely defined by SW. "Revoking" is a state during which the Logout protocol is performed. Non-communicating may need clarifications, similar to "close communication".
McDATA-306 (T) p. 177, 8
Problem: This statement "The criteria for selection and the means of returning an error are beyond the scope of this standard; however, subsequent to issuing such errors, an FNA state machine shall cause implicit log out of the remote Nx_Port entity and return to the noncommunicating state with it." is in multiple places and misleading. We should define errors, and policies should determine if we do implicit logout.
Suggested solution: Define the errors for various scenarios so that we have predictable behavior.
Response: Open. Implicit logout is defined by FC-FS (FC-LS); the errors for various error scenarios are defined there (unfortunately not for all cases or unambiguously), in some cases by reference to other standards. The sentence in question comes from a specific case: some operations in the course of authentication may cause an overload of a system, resulting in an error returned to an authentication or a non-authentication operation (see appropriate standards for errors to be used). Action to Bob to clarify the text!

McDATA-307 (T) p. 177, 8
Problem: Event and State names are generic and then redefined each time they are used in the transitions. Restating NFA_S1 (i.e., Noncommunicating) becomes cumbersome.
Suggested solution: Use only the shortened names (e.g., revoking) or a state name so that we don't have to repeat both every time.
Response: Open. Subgroup for McDATA-305 to propose a way to the big group.

McDATA-308 (T) p. 177, 8
Problem: When a port reauthenticates, it should still be able to carry traffic, which is disallowed in the first authentication state.
Suggested solution: Add a new state for reauthentication to allow traffic to flow while it is reauthenticating.
Response: Rejected, the request describes an allowed behavior.

McDATA-309 (T) p. 177, 8
Problem: Can the F_Port FFFFFE send a LOGO to a device that it finds unacceptable, or should it just disable it?
Suggested solution: Allow FFFFFE to send LOGO for a graceful degradation. This will affect many transitions and errors in this clause.

McDATA-312 (T) p. 178, 8.3
Problem: This first sentence is rather confusing. I'm not sure what it's trying to say.
Suggested solution: Please clarify.

McDATA-313 (T) p. 179, 8.4.1
Problem: shall s/b should.
Suggested solution: Aren't we authenticating the physical link that several virtual abstractions can use? Different Virtual N_Ports could have different security requirements. Likewise, different virtual fabrics on the same port could have different security requirements. This will be determined by individual policy.

McDATA-315 (T) p. 179, 8.4.2
Problem: Change this second sentence to something like this: 'If a fabric name is used, the fabric should present a single fabric entity'.

McDATA-316 (T) p. 179, 8.4.2
Problem: What about authentication with well-known addresses?
Suggested solution: Should external fabric services be authenticated to the fabric? Please specify or allow.
McDATA-317 (T) p. 179, 8.4.2 second paragraph
Problem: First sentence doesn't sound right. Why can't an Nx_Port establish relationships with more than one entity if separate authentication is used?
Suggested solution: Clarify or rewrite the sentence.

ENDL-170 (T) p. 180, 7.4.2 Check Policy Summary (CPS), table 173, row 1
Problem: TBD 55 (or any other specific value).
Response: See Cisco-11.

McDATA-322 (T) p. 180, 8.5.2.1
Problem: Add 'or ILSs' after 'ELSs'.

McDATA-318 (T) p. 180, 8.5.2.2
Problem: Where is the abandon authentication request defined?
Suggested solution: Please define it.

McDATA-321 (T) p. 180, first paragraph
Problem: This implies the Nx_Port must authenticate with the name server to be secure. Authenticating with the fabric should (or could) cover name server communications.
Suggested solution: Change this clause to indicate it's up to the fabric whether it requires authentication with WKAs.

McDATA-324 (T) p. 181, 8.5.2.3
Problem: The last paragraph says that "the authentication service reports". Where does it report?
Suggested solution: If it reports it to internal software, we don't need to write about this in this standard.

McDATA-326 (T) p. 181, 8.5.2.3 b)
Problem: This is not described in the authentication clause. When is an AUTH_Reject necessary for reauthentication?

McDATA-328 (T) p. 181, 8.5.2.4
Problem: Where is spurious traffic event defined? The format of this spurious traffic event should be standardized or this reporting should be deleted.
Suggested solution: Please define or delete.

McDATA-329 (T) p. 181, 8.5.3.2
Problem: The clear security relationships request is not defined.
Suggested solution: Clause 8 refers to many internal requests and other things that should not be discussed or defined in this standard. The standards should only concern themselves with frames and protocols that travel on the link. This problem occurs in 8.5.4.2 (N_Port Login Request), 8.5.4.11 - 16. Should we even mention FC-2?

McDATA-330 (T) p. 181, 8.5.4.2
Problem: Maybe "fabric or shall" would make more sense here instead of "fabric and shall"?

Emulex-037 (T) p. 182, 8.5.4
Problem: Every instance of the terms "exchange" and "exchanges" in 8.5.4.x references the FC-FS sense of the term, and should have been capitalized.
Suggested solution: Capitalize every instance of the terms "exchange" and "exchanges" in 8.5.4.x.

McDATA-332 (T) p. 182, 8.5.4.5
Problem: Remove the last "that made the request".
McDATA-333 (T) p. 182, 8.5.4.8
Problem: Change 'port logout' to 'fabric logout'.

McDATA-334 (T) p. 183, 8.5.4.16 a)
Problem: This implies the Nx_Port can't authenticate any other Nx_Port unless fabric authentication is performed (i.e. fabric authentication is required if any Nx_Port to Nx_Port auth is required). We shouldn't impose that restriction.

McDATA-335 (T) p. 183, 8.5.4.16 c)
Problem: Define 'security frame processing'.

McDATA-336 (T) p. 183, 8.5.4.16 d)
Problem: Define 'frame that is secured' and how a receiving port detects it.

McDATA-337 (T) p. 183, 8.5.4.16 f)
Problem: Delete 'and is not secured'.

McDATA-338 (T) p. 184, f)
Problem: What does it mean to be "not secured"?
Suggested solution: Does it mean to be authenticated? If so, then this statement is redundant. Either way, we should define what it means to be secured.

McDATA-340 (T) p. 184, f)
Problem: Delete 'and are not secured'.

McDATA-341 (T) p. 184, h)
Problem: Delete this item. This would prevent a re-FLOGI or re-PLOGI after authentication is complete.

McDATA-339 (T) p. 184, last sentence before second a-b list
Problem: Fx_Ports for the switch s/b Fx_Ports for the Switch that require authentication.
Suggested solution: This modifier is needed since not all Fx_Ports need to do this.

McDATA-342 (T) p. 184, paragraph below I)
Problem: Explain how an unsecured FLOGI or PLOGI can be received in an established security relationship.

McDATA-344 (T) p. 186, NFA_S3
Problem: How do we negotiate ELS buffer conditions?
Suggested solution: I thought we did this with FLOGI and RPBC. If so, then we could say that. This might be one of those internal states that should not be in the standards. Same for NFA_E3.

McDATA-345 (T) p. 186, NFA_S6
Problem: This should be the revoked state. Revoking is a transition.
Suggested solution: This applies to FNA_S6 as well.

McDATA-343 (T) p. 186, Noncommunicating
Problem: Why are we defining a new state when we have invalid attachment and disabled already?
Suggested solution: Change noncommunicating to match SW's states. This applies to Figure 28 as well.

McDATA-346 (T) p. 187, 8.6.3
Problem: This whole clause uses terms that are not defined properly. For example, A request for login s/b A FLOGI, FDISC or PLOGI.

McDATA-350 (T) p. 187, 8.6.3
Problem: What timeout and counters are being discussed in NFA_E11?
Suggested solution: Please specify.
McDATA-349 (T) p. 187, last sentence
Problem: What is the nonresponsive state? Is it sending OLS?
Suggested solution: Do a global search and replace with the proper term.

McDATA-351 (T) p. 187, NFA_E1
Problem: Authentication client is the incorrect term throughout the document.
Suggested solution: Change client to other terminology.

McDATA-352 (T) p. 187, NFA_E3
Problem: What is ELS buffer negotiation?
Suggested solution: Add ELS buffer negotiation to Definition clause and describe it as optionally using the RPBC ELS as described in FC-FS.

McDATA-347 (T) p. 187, NFA_E4
Problem: How is this reported? What is the format of the report? Who is it reported to?
Suggested solution: Do a global search and deletion of reporting if it is internal.

McDATA-348 (T) p. 187, NFA_E7
Problem: s/b an AUTH_Negotiate is received from an authenticated client.

McDATA-353 (T) p. 188, 8.6.4.2
Problem: Do we need to standardize that the NFA state machine internal requests need to be specified?
Suggested solution: Delete these internal processes from the standard. Again in 8.6.4.5.

IBM - Penokie-244 (T) p. 189, 7.6.3.3 The Zoning Check Protocol, Table 189
Problem: The TBD needs to be defined or removed.
Response: See Cisco-12.

ENDL-172 (T) p. 189, 7.6.3.3 The Zoning Check Protocol, table 189, row 1
Problem: TBD 55 (or any other specific value).
Response: See Cisco-12.

McDATA-356 (T) p. 191, second paragraph
Problem: Change 'NFA' to 'FNA'.

McDATA-357 (T) p. 192, FNA_E1
Problem: Delete this event. ELPs are only used with E_Ports.
Suggested solution: Delete third paragraph on page 193 as well.

IBM - Penokie-250 (T) p. 194, 7.6.5.2 Zone Information Request (ZIR), Table 196
Problem: The TBD needs to be defined or removed.
Response: See Cisco-13.

ENDL-173 (T) p. 194, 7.6.5.2 Zone Information Request (ZIR), table 196, row 1
Problem: TBD 55 (or any other specific value).
Response: See Cisco-13.

McDATA-359 (T) p. 197
Problem: Change 'NFA' to 'NNA'.
EMC-88 (T) p. 200, 8.8.4.2
Problem: Unprotected PLOGI can cause denial of service. This transition allows an injected PLOGI to tear down existing security relationships, even though the PLOGI is not secured. It should not be possible for an unauthenticated attacker to take down a set of secure channels quite that easily.
Suggested solution: This is the infamous "Clear text xLOGI" issue; the problem with protecting PLOGI is that it breaks transparent gateways that rely on PLOGI in the clear. Even injection of a header for authentication (but not encryption) may break existing equipment. The problem with not protecting it is the denial of service possibility due to the implicit logouts caused by a PLOGI. The following ugly sequence of doing both might work: 1) Send secured PLOGI. 2) Recipient performs implicit logout (including security teardown) but *rejects* the secured PLOGI (i.e., login does not happen). In essence, this treats the PLOGI as a PLOGO only. 3) Sender performs its own teardown in response to the reject and tries again with an unsecured PLOGI. 4) Recipient can now accept the unsecured PLOGI and proceed to negotiate security. The upshot is that implicit logout side effects of a PLOGI only occur when the PLOGI is secured.

McDATA-362 (T) p. 221, D2.2
Problem: "In case of a primary SCS failure, the next backup SCS in the member list takes over the primary position to guarantee that fabric management operations are not interrupted." How do we detect this failure? The Link State records? How can this be done non-disruptively?
Suggested solution: Please specify how this is detected and how the next switch in the list takes over control of the application non-disruptively.

McDATA-363 (T) p. 221, D2.3 SCC
Problem: Why isn't DH-CHAP supported in this?
Suggested solution: Add DH-CHAP to the list of authentication protocols.

McDATA-365 (T) p. 224, Stage 2
Problem: The non-primary SCS switch determines if the primary is in the fabric. Does it determine this from LSRs?
Suggested solution: Please specify how.
Brocade-8 (T) p. 231, D.2.8.5
Problem: Concerning the policy name, it is said, "Name can not contain spaces or control characters." This sounds mighty mandatory (aside from the forbidden "can"). Does this imply that there are portions of this annex that are "normative"? If so, those portions should be broken out into a separate normative annex, or alternatively, the entire annex should be normative and those parts that are informative should be prefixed with the sentence "this subclause is informative".
Suggested solution: Separate normative text from informative text. A first overview indicates that many of the detailed sections of D.2, including D.2.5, D.2.6, D.2.7, and especially the payload formats in D.2.8, are probably normative. The particular sentence I found would then be changed to "Name shall not contain spaces or control characters." Another such sentence is in clause D.2.8.8, page 32, which says "Zoning can use its own payload as specified in FC-SW or this new payload." It should say "Zoning shall use the payload specified in FC-SW or this new payload (see table A.18)."

ENDL-212 (T) p. 251, D.2.8.6 Policy Member Object, p 1, s 4
Problem: 'Member type can be a string to specify certain security options in the fabric.' Nothing in this subclause allows strings in member types.
Suggested solution: Delete this sentence.

EMC-87 (T) p. 167ff, 7.6
Problem: Zoning checks are using compare by hash.
Suggested solution: Add a unique identifier that is compared in addition to the hash.
Response: Open. See EMC-86.

Cisco-14 (T) p. 186, fig. 27, 8.6.1
Problem: It looks like that state S6 is used as a graceful failover in case the AUTH_Reject doesn't suggest that there's an attack ongoing. Did you consider that the Reject message is unauthenticated? Is there any security implication that would allow to use that state for attacks?
Response: Discussion in the WG.

Cisco-15 (T) p. 191, fig. 38, 8.7.1
Problem: See previous comment.

Cisco-16 (T) p. 198, fig. 29, 8.8.1
Problem: See previous comment.
EMC-17 (T) pp. 21-23, 5.3.4
Problem: Rich error structure for AUTH errors may be dangerous.
Suggested solution: Need to perform security analysis to make sure that attacker can't learn info from returned errors (cf. infamous Tenex page fault attack on password).
Response: Action to David to perform the requested security analysis. Done, closed on 12/8/2004.

EMC-39 (T) p. 33ff, 5.5
Problem: No certificate acceptance requirements. Users *must* be able to replace certificates and set policy for what CAs are acceptable.
Suggested solution: Adapt text on certificate and CRL acceptance from Section 8.4.2 of SMI-S 1.0.2.
Response: Action to Steve Wilson to specify properly what certificate verification means for FCAP, and on root certificates configuration.

EMC-30 (T) pp. 34, 35, 5.5.1
Problem: Doesn't say where to get RSA public key.
Suggested solution: Say that RSA public key comes from certificate.
Response: Add "obtained from the verified certificate Cb,".

EMC-31 (T) pp. 34, 35, 5.5.1
Problem: No identity check in certificate verification.
Suggested solution: Certificate verification needs to check an identity field in the certificate. Else any certificate from any acceptable CA can be used to impersonate any entity.
Response: Add to step 4) "The identity of the Authentication Initiator is taken from the certificate Cb."

EMC-32 (T) pp. 34, 35, 5.5.1
Problem: No revocation check in certificate verification. Just checking validity dates in the cert. is not sufficient.
Suggested solution: Require the ability to check a CRL (cf. RFC 3280).
Response: Accepted. Action to Steve Wilson.

EMC-33 (T) pp. 34, 35, 5.5.1
Problem: Nonces aren't required to be fresh.
Suggested solution: Require nonces to be truly random, and not repeated.
Response: Add a reference to B.1.2 in table 26. Replace "random" with "new random" in step 2 and 3.

Cisco-05 (T) pp. 80, 83, 6.3.2.1, 6.3.2.4
Problem: TBD: Transform_ID for AUTH_HMAC_MD5-128.
Suggested solution: Get value assigned by IANA via Internet-Draft submission.

Cisco-06 (T) pp. 80, 83, 6.3.2.1, 6.3.2.4
Problem: TBD: Transform_ID for AUTH_HMAC_SHA1-160.
Suggested solution: Get value assigned by IANA via Internet-Draft submission.

Brocade-45 (T) All, All
Problem: Are there any implications to virtual fabrics? My guess is that there are and that they have been ignored for the first implementation. This should be explicitly stated during the introduction, probably in clause 4.1.
Suggested solution: Add one sentence paragraph to Clause 4.1 indicating, "This edition of FC-SP does not consider the implications of security in virtual fabrics or among routed fabrics other than those applicable to N_Port to N_Port behaviors."

CNT-23 (T) Global
Problem: References to FC-FS.
Suggested solution: Change references to FC-FS-2.

Cisco-02 (T) many, many
Problem: There is the need to define how FC-SP applies to the virtual fabric architecture.
Suggested solution: Will prepare presentation for discussion.
Response: Action to editor.

IBM - Dugan-379 (T) Annex-D
Problem: Change Notification Definition: "When QSA version 1 has been accepted by the Fabric Controller, registration for security attribute change notification is implied." This is incorrect. No registration occurs.
McDATA-7 | E | page 1 | scope
  Problem: You're repeating yourself.
  Suggested solution: This should be different from the intro and abstract. State some topics that were discussed and will be placed in SP-2.

Brocade-18 | E | page 2 | 2.4
  Problem: The primary source for the IETF documents should be specified as the IETF web-site RFC page.
  Suggested solution: Add the following text before the introductory paragraph. "All RFC documents may be obtained electronically at http://www.ietf.org/rfc.html. In addition, they may be obtained from the RFC Editor, ..."

IBM - Penokie-001 | E | page 2 | Release Notes for version 1.6
  Problem: All the revision information needs to be removed before letter ballot.

Brocade-19 | E | page 3 | 2.4
  Problem: The document is not available from IEEE. Instead, it is available from the IEEE standards web-site at: http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Wu and probably nowhere else. Specify and (in case it changes a bit) describe the URL.
  Suggested solution: Make recommended correction

Brocade-20 | E | page 3 | 2.4
  Problem: The address and web-site where the ITU-T recommendations can be found should be specified.
  Suggested solution: Replace the ITU-T text with: "The ITU-T recommendations may be obtained from the ITU-T at: International Telecommunication Union, Sales and Marketing Service, Place des Nations, CH-1211 Geneva 20 / Switzerland, or ordered on line through http://www.itu.int/rec/recommendation.asp."

McDATA-8 | E | page 3 | 2.4
  Problem: Need to include the reference where the DH Group Id's used for authentication originated from.
  Suggested solution: Add reference to RFC 3723.
Veritas-4 | E | page 5 | 3.1
  Problem: A number of terms used in the body of the document don't appear in the definitions list. Examples include confidentiality, authorization, integrity, Security Association, Security Policy Database, entity, security relationship, nonce, secret, certificate, password.
  Suggested solution: Take another pass through the document for definitions.

Brocade-22 | E | page 5 | 3.2
  Problem: The text should not force me to read FC-FS along with it. The appropriate definitions should be copied from FC-FS with a reference to "See FC-FS." following. As an example: 3.2.1 address identifier: An address value used to identify source (S_ID) or destination (D_ID) of a frame. See FC-FS"
  Suggested solution: Make recommended correction. The same should be applied to those referring to FC-SW-3.

Brocade-23 | E | page 5 | 3.2.21
  Problem: "ASCII" is a pretty sloppy definition, since there are several versions of it. The appropriate standard should probably be specified, probably Unicode US ASCII, but perhaps some other version.
  Suggested solution: Make recommended correction

Brocade-25 | E | page 5 | 3.2.22
  Problem: The definition of Radius Server should be tightened up.
  Suggested solution: Proposed wording: "Radius Server: A device providing the security services defined in RFC 2865."

EMC-1 | E | page 5 | 3.2.23
  Problem: Definition is too tight - "value not disclosed to anybody" doesn't permit anyone to use the secret.
  Suggested solution: Change to "value known to a limited group and not disclosed to others"

Emulex-001 | E | page 5 | 3.2.23
  Problem: The definition of "secret" conflicts with its consistent use in this standard to reference a shared secret.
  Suggested solution: Change 3.2.23 to: secret: a value intended to be unknown other than to a limited group of entities.

McDATA-9 | E | page 5 | B_Ports and E_Ports
  Problem: These should reference SW-4.

McDATA-11 | E | page 5 | Definitions
  Problem: Add definition for Perfect Forward Secrecy for completeness.

McDATA-10 | E | page 5 | FS references
  Problem: There are too many reference definitions. Is this the way we want to define the terms?
  Suggested solution: Write a definition but defer authority to the referenced standards.
Brocade-27 | E | page 6 | 3.3
  Problem: Blue text denotes IETF content. This gets a little flakey where the grammar of the blue text is so marginal that black text has to be thrown in to make it work right. Examples include 6.1.2 and 6.1.3 on page 67. In addition, it is not helpful to know it came from some RFC unless we know which RFC. Also, blue text does not show up in black and white copies.
  Suggested solution: Wherever RFC text is used, precede the set of text by indicating: "RFC nnnn says [indicates] the following:" That allows you to paraphrase and add text where required. Change all blue text to normal text.

CNT-6 | E | page 6 | 3.3
  Problem: Use of Blue text
  Suggested solution: Typically we have tried not to use color in the standards and technical reports since this requires color capable tools to achieve the proper context. Is blue text absolutely needed?

Brocade-26 | E | page 6 | 3.2.25
  Problem: The definition of "Word" should be corrected as per FC-FS.
  Suggested solution: Use the text: "word: A string of four contiguous bytes occurring on boundaries that are zero modulo 4 from a specified reference."

Brocade-28 | E | page 7 | 3.4
  Problem: ELS will be specified by FC-LS in the future. Fix the reference.
  Suggested solution: Make recommended corrections.

Brocade-29 | E | page 7 | 3.4
  Problem: ISO is "International Organization for Standardization".
  Suggested solution: Make recommended corrections.

Brocade-31 | E | page 7 | 3.4
  Problem: The "ignored" keyword ignores one common usage. In addition to all those things already ignored, it may also be possible to ignore protocol steps or events under certain conditions.
  Suggested solution: The first sentence of the definition should be changed to read: "When speaking of a bit, byte, word, field, or code value, the keyword indicates that the object is unused. When speaking of a protocol step or event, the keyword indicates that the recipient of the protocol step or event shall take no action because of the event."

Veritas-5 | E | page 7 | 3.4
  Problem: A number of abbreviations used in the document aren't listed here. Examples include SPD, SRP, FC-4, FC-1.
  Suggested solution: Add definitions

McDATA-12 | E | page 7 | General
  Problem: Change DH-CHAP to DHCHAP as used in the rest of the document.
  Suggested solution: Use DHCHAP throughout entire document.

McDATA-13 | E | page 7 | IKEv2
  Problem: Remove reference to IETF IKEv2 draft or replace with reference to an RFC.
Brocade-39 | E | page 8 | 3.6
  Problem: The T10 vendor list is a registered list from INCITS, delegated to T10 for management purposes. Contact Weber or Lohmeyer for more detailed and correct wording.
  Suggested solution: Make recommended correction.

Brocade-37 | E | page 8 | 3.5.10
  Problem: "Restricted" is not used anywhere in the document except in the normal English meaning. The keyword must be removed, since the normal English meaning is used many times.
  Suggested solution: Delete 3.5.10

Brocade-36 | E | page 8 | 3.5.7
  Problem: "Obsolete" has no usage and may be deleted. It won't actually be needed until FC-SP-2, so you may choose to leave it in here as a placeholder.
  Suggested solution: Leave it in for usage in FC-SP-2.

IBM - Penokie-003 | E | page 8 | Acknowledgements
  Problem: This section needs to be removed before this is forwarded to public review.

IBM - Penokie-002 | E | page 8 | Introduction
  Problem: This section needs to be converted to English or removed.

Brocade-40 | E | page 9 | 4.1
  Problem: "makes difficult" s/b "makes it difficult".
  Suggested solution: Make recommended correction

Brocade-41 | E | page 9 | 4.1
  Problem: "span across several" s/b "span several"
  Suggested solution: Make recommended correction

Brocade-42 | E | page 9 | 4.1
  Problem: "are then" s/b "are"
  Suggested solution: Make recommended correction

EMC-2 | E | page 9 | 4.1
  Problem: "fabric" is too restrictive - some of the facilities in FC-SP can or will span fabric boundaries (e.g., across virtual fabrics).
  Suggested solution: Change use of "fabric" to a word like "infrastructure" that does not have a defined scope in Fibre Channel.

EMC-3 | E | page 9 | 4.2
  Problem: "integrity" is misleading.
  Suggested solution: Change to "cryptographic integrity" here and elsewhere to convey stronger properties of keyed HMAC vs. CRC for plain integrity.

EMC-4 | E | page 9 | 4.2
  Problem: List of security properties is incomplete.
  Suggested solution: Use of ESP can provide replay protection and traffic origin authentication. Authentication in item b) is session endpoints only.

McDATA-20 | E | page 9 | 4.2
  Problem: Add (i.e. Message Authentication) after Integrity.

Veritas-6 | E | page 9 | 4.2
  Problem: Integrity of what - ports etc. etc. Needs to be further defined.
  Suggested solution: Replace by "integrity of all communicated information"??

EMC-5 | E | page 9 | 4.3
  Problem: "secret" should be "shared secret"
  Suggested solution: Make recommended change

EMC-6 | E | page 9 | 4.3
  Problem: Add discussion of private key to certificate infrastructure.
  Suggested solution: Discussion of certificate infrastructure needs to include private key. Certificate merely certifies the identity of the entity that can demonstrate knowledge of the private key.
EMC-7 | E | page 9 | 4.3
  Problem: "digitally sign" is incorrect; a keyed HMAC is not a digital signature, especially when based on a transient session key.
  Suggested solution: Rephrase to talk about providing cryptographic assurance of the integrity of transmitted data.

QLogic-03 | E | page 9 | 4.3
  Problem: Some place in this description we should mention that ESP_Header is further defined in FC-FS.

CNT-8 | E | page 9 | 4.1 p1,s1
  Problem: The growth in importance and size of Fibre Channel fabrics makes difficult …
  Suggested solution: The growth in importance and size of Fibre Channel fabrics makes it difficult …

McDATA-19 | E | page 9 | 4.1 third paragraph
  Problem: Change "risk" to "risks".

QLogic-02 | E | page 9 | 4.1, 1st paragraph
  Problem: I didn't know that fabrics constituted a "them".
  Suggested solution: Change "difficult for them" to "it difficult"

McDATA-21 | E | page 9 | 4.3 first paragraph
  Problem: Seems like "secret-based" and "password based" amount to the same thing. What is the difference, other than there are three authentication protocols defined?
  Suggested solution: Change to: Secret or password based and certificate-based authentication infrastructures are accommodated. OR Define the difference between secret and password.

McDATA-22 | E | page 9 | 4.3 first paragraph, 1st sentence
  Problem: Reword to "Three authentication protocols are defined but only one is required for interoperability."

McDATA-18 | E | page 9 | 4.3 second paragraph
  Problem: Here (and in the next para), "secret key" is used, while in Figure 1, "Shared Key" is used. ???
  Suggested solution: Add "secret key" and "shared key" and other keys (public key? session key?) to definitions. Use terms about defined types of keys consistently in text and Figure 1 and throughout document.

McDATA-14 | E | page 9 | first sentence
  Problem: makes s/b makes it

McDATA-15 | E | page 9 | first sentence
  Problem: Silly wording: the "importance" or "unimportance" of FC fabrics has no relationship to the adequacy of relying on their physical security.
  Suggested solution: Suggest wording ("size" can mean many things) which describes the physically-unenclosed (connected across very long distances) nature of many fabrics in use today. Say instead "The growth and variety of environments in which Fibre Channel fabrics are deployed makes it difficult…"
McDATA-23 | E | page 9 | last paragraph
  Problem: Change FCAP to FCCAP throughout to more accurately describe this protocol (Fibre Channel Certificate Authentication Protocol).

McDATA-24 | E | page 9 | last paragraph
  Problem: Define "digitally sign" or "digital signature" in definitions section for completeness and add reference.

McDATA-16 | E | page 9 | second sentence
  Problem: span across s/b span

McDATA-17 | E | page 9 | third sentence
  Problem: Delete word "then".

Brocade-44 | E | page 10 | 4.4
  Problem: The paragraph that says "Three Authentication protocols..." promptly goes off and allows a fourth. The fourth should be added to the list and the text changed to indicate "Four Authentication protocols..."
  Suggested solution: Make recommended correction

QLogic-04 | E | page 10 | 4.4, after item c
  Problem: Why isn't IKEv2 part of the a, b, c list?
  Suggested solution: Remove the statement "The Security Association management protocol (IKEv2-AUTH) may also be used as an Authentication Protocol.", and add IKEv2 as item (d) in the list.

McDATA-29 | E | page 10 | a, b, c
  Problem: Add word "Required" to the DHCHAP line.

McDATA-30 | E | page 10 | a, b, c
  Problem: The first paragraph below Figure 1 is a repeat of the previous page.
  Suggested solution: Delete this paragraph and the a-c list.

McDATA-28 | E | page 10 | Figure 1
  Problem: This graphic could be improved in many ways.

Veritas-7 | E | page 11 | 4.5
  Problem: The title is wrong, this doesn't define Security Associations.
  Suggested solution: Call it "Traffic classes"?

CNT-12 | E | page 11 | 4.5 p1,s3
  Problem: Two mechanisms are used protect specific classes of traffic.
  Suggested solution: Two mechanisms are used to protect specific classes of traffic.

CNT-13 | E | page 11 | 4.5 p1,s4
  Problem: ESP_Header is used
  Suggested solution: The ESP_Header is used …

Brocade-46 | E | page 11 | 4.6.1
  Problem: "may be composed by" s/b "may be composed of"
  Suggested solution: Make recommended correction

Brocade-48 | E | page 11 | 4.6.1
  Problem: "Object also an" s/b "Object allows an"
  Suggested solution: Make recommended correction
Emulex-006 | E | page 11 | 4.6.1
  Problem: The last sentence (?) of 4.6.1 has no verb.
  Suggested solution: In 4.6.1, change the last sentence from "The Policy Summary Object also an easy comparison of policy configurations" to "The Policy Summary Object also enables an easy comparison of policy configurations".

CNT-14 | E | page 11 | 4.6.1 p2,s1
  Problem: Why is first letter in "Devices" in caps? Same with "Switches" and "Objects".
  Suggested solution: Don't capitalize.

CNT-15 | E | page 11 | 4.6.1 p2,s2
  Problem: Policies may be further used to specify topology restrictions within the Fabric environment, such as which Switches may connect to which other Switches or which Devices may connect to which Switches.
  Suggested solution: Policies may be further used to specify topology restrictions within the Fabric environment (e.g., which switches may connect to other switches or which devices may connect to switches).

CNT-16 | E | page 11 | 4.6.1 p5,s1
  Problem: A policy configuration may be composed by the following Policy Objects:
  Suggested solution: A policy configuration may be composed of the following Policy objects:

CNT-17 | E | page 11 | 4.6.1 p6,s3
  Problem: The Policy Summary Object also an easy comparison of policy configurations.
  Suggested solution: The Policy Summary Object also provides an easy comparison of policy configurations.

McDATA-37 | E | page 11 | Fabric policies paragraphs
  Problem: composed by s/b composed of. These sentences can be combined into one paragraph.

McDATA-34 | E | page 11 | fourth sentence
  Problem: ESP_Header s/b The ESP_Header

McDATA-36 | E | page 11 | last sentence
  Problem: Add word "provides". Delete "also".

McDATA-33 | E | page 11 | line above a)
  Problem: Change "by" to "of".

McDATA-35 | E | page 11 | paragraph below a-b list
  Problem: You must be looking for trouble. Too many whiches.
  Suggested solution: Do a which hunt throughout the document.

McDATA-32 | E | page 11 | second sentence
  Problem: Change from "what are..." to "what the characteristics... are."

Brocade-49 | E | page 12 | 4.6.2
  Problem: "retain also" s/b "also retain"
  Suggested solution: Make recommended correction

CNT-18 | E | page 12 | 4.6.2 item a)
  Problem: They retain also all Device-to-Device (Zoning) information;
  Suggested solution: They also retain all device-to-device (Zoning) information;

CNT-19 | E | page 12 | 4.6.2 item c)
  Problem: Switches that retain all Fabric-wide Policy Objects but only their per Switch Policy Objects.
  Suggested solution: Switches that retain all Fabric-wide Policy Objects, but only their own per Switch Policy Objects.
CNT-22 | E | page 12 | 4.7 p1,s1
  Problem: Frame by frame integrity and confidentiality is achieved by using the ESP_Header Optional header (see FC-FS).
  Suggested solution: Frame by frame integrity and confidentiality is achieved by using the ESP_Header optional header (see FC-FS).

McDATA-41 | E | page 12 | Figure 2
  Problem: SPD is not defined yet.
  Suggested solution: Spell the acronym out and add it to the acronym clause. At least define SPD before you use it.

McDATA-39 | E | page 12 | General
  Problem: Where is this section covered in details?
  Suggested solution: Add cross reference to sections detailing integrity and confidentiality.

EMC-13 | E | page 13 | 4.8
  Problem: What is the Name Format for?
  Suggested solution: Say what sort of names use this Name Format.

CNT-24 | E | page 13 | 4.7 p3,s1
  Problem: The ESP_Header processing …
  Suggested solution: ESP_Header processing …

CNT-25 | E | page 13 | 4.7 p5,s2
  Problem: If there is a match, the verifying security transforms associated with the matched selector are applied to the frame, and the verified Information Unit are then passed to the FC-4.
  Suggested solution: If there is a match, the verifying security transforms associated with the matched selector are applied to the frame, and the verified Information Unit is then passed to the FC-4.

CNT-26 | E | page 13 | 4.7 p5,s3
  Problem: If there is no match, the Information Unit are passed to the FC-4 unchanged.
  Suggested solution: If there is no match, the Information Unit is passed to the FC-4 unchanged.

McDATA-44 | E | page 13 | third paragraph
  Problem: selector s/b Traffic Selector

McDATA-45 | E | page 13 | third paragraph
  Problem: are s/b is, two places.

EMC-14 | E | page 14 | 4.8
  Problem: p.14 left blank
  Suggested solution: Remove extraneous blank page

Brocade-51 | E | page 15 | 5.1
  Problem: The word entity may be a little vague. Are the authentications done by N_Ports or by any port to any port? Is the authentication engine associated with an N_Port, a node, or an FC-3 layer meta-port? Do we need a glossary entry for this?
  Suggested solution: Clarify "entity", possibly in the glossary, or alternatively in clause 4. This is actually explained for the first time in clause 5.2.1. At this point there has still been no explanation or overview of the valid addressing (required for SW_ILSs). The values are first defined clearly in clause 5.7.2.

EMC-15 | E | page 15 | 5.1
  Problem: No mention of local security policy.
  Suggested solution: Say that local security policy may be used to choose what Authentication algorithms are offered and what to select, or to say that none are acceptable.
McDATA-48 | E | page 15 | 5.1 fourth paragraph
  Problem: Authentication transaction s/b "Authentication Transaction" throughout this doc.

CNT-27 | E | page 15 | 5.1 p1,s2
  Problem: Authentication is the process by which an entity is able to verify the identity of another entity, providing the foundation for secure relationships.
  Suggested solution: Authentication is the process by which an entity is able to verify the identity of another entity, thus providing the foundation for secure relationships.

CNT-28 | E | page 15 | 5.1 p5,s1
  Problem: Any Fibre Channel entity may act as Authentication Initiator or as Authentication Responder.
  Suggested solution: Any Fibre Channel entity may act as an Authentication Initiator or Authentication Responder.

CNT-30 | E | page 16 | 5.1 p6,s1
  Problem: If a Fibre Channel entity is not acting as an Authentication Initiator or Authentication Responder and receives an AUTH_Negotiate message, then it shall reply to that message as specified by the Authentication Protocol of its choosing, becoming the Authentication Responder.
  Suggested solution: If a Fibre Channel entity is not acting as an Authentication Initiator or Authentication Responder and it receives an AUTH_Negotiate message, it shall reply as an Authentication Responder to that message as specified by the Authentication Protocol of its choosing.

CNT-31 | E | page 16 | 5.1 p7,s1
  Problem: If a Fibre Channel entity is acting as an Authentication Initiator and receives an AUTH_Negotiate …
  Suggested solution: If a Fibre Channel entity is acting as an Authentication Initiator and it receives an AUTH_Negotiate …

CNT-32 | E | page 16 | 5.1 p9,s1
  Problem: Two error indications shall not be generated in response of one AUTH message.
  Suggested solution: Two error indications shall not be generated in response to one AUTH message.

EMC-16 | E | page 16 | 5.2.1
  Problem: Switch usage is confusing; have to know that an Nx port authenticates to fabric, not switch, for this to make sense.
  Suggested solution: Add sentence that Nx port authentication is to fabric, not switch, and hence uses ELSs, not SW_ILSs.

McDATA-52 | E | page 16 | 5.2.1
  Problem: Fibre Channel Authentication protocols s/b authentication protocols or Authentication Protocol, consistently in the document.

CNT-33 | E | page 16 | 5.2.1 p1,s1 (Global)
  Problem: The Fibre Channel Authentication protocols may be used to authenticate Nx_Ports, B_Ports, or Switches. I assume "Switches" in this context means Fx_Ports and E_Ports. "Switches" is again used in the 2nd sentence.
  Suggested solution: If so, it would be better to explicitly state this.
McDATA-51 | E | page 16 | first sentence of paragraph before 5.2
  Problem: "of" s/b "to"

CNT-34 | E | page 17 | 5.2.2 p1,s1,s2
  Problem: … to as an AUTH_ILS message. The AUTH_ILS message (see table 3) is propagated by B_Ports.
  Suggested solution: … to as an AUTH_ILS message (see table 3). The AUTH_ILS message is propagated by B_Ports.

CNT-35 | E | page 17 | 5.2.2 p3,s1,s2
  Problem: … to as a B_AUTH_ILS message. The B_AUTH_ILS message (see table 5) is terminated by B_Ports.
  Suggested solution: … to as a B_AUTH_ILS message (see table 5). The B_AUTH_ILS message is terminated by B_Ports.

McDATA-53 | E | page 17 | Flags:
  Problem: Flags s/b AUTH_ILS Flags

McDATA-54 | E | page 18 | Flags:
  Problem: Flags s/b B_AUTH_ILS Flags

CNT-36 | E | page 18 | table 7
  Problem: thick border line
  Suggested solution: fix

CNT-37 | E | page 19 | 5.2.4 (Global)
  Problem: AUTH Message Code: specifies …
  Suggested solution: Use caps on first letter of first word (or not) consistently.

CNT-38 | E | page 19 | 5.2.4 AUTH Message Code, s2
  Problem: The message codes are listed in table 9.
  Suggested solution: The AUTH message codes are listed in table 9.

CNT-39 | E | page 19 | 5.2.4 p1,s1
  Problem: When DH-CHAP is used as Authentication Protocol …
  Suggested solution: When DH-CHAP is used as the Authentication Protocol ...

McDATA-55 | E | page 19 | Protocol Version
  Problem: Add note indicating what the proper behavior of Protocol Version fields of other values should be. Note: A version of 00 is rejected. The purpose of the version field is to change for major revisions of the protocol when downward compatibility may not be possible. For implementations supporting version 1 only, a version greater than 01 is rejected.

McDATA-56 | E | page 19 | Transaction Identifier
  Problem: Transaction Identifier (page 19). Suggest that the standard makes the rules for incrementing the transaction Identifier common for all Authentication Protocols.
  Suggested solution: Clarify that transaction identifier handling (incrementing to make it unique) applies to all protocols.

CNT-40 | E | page 20 | 5.3.1 list (Global)
  Problem: a) an AUTH_Reject message (see 5.3.4);
  Suggested solution: Use caps on first letter of first word (or not) consistently.

McDATA-58 | E | page 20 | 5.3.2
  Problem: reminder s/b remainder

QLogic-05 | E | page 20 | 5.3.2
  Problem: reminder
  Suggested solution: remainder

CNT-41 | E | page 21 | 5.3.3 p1,s1
  Problem: … specified in 4.8 with the …
  Suggested solution: … specified in table 2 with the …
McDATA-60 | E | page 21 | Figure 4
  Problem: There is no such error ReasonCode in the tables that follow. And why is the "Reason Code" omitted?
  Suggested solution: Add reference to table where defined.

CNT-42 | E | page 21 | table 11 a (Global)
  Problem: The IEEE Registered Extended Name_Identifier format (NAA=6h) is not supported
  Suggested solution: a) The IEEE Registered Extended Name_Identifier format (NAA=6h) is not supported.

IBM - Penokie-004 | E | page 22 | 2.4 Other References
  Problem: The font in the text << (http://www.ietf.org/). >> is not correct.

CNT-43 | E | page 22 | table 14 (Global)
  Problem: hash function Not Usable
  Suggested solution: Use caps consistently.

QLogic-06 | E | page 24 | 5.4.1
  Problem: Should include RFC for Diffie-Hellman.
  Suggested solution: I believe it is RFC2631.

CNT-45 | E | page 24 | 5.4.1 item a)
  Problem: a) Know the secret associated with the entity to be Authenticated, or
  Suggested solution: a) Know the secret associated with the entity to be Authenticated; or

EMC-19 | E | page 24 | 5.4.1.
  Problem: "Defer" is not correct.
  Suggested solution: Rephrase b) to talk about relying on a third party to verify the Authentication.

McDATA-66 | E | page 24 | Figure 5
  Problem: The bottom line looks dashed and don't know what it means.
  Suggested solution: Make it solid or indicate in words the meaning of the dashed line usage (optional message).

McDATA-65 | E | page 24 | first sentence
  Problem: Change "password" to "secret".

McDATA-68 | E | page 25 | 1)
  Problem: reminder s/b remainder; do global search and replace.

IBM - Penokie-005 | E | page 25 | 2.4 Other References
  Problem: The statement << to anybody. >> should be deleted as it adds no additional information.

ENDL-001 | E | page 25 | 3.2 Definitions
  Problem: Add glossary entry for FC address in support of 6.4.5 usage.

ENDL-002 | E | page 25 | 3.2 Definitions
  Problem: Add a glossary entry for FC-SP Zoning.

CNT-46 | E | page 25 | 5.4.1 item 2) (Global)
  Problem: bi-directional
  Suggested solution: bidirectional

McDATA-67 | E | page 25 | Table line with K
  Problem: Delete word "passwords". secret s/b secrets.
ENDL-003 | E | page 26 | 3.3 Editorial Conventions, last p on pg
  Problem: This paragraph does not cover all the uses of square brackets.
  Suggested solution: Replace with: 'The meaning of square brackets depends on the usage context as follows: a) In ladder diagrams, square brackets enclose optional parameters (e.g., [X] indicates that X is an optional parameter); and b) In the clause 7 policy enforcement definitions, square brackets enclose restricted identifiers (e.g., [N(alpha)] indicates a restriction on access for the switch with Node_Name alpha). See table 134 for additional examples.

McDATA-70 | E | page 26 | 5)
  Problem: Add "As shown by the dashed line in Figure 5,"

ENDL-004 | E | page 27 | 3.3 Editorial Conventions
  Problem: Add abbreviation for = is equal to

ENDL-005 | E | page 27 | 3.3 Editorial Conventions
  Problem: Add acronym entry for FC_ID in support of 6.4.5 usage.

ENDL-006 | E | page 27 | 3.3 Editorial Conventions
  Problem: Add abbreviation for IP to support use in 6.4.1 and elsewhere.

ENDL-007 | E | page 27 | 3.3 Editorial Conventions
  Problem: Add abbreviations for TCP and UDP to support uses in 7.1.6 and probably elsewhere.

McDATA-74 | E | page 27 | Line starting with "Support.."
  Problem: Change "Support.. is mandatory." sentence to "Compliant implementations shall support the NULL DHCHAP algorithm."

McDATA-73 | E | page 27 | Support sentence
  Problem: sentence s/b The MD5 Hash function shall be supported for DH-CHAP.

EMC-22 | E | page 27 | Table 21
  Problem: Footnote a should say where to find these values.
  Suggested solution: Say that they're in the "AUTHENTICATION ALGORITHMS" section of that IANA registry.

Brocade-53 | E | page 28 | Table 22
  Problem: These numbers are strange enough that standard verifiable electronic versions of them are probably available. Such a version should be referenced here.
  Suggested solution: Provide recommended reference.
IBM - Penokie-006 | E | page 29 | 4.3 Authentication Infrastructure, 2nd paragraph
  Problem: ###################################

CNT-48 | E | page 29 | 5.4.3 Challenge Value
  Problem: extra linefeed below text
  Suggested solution: remove

CNT-47 | E | page 29 | 5.4.3 Challenge Value Length (Global)
  Problem: … Reason Code ‘Authentication Failure’ and Reason Code Explanation ‘Incorrect Payload’.
  Suggested solution: … Reason Code "Authentication Failure" and Reason Code Explanation "Incorrect Payload". (Use double quotes for all reason code and reason code explanations.)

McDATA-78 | E | page 29 | last sentence
  Problem: Is there a way to describe RC/E's more briefly throughout the document?

IBM - Penokie-007 | E | page 30 | 4.3 Authentication Infrastructure, 2nd paragraph
  Problem: The statement << within the fabric environment that wish to establish a security relationship have knowledge >> should be << within the fabric environment that establish a security relationship have knowledge >>

Brocade-56 | E | page 30 | 5.4.4
  Problem: "value y selected" s/b "value selected".
  Suggested solution: Make recommended change.

IBM - Penokie-008 | E | page 31 | 4.6.1 Policy Definition, a,b,c list (2nd)
  Problem: ###################################

IBM - Penokie-009 | E | page 31 | 4.6.1 Policy Definition, Last paragraph
  Problem: ###################################

IBM - Penokie-010 | E | page 31 | 4.6.1 Policy Definition, Last paragraph
  Problem: The statement << The Policy Summary Object also an easy comparison of policy configurations. >> is not a complete sentence. I think it should be << The Policy Summary Object is also an easy comparison of policy configurations. >>

CNT-51 | E | page 31 | 5.4.3 Challenge Value Length, s2
  Problem: Otherwise this field …
  Suggested solution: Otherwise, this field …
CNT-49 | E | page 31 | 5.4.5 p1,s2
  Problem: If bi-directional Authentication is requested, the DHCHAP_Success message shall be sent also from the Authentication Initiator to the Authentication Responder.
  Suggested solution: If bidirectional Authentication is requested, the DHCHAP_Success message shall also be sent from the Authentication Initiator to the Authentication Responder.

CNT-50 | E | page 31 | 5.4.5 p2,s2
  Problem: In this case, when a DHCHAP_Success is received, …
  Suggested solution: In this case, when a DHCHAP_Success message is received, …

IBM - Penokie-011 | E | page 32 | 4.6.2 Types of Switches, Item a)
  Problem: The statement << Switches that retain all Policy Objects. They retain also all Device-to-Device (Zoning) information; >> should be << Switches that retain all Policy Objects and all Device-to-Device (Zoning) information; >>

IBM - Penokie-012 | E | page 32 | 4.6.2 Types of Switches, Item b)
  Problem: ###################################

IBM - Penokie-013 | E | page 32 | 4.6.2 Types of Switches, Item c)
  Problem: ###################################

EMC-40 | E | page 33 | 5.5.1
  Problem: No design reference for FCAP.
  Suggested solution: FCAP is based on a protocol designed outside T11 - that source needs to be cited, although I don't recall what it is.
  Response: Action to Steve Wilson to figure out.

CNT-52 | E | page 33 | 5.5.1 p2,s2 (Global)
  Problem: To Authenticate … Why is caps used on first letter?
  Suggested solution: Use authenticate.

CNT-53 | E | page 33 | Figure 6
  Problem: Do B's Certificate …
  Suggested solution: Does B's Certificate …

McDATA-87 | E | page 34 | 3)
  Problem: Inconsistent use of the word "concatenation". Other algorithms show the math in formula forms using || for concatenation. Adopt a similar style as used in DHCHAP section.

McDATA-88 | E | page 34 | Note 7
  Problem: Spell out what "its" refers to.

IBM - Penokie-014 | E | page 35 | 5 Authentication and Key Management Protocols
  Problem: The blank page above the section 5 header needs to be removed.
CNT-54 | E | page 35 | 5.5.1 item 4) s8
  Problem: If both the certificate and signature verifications complete successfully, then the Authentication Responder shall generate its Signature Sa by computing, with the negotiated hash function H( ), the hash of the received nonce Rb concatenated with the Diffie-Hellmann parameter g^x mod p, then by encrypting the hash with its RSA private key.
  Suggested solution: If both the certificate and signature verifications complete successfully, the Authentication Responder shall generate its Signature Sa by computing, with the negotiated hash function H( ), the hash of the received nonce Rb concatenated with the Diffie-Hellmann parameter g^x mod p, then encrypt the hash with its RSA private key.

CNT-55 | E | page 35 | 5.5.1 item 4) s9
  Problem: Then the Authentication Responder shall send …
  Suggested solution: The Authentication Responder shall then send ...

McDATA-90 | E | page 35 | first sentence
  Problem: Change to "nonce Ra concatenated with..." Better yet apply || and formula notations.

CNT-56 | E | page 37 | 5.5.2.3 DHgIDList Parameter Value p2,s2 (Global)
  Problem: … a shared Key … Why is first letter in caps?
  Suggested solution: Be consistent with use of caps for shared key, private key, public key, etc…

McDATA-91 | E | page 37 | second and third paragraphs
  Problem: change wording from mandatory to "shall support"
  Suggested solution: Use "shall" instead of "mandatory" throughout the document.

McDATA-98 | E | page 39 | Authentication Initiator Certificate
  Problem: Cb the s/b Cb of the

McDATA-100 | E | page 40 | Signature
  Problem: Shouldn't "described" be "defined".

Brocade-58 | E | page 42 | 5.6.1
  Problem: The reference "(See RFC 2945, SRP-6)" leaves one with the possible misinterpretation that SRP-6 is a subclause or function described in RFC 2945. Change to "(See RFC 2945 and SRP-6)".
  Suggested solution: Make recommended change.

EMC-44 | E | page 42 | 5.6.1
  Problem: Use common terminology for random ephemeral private key.
  Suggested solution: This is called a "unique and unpredictable random value" in DH-CHAP and a "nonce" in FCAP and IKEv2. Use "nonce" and define it in the definitions section.

McDATA-101 | E | page 42 | SRP
  Problem: Spell out SRP the first time and add it to the abbreviations section.
IBM - Penokie-015 | E | page 43 | 5.3.4 AUTH_Reject Message, Table 15 last row
  Problem: The statement << set to 1 in a >> should be << set to one in a >>

EMC-42 | E | page 43 | 5.6.1
  Problem: Use common terminology for GF(n).
  Suggested solution: "finite field GF(n)" notation not used elsewhere - use common terminology for this common DH element (field for exponentiation modulo a large prime).
  Response: Accepted by removing the offending paragraph, see Emulex-13.

EMC-41 | E | page 43 | Figure 7
  Problem: Figure is too complex.
  Suggested solution: Split into separate figures for unique and shared verifier modes with some text explaining the difference in calculations between the figures.
  Response: Accepted in principle. Unique verifier mode removed. See EMC-43.

McDATA-104 | E | page 44 | 2)
  Problem: I've found dictionary definitions of the word "ephemeral" that specify a day or less for the brief time it exists. Clarify what an ephemeral "brief amount" of time should be in an informative note. Is the intent that the private key should not be stored past the time needed for the protocol to complete?

IBM - Penokie-016 | E | page 44 | 5.4.1 Protocol Operations, 1st paragraph
  Problem: The statement << DH-CHAP provides bidirectional and may provide unidirectional Authentication between >> should be << DH-CHAP provides bidirectional Authentication and may provide unidirectional Authentication between >>

Emulex-019 | E | page 44 | 5.6.1
  Problem: Just a reminder, in the fourth line of list item 1 at the top of page 44, "reminder" should be "remainder".
  Suggested solution: In the fourth line of list item 1 at the top of page 44, change "reminder" to "remainder".

IBM - Penokie-017 | E | page 49 | 5.4.3 DHCHAP_Challenge Message
  Problem: At the end of the Challenge Value description the following statement should be added << The algorithm for generating the challenge value is outside the scope of this standard. >>

CNT-59 | E | page 50 | 5.7.1 p5,s1
  Problem: If a Domain_Controller or an E_Port is not acting as an Authentication Initiator or Authentication Responder and receives an AUTH_Negotiate message, …
  Suggested solution: If a Domain_Controller or an E_Port is not acting as an Authentication Initiator or Authentication Responder and it receives an AUTH_Negotiate message, ...
IBM - Penokie-018 | E | p. 51 | 5.4.4 DHCHAP_Reply Message
  Problem: At the end of the Challenge Value description the following statement should be added << The algorithm for generating the challenge value is outside the scope of this standard. >>

McDATA-107 | E | p. 52 | 5.7.3
  Problem: This is the first place that AUTH_TOV is mentioned.
  Suggested solution: Define it here or reference the right section.

IBM - Penokie-019 | E | p. 53 | 5.5 FCAP Protocol
  Problem: [not rendered in the source; the cell shows only ###]

Brocade-60 | E | p. 54 | 5.8.1
  Problem: "that detects to be connected" s/b "that detects it is connected"
  Suggested solution: Make recommended change

CNT-60 | E | p. 54 | 5.8.1 p7,s1
  Problem: An E_Port that detects to be connected to a B_Port …
  Suggested solution: An E_Port that detects it is connected to a B_Port ...

McDATA-108 | E | p. 54 | last sentence of 5.8.1
  Problem: to be s/b that it is

CNT-61 | E | p. 55 | 5.9.1 p1,s2
  Problem: AUTH_ELS requires Login in place between the two associated FC_Ports.
  Suggested solution: AUTH_ELS requires N_Port Login between the two associated FC_Ports prior to its use.

McDATA-109 | E | p. 55 | last paragraph
  Problem: General: "Authentication Transaction" (capital T) ?
  Suggested solution: Use well-defined terms like Authentication Transaction, Authentication Protocol, etc… consistently throughout the document.

McDATA-112 | E | p. 56 | 2nd paragraph, last sentence
  Problem: transaction s/b "Authentication Transaction" ?

CNT-64 | E | p. 56 | 5.9.1 p5,s1
  Problem: If an Nx_Port or Fx_Port is not acting as an Authentication Initiator or Authentication Responder and receives an AUTH_Negotiate message, …
  Suggested solution: If an Nx_Port or Fx_Port is not acting as an Authentication Initiator or Authentication Responder and it receives an AUTH_Negotiate message, ...

McDATA-113 | E | p. 56 | last paragraph
  Problem: Authentication protocol s/b Authentication Protocol
  Suggested solution: do a global search and replace

McDATA-114 | E | p. 56 | last paragraph
  Problem: is "Authentication protocol message" an "AUTH message"???
  Suggested solution: Use AUTH message terminology?

CNT-65 | E | p. 57 | 5.9.2 item a)
  Problem: The address identifier of another Nx_Port to designate that Nx_Port as the FC_Port with which Authentication is being performed;
  Suggested solution: The address identifier of another Nx_Port to designate that Nx_Port as the FC_Port to which Authentication is being performed;
CNT-66 | E | p. 57 | 5.9.2 item b)
  Problem: The Well Known Address of a Fabric Service to designate that Fabric Service as the FC_Port with which Authentication is being performed; or
  Suggested solution: The Well Known Address of a Fabric Service to designate that Fabric Service as the FC_Port to which Authentication is being performed; or

McDATA-117 | E | p. 57 | Addressing:
  Problem: Add (i.e. well known address for an F_Port)

CNT-68 | E | p. 58 | 5.9.2 item c), s1
  Problem: FFFFFEh to designate the local Fx_Port as the FC_Port with which Authentication is being performed.
  Suggested solution: FFFFFEh to designate the local Fx_Port as the FC_Port to which Authentication is being performed.

EMC-56 | E | p. 58 | 5.9.4
  Problem: How does sender determine receiver ELS size limit?
  Suggested solution: Add text to answer the question near the start of the section - RPBC is discussed later on.

McDATA-121 | E | p. 59 | Figure 12
  Problem: Figure 12 can be confusing depending on which way you read the example. Usually data flows from left to right. This implies that the data is flowing from right to left.
  Suggested solution: Show the first bit and the last bit in the stream to clear it up.

McDATA-122 | E | p. 59 | Paragraph below figure 12
  Problem: Has "security level" been mentioned/defined elsewhere in the doc?
  Suggested solution: Delete words "the security level of"

EMC-57 | E | p. 60 | Figure 13
  Problem: Take no action on late LS_ACC after timeout - In Figure 13 if the LS_ACC is delayed past the timeout and erroneously delivered, a receiver might advance to sending Fragment 3. That would be wrong.
  Suggested solution: Add text to say that once the 2*R_A_TOV timeout has occurred, Exchange 2 is torn down and any LS_ACC arriving (in error as it is well past R_A_TOV) must be discarded. This probably repeats text from another FC spec, but is worth saying here.

McDATA-124 | E | p. 62 | 2nd paragraph
  Problem: s/b "may trigger" ?

Brocade-61 | E | p. 62 | 5.9.5
  Problem: "is capable to perform" s/b "is able to perform" or "is capable of performing".
  Suggested solution: Make recommended change

CNT-70 | E | p. 62 | 5.9.5 p2,s1
  Problem: The Login process triggers the Authentication …
  Suggested solution: The Login process triggers authentication ...

McDATA-125 | E | p. 62 | first sentence below table 54
  Problem: to perform s/b of performing

McDATA-126 | E | p. 62
  Problem: capable to perform Authentication s/b capable of performing Authentication

Brocade-62 | E | p. 63 | 5.10
  Problem: "for re-authentication purpose" s/b "for re-authentication."
  Suggested solution: Make recommended change
Brocade-63 | E | p. 63 | 5.11
  Problem: Retry using R_A_TOV is painfully long. Can REC be used as well?
  Suggested solution: Propose REC for faster recovery. REC can be transmitted for an exchange at any time. If the exchange was not received, it may be retried immediately. If it was received, the E_D_TOV timer can be used instead of the R_A_TOV before retrying. Retries before R_A_TOV should use different authentication parameters.

CNT-71 | E | p. 63 | 5.9.5 p6,s4
  Problem: In which case, …
  Suggested solution: In this case, ...

CNT-72 | E | p. 63 | 5.9.5 p6,s5
  Problem: … fragmentation method explained in 5.9.4.
  Suggested solution: … fragmentation method specified in 5.9.4.

Brocade-30 | E | p. 64 | 5.11
  Problem: The "expected" keyword is used in unexpected ways.
  Suggested solution: On page 64, "expected" is used to mean "awaited". In this case, the word should simply be deleted. On page 69, "expected" is used to mean "in the format of". The text "as they would be expected in the headers" s/b "in the format defined for the headers". On page 95, the first usage is consistent with the keyword definition. The second should be corrected as for page 69. On page 98, "expected" s/b "shall" (or maybe "should"?).

McDATA-137 | E | p. 65 | 6 General
  Problem: This needs a high level view of the important relationships between IKE_SA and Child_SA and other data objects.
  Suggested solution: Add the necessary high level concepts and relationships.

McDATA-140 | E | p. 65 | 6 General
  Problem: General comment for the whole section. For a person who is working on IKE (v1), the referrals to IKEv2 all over the place are confusing. If IKE is just used as design base to save time, mention it in the beginning and change names with IKE prefix, such as IKE_SA_INIT, to names with other prefix, such as SAM_SA_INIT. And change the name of protocol to something like FC Key Exchange.
  Suggested solution: Change naming convention to SAM_ and change name of protocol to FC Key Exchange.
Brocade-64 | E | p. 65 | 6.1.1
  Problem: "FC Authentication and Key Management Protocol" from clause 5 is a real mouthful of a title. Can we simply say "FC Authentication" with a glossary statement indicating that it includes Key creation?
  Suggested solution: Make recommended change.

CNT-75 | E | p. 65 | 6.1.1 p1,s2 (Global)
  Problem: The SA Management protocol …
  Suggested solution: Use caps for first letter of management (or not) consistently.

CNT-76 | E | p. 65 | 6.1.1 p3,s3
  Problem: The SA management protocol begins with a set of four messages that establish a first SA.
  Suggested solution: The SA management protocol begins with a set of four messages that establish the first SA.

McDATA-144 | E | p. 65 | 6.1.1 third paragraph
  Problem: Clarify what "unique" means to the standard. Is it illegal to use the same transaction ID that was previously used during authentication? Does the value have to be checked by implementations for uniqueness?
  Suggested solution: unique s/b independent and unique from the authentication transaction

McDATA-145 | E | p. 65 | 6.1.1 third paragraph
  Problem: Refer to Table 58 that defines the variable notation.

CNT-74 | E | p. 65 | 6.1.1 p1,s1
  Problem: A Fibre Channel Security Association (SA) Management transaction occurs between an SA_Initiator and a SA_Responder.
  Suggested solution: A Fibre Channel Security Association (SA) Management transaction occurs between an SA_Initiator and an SA_Responder.

McDATA-146 | E | p. 65 | Figure 15
  Problem: Explain the notation in figure 15 before reaching the figure in the document: [ ] means optional? { } means ? ( ) means ? SK means ?
  Suggested solution: Add to table 58 or add another table for a legend.

McDATA-152 | E | p. 66 | first paragraph
  Problem: Add a picture to portray what the sequence of different IKE Payloads looks like. Is the order important, for example?
  Suggested solution: Add a picture to portray what the sequence of different IKE Payloads looks like. Is the order important, for example?

McDATA-153 | E | p. 66 | Table 58
  Problem: Everything in the left column of table 58 should be added to the Definitions clause. Payload type REKEY_SA is missing from table.

McDATA-155 | E | p. 66 | Table 58 Encrypted notation
  Problem: Replace E with SK{...} to match usage later
  Suggested solution: Use SK{…} notation consistently.
IBM - Penokie-020 | E | p. 67 | 5.6.2.3 DHgIDList Parameter, 2nd to last paragraph
  Problem: The number << 1536 >> should be << 1 536 >>.

CNT-77 | E | p. 67 | 6.1.1 p8,s1 (Global)
  Problem: … do a Diffie-hellman exchange.
  Suggested solution: … do a Diffie-Hellman exchange.

CNT-78 | E | p. 67 | 6.1.2 p3,s2
  Problem: All but the headers of all the messages that follow are encrypted and integrity protected.
  Suggested solution: All except the headers of all the messages that follow are encrypted and integrity protected.

CNT-79 | E | p. 67 | 6.1.3 Note 9, s2
  Problem: In IKEv2 the SA_Initiator …
  Suggested solution: In IKEv2, the SA_Initiator ...

IBM - Penokie-021 | E | p. 68 | 5.6.4 FCPAP_Accept Message
  Problem: The acronym << SRP >> needs to be added to the acronym list.

CNT-80 | E | p. 68 | 6.1.4 p4,s4
  Problem: The keying material for the Child_SA is a function of also the Diffie-Hellman value if KE Payloads are included in the IKE_Create_Child_SA exchange.
  Suggested solution: The keying material for the Child_SA is also a function of the Diffie-Hellman value if KE Payloads are included in the IKE_Create_Child_SA exchange.

CNT-81 | E | p. 68 | 6.1.4 p5,s1
  Problem: … nonce in the Ni Payload, optionally a Diffie-Hellman value in the KEi Payload, …
  Suggested solution: … nonce in the Ni Payload, an optional Diffie-Hellman value in the KEi Payload, ...

EMC-59 | E | p. 69 | 6.1.5
  Problem: Clarify "resulting in a duplicate deletion that may delete the wrong SA"
  Suggested solution: Replace with "as that may cause another deletion which could delete the wrong SA"

CNT-83 | E | p. 69 | 6.1.5 p4,s10
  Problem: In that case, …
  Suggested solution: In this case, ...

CNT-84 | E | p. 70 | 6.2.1 p1,s1
  Problem: See CNT-33 regarding use of the term "Switches"

McDATA-168 | E | p. 70 | Next IKE Payload
  Problem: Add "(See table 62.)"

McDATA-169 | E | p. 71 | IKE Protocol Version
  Problem: This is out of order with the header table order of the fields.
  Suggested solution: move it or lose it.

CNT-85 | E | p. 71 | table 60 bit 4 row
  Problem: Version: Indicates that the transmitter is capable of speaking a higher major version number of the protocol …
  Suggested solution: Version: Indicates that the transmitter is capable of supporting a higher major version number of the protocol ...

McDATA-174 | E | p. 73 | 6.3.1
  Problem: There's already an overview in 6.1.2. Maybe combine two overviews.
  Suggested solution: Have one overview for IKE_SA_Init.

CNT-88 | E | p. 73 | 6.3.1 p1,s3
  Problem: … but the SA_Initiators proposes a set of Transforms, …
  Suggested solution: … but the SA_Initiator proposes a set of Transforms, ...
McDATA-171 | E | p. 73 | Table 63 bit 7 description
  Problem: Duplicate information makes it hard to read. "If the recipient does not understand a Payload type…"
  Suggested solution: Rewrite without repeating as often.

CNT-86 | E | p. 73 | table 63 bit 7 row, p2,s1
  Problem: The sender shall set the Critical bit to zero to specify that the recipient shall skip this Payload if the recipient does not understand the Payload type.
  Suggested solution: The sender shall set the Critical bit to zero to specify the recipient shall skip this Payload if the recipient does not understand the Payload type.

CNT-87 | E | p. 73 | table 63 bit 7 row, p2,s2
  Problem: The sender shall set the Critical bit to one to specify the recipient shall reject this entire message if the recipient does not understand the Payload type.

CNT-89 | E | p. 74 | 6.3.2.1 p1,s1 (Global)
  Problem: Is it necessary to capitalize the first letter of: Attributes, Proposal(s), Protocol, Transform? If so, Proposal(s), Protocol, and Attribute(s) is not consistent in this subclause.
  Suggested solution: … attributes …

CNT-91 | E | p. 75 | 6.3.2.1 Note 14
  Problem: In IKEv2, the optional …
  Suggested solution: In IKEv2 the optional …

CNT-93 | E | p. 75 | 6.3.2.1 p3,s1
  Problem: … Proposal number …
  Suggested solution: … Proposal Number …

CNT-90 | E | p. 75 | 6.3.2.1 p6,s5
  Problem: If the SA_Initiator wanted to propose only a subset of those - say (AES_CBC and HMAC_MD5) or (AES_CTR and HMAC_SHA1) - there is no way …
  Suggested solution: If the SA_Initiator wanted to propose only a subset of those (e.g., (AES_CBC and HMAC_MD5) or (AES_CTR and HMAC_SHA1)), there is no way …

CNT-92 | E | p. 76 | 6.3.2.1 p6
  Problem: Incorrect references to table 66 (twice)
  Suggested solution: References should be to table 65.

CNT-94 | E | p. 77 | 6.3.2.1 Proposal Number:
  Problem: … all of the Proposal numbers …
  Suggested solution: … all of the Proposal Numbers …

EMC-62 | E | p. 77 | Table 67 and others
  Problem: Cite source of values
  Suggested solution: When values are same as IKEv2, need to say so for each table.

CNT-96 | E | p. 78 | 6.3.2.1 SPI:
  Problem: SPI size or SPI Size
  Suggested solution: fix

CNT-97 | E | p. 78 | 6.3.2.1 Transform Type:
  Problem: If the SA_Initiator makes use of the Transform optional to the SA_Responder, the SA_Initiator includes a Transform substructure with Transform_ID set to the NONE/NULL transform identifier as one of the options. Difficult to parse.
  Suggested solution: If the SA_Initiator makes use of a Transform that is optional to the SA_Responder, the SA_Initiator shall include a Transform substructure with Transform_ID set to the NONE/NULL transform identifier as one of the options. (?)

McDATA-189 | E | p. 78 | Note 16
  Problem: Don't understand what the last sentence means.
  Suggested solution: Clarify.
McDATA-187 | E | p. 78 | SPI:
  Problem: "shall not present" should be "shall not be present".

McDATA-188 | E | p. 78 | Transform type: last sentence
  Problem: Remove NULL.

McDATA-199 | E | p. 81 | General - last paragraph
  Problem: Many places in this document, text that has been cut and pasted from the IKEv2 spec still contains references to IKEv2. Should these be changed to "this protocol"? You might want to do a global search for "IKEv2" and decide which need to be changed.
  Suggested solution: Clean up usage of "IKEv2" or remove term.

CNT-99 | E | p. 82 | 6.3.2.3 p2,s1
  Problem: Note that only a single attribute type …
  Suggested solution: Note that only a single Attribute Type …

McDATA-207 | E | p. 82 | last sentence
  Problem: "key width" should be "key length".

ENDL-008 | E | p. 83 | 5.9.5 Authentication and Login, 1st p after table 56, s 3&4
  Problem: Login process. In which case, the
  Suggested solution: Login process, when the

Brocade-66 | E | p. 83 | 6.3.2.4
  Problem: The two values specified "TBD" are correct. The TBD should be removed and the values removed from parentheses.
  Suggested solution: Make recommended change

McDATA-209 | E | p. 83 | 6.3.2.5
  Problem: Seems out of place.
  Suggested solution: Move this section to the beginning of 6.3.2.

CNT-101 | E | p. 83 | 6.3.2.5 p1,s3
  Problem: If there are multiple proposals, the SA_Responder shall select a single proposal number and return all of the Proposal substructures with that Proposal number.
  Suggested solution: If there are multiple proposals, the SA_Responder shall select a single Proposal Number and return all of the Proposal substructures with that Proposal Number.

McDATA-210 | E | p. 84 | Note 18
  Problem: "lengthed" should be "length".

ENDL-009 | E | p. 85 | 6 Security Association Management Protocol, Global in subclause
  Problem: There are numerous instances of 'node' as well as numerous instances where 'node' obviously has been changed to 'entity'.
  Suggested solution: Replace all instances of 'node' with 'entity'.

CNT-102 | E | p. 85 | 6.4.1 p3,s2
  Problem: the SA_Initiator …
  Suggested solution: The SA_Initiator …

CNT-103 | E | p. 85 | 6.4.1 p3,s3
  Problem: The final fields (starting with SAi2) are described in the description of the IKE_Create_Child_SA message.
  Suggested solution: The final fields, starting with SAi2, are described in the description of the IKE_Create_Child_SA message.
CNT-104 | E | p. 85 | 6.4.1 p4
  Problem: The SA_Responder asserts its identity with the IDr Payload, authenticates its identity with the AUTH Payload, and completes negotiation of a Child_SA with the additional fields described below in the IKE_Create_Child_SA message. Difficult to parse this sentence.
  Suggested solution: The SA_Responder specifies its identity in the IDr Payload, authenticates its identity with the AUTH Payload, and completes negotiation of a Child_SA with the additional fields specified in the IKE_Create_Child_SA message (see 6.5).

CNT-105 | E | p. 86 | 6.4.2 p1,s4
  Problem: … are computed as specified in 6.8.11 and in 6.8.12.
  Suggested solution: … are computed as specified in 6.8.11 and 6.8.12.

CNT-106 | E | p. 86 | 6.4.2 p2,s1
  Problem: The encryption and integrity protection algorithms are modelled after the ESP algorithms described in RFC 2104, 2406, 2451.
  Suggested solution: The encryption and integrity protection algorithms are modeled after the ESP algorithms described in RFC 2104, RFC 2406, and RFC 2451.

CNT-107 | E | p. 86 | 6.4.2 p2,s3
  Problem: We assume a block cipher with a fixed block size and an integrity check algorithm that computes a fixed length checksum over a variable size message.
  Suggested solution: A block cipher with a fixed block size and an integrity check algorithm that computes a fixed length checksum over a variable size message is assumed.

CNT-108 | E | p. 87 | 6.4.3 p1,s1
  Problem: The Identification Payloads allow peers to assert an identity to one another.
  Suggested solution: The Identification Payload allows peers to specify an identity to one another.

CNT-110 | E | p. 87 | table 86 note a
  Problem: missing period
  Suggested solution: add period to end of sentence

ENDL-010 | E | p. 88 | 6.1.4 IKE_Create_Child_SA Protocol Overview, last p in subclause, s 1
  Problem: which may be
  Suggested solution: that may be

ENDL-011 | E | p. 88 | 6.1.5 IKE_Informational Protocol Overview, p 1, s 1
  Problem: convey
  Suggested solution: send
ENDL-012 | E | p. 88 | 6.1.5 IKE_Informational Protocol Overview, p 1, s 1
  Problem: 'certain' adds no value
  Suggested solution: Delete the word 'certain'.

ENDL-013 | E | p. 88 | 6.1.5 IKE_Informational Protocol Overview, p 1, s 1
  Problem: events, by using
  Suggested solution: events using [note, no comma]

McDATA-216 | E | p. 89 | 4th paragraph
  Problem: "depending from" should be "depending on".

ENDL-017 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after figure 16, s 3
  Problem: some response, else
  Suggested solution: a response. Otherwise,

ENDL-018 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after figure 16, s 3
  Problem: will assume
  Suggested solution: assumes

ENDL-019 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after figure 16, s 3
  Problem: 'in the network' is not appropriate to Fibre Channel.
  Suggested solution: Delete the cited text.

ENDL-020 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after figure 16, s 3
  Problem: will retransmit
  Suggested solution: retransmits
ENDL-022 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after figure 16, s 3
  Problem: 'also' adds no value
  Suggested solution: Delete the word 'also'.

ENDL-021 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after figure 16, s 4
  Problem: That response
  Suggested solution: The response

ENDL-023 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after note 10, s 7
  Problem: 'by chance' adds no value
  Suggested solution: Delete the cited text.

ENDL-024 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p after note 10, s 7
  Problem: in the network
  Suggested solution: in the fabric

ENDL-016 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st p on pg, s 1
  Problem: which generated
  Suggested solution: that generated

IBM - Penokie-022 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st paragraph after figure 16
  Problem: The term << will >> needs to be replaced with << shall >> in two places.
IBM - Penokie-023 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 1st paragraph after note
  Problem: The statement << If by chance both ends of a set of SAs independently >> should be << If both ends of a set of SAs independently >>

ENDL-027 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 2nd p after note 10, 2nd to last s in p
  Problem: which implicitly closes
  Suggested solution: implicitly closing

ENDL-028 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 2nd p after note 10, last s in p
  Problem: 'on a clean base' adds no value
  Suggested solution: Delete the cited text.

ENDL-025 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 2nd p after note 10, s 1
  Problem: should they persist
  Suggested solution: if they persist

ENDL-026 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 2nd p after note 10, s 2
  Problem: time periods
  Suggested solution: timeout periods

IBM - Penokie-024 | E | p. 89 | 6.1.5 IKE_Informational Protocol Overview, 2nd to last paragraph
  Problem: The statement << An entity may then rebuild the SAs it needs on a clean base under a new IKE_SA. >> should be << An entity may then rebuild the SAs under a new IKE_SA. >>
CNT-111 | E | p. 89 | 6.4.5 p3,s2
  Problem: The Type attribute has different semantic depending from the Protocol to which the Selector is applied to.
  Suggested solution: The Type attribute has different semantics depending on the Protocol to which the Selector is applied to.

CNT-112 | E | p. 89 | 6.4.5 p3,s3
  Problem: For the ESP_Header Protocol, that operates at FC-2 layer, the Type range is a range of FC-2 Types.
  Suggested solution: For the ESP_Header Protocol that operates at FC-2 layer, the Type range is a range of FC-2 Types.

CNT-113 | E | p. 89 | 6.4.5 p3,s4
  Problem: For the CT_Authentication Protocol, that operates at CT layer, the Type range is a range of CT GS_Subtypes.
  Suggested solution: For the CT_Authentication Protocol that operates at CT layer, the Type range is a range of CT GS_Subtypes.

CNT-115 | E | p. 89 | 6.4.5 Selector Length:
  Problem: the length of this Traffic Selector Substructure, and shall be set to 28.
  Suggested solution: the length of this Traffic Selector Substructure. The Selector Length field shall be set to 28.

IBM - Penokie-025 | E | p. 90 | 6.2.1 General Structure, last paragraph
  Problem: Do you really mean << in this clause are relative to the Message >>? This clause is clause 6. Or do you mean this subclause as in << 6.2 >>?

IBM - Penokie-026 | E | p. 90 | 6.2.2 IKE_Header Payload, 3rd paragraph under table 59
  Problem: Do you really mean << in this clause >>? This clause is clause 6. Or do you mean this subclause as in << 6.2 >>?

IBM - Penokie-028 | E | p. 91 | 6.2.2 IKE_Header Payload, 1st paragraph under table 60
  Problem: The statement << Since this specification is implementing IKEv2, >> should be << Since this standard is implementing IKEv2, >>

IBM - Penokie-027 | E | p. 91 | 6.2.2 IKE_Header Payload, Table 60 Version description
  Problem: The statement << of speaking a higher major >> should be << of supporting a higher major >>.

CNT-117 | E | p. 91 | 6.4.6 Certificate Encoding:
  Problem: Why is first letter in "Certificates" in caps?
  Suggested solution: certificates
CNT-116 | E | p. 91 | Table 89, Certificate Syntax for Values 12 and 13
  Problem: … with a 20 bytes SHA-1 hash ...
  Suggested solution: … with a 20 byte SHA-1 hash ...

IBM - Penokie-029 | E | p. 92 | 6.2.3 Chaining Header, Note under table 62
  Problem: In this note << NOTE 11 - These codes are from the IETF IKEv2 specification, and are registered by IANA. >> it is not clear what codes are being referred to. This needs to be fixed.

Brocade-38 | E | p. 92 | 6.4.7
  Problem: The word "must" should be replaced with "shall" here and on page 110.
  Suggested solution: Make recommended correction

CNT-118 | E | p. 92 | 6.4.7 p4,s2
  Problem: … not defined in this document.
  Suggested solution: … not defined in this standard.

CNT-119 | E | p. 92 | 6.4.7 p5,s2
  Problem: If so the Certificate Authority …
  Suggested solution: If so, the Certificate Authority …

CNT-121 | E | p. 92 | 6.4.7 p6,s1
  Problem: Certificate revocation checking must be considered …
  Suggested solution: Certificate revocation checking shall be considered ...

CNT-122 | E | p. 92 | 6.4.7 p6,s7
  Problem: There may be cases where there is a preferred CA, but an alternate may be acceptable (perhaps after prompting a human operator).
  Suggested solution: There may be cases where there is a preferred CA, but an alternate may be acceptable, perhaps after prompting a human operator.

CNT-123 | E | p. 93 | 6.5 p5,s1
  Problem: … optionally a Diffie-Hellman value in the KEi Payload, …
  Suggested solution: … an optional Diffie-Hellman value in the KEi Payload, …

CNT-124 | E | p. 93 | 6.5 p6,s1
  Problem: The SA_Responder replies (using the same Message_ID to respond) …
  Suggested solution: The SA_Responder replies, using the same Message_ID to respond, ...

CNT-125 | E | p. 93 | 6.5 p6,s3
  Problem: The SA_Initiator should repeat the request, but now with …
  Suggested solution: The SA_Initiator should repeat the request with …

McDATA-218 | E | p. 94 | 1st paragraph
  Problem: "composes" should be "compose".

CNT-126 | E | p. 94 | 6.6.1 p3,s2
  Problem: The Recipient of an IKE_Informational protocol request shall send some response (else the Sender assumes the message was lost in the network and retransmits it).
  Suggested solution: The Recipient of an IKE_Informational protocol request shall send some response, otherwise the Sender assumes the message was lost in the network and retransmits it.

IBM - Penokie-030 | E | p. 95 | 6.3.2.1 Payload Structure, 1st paragraph under note 13
  Problem: [not rendered in the source; the cell shows only ###]
IBM - Penokie-032 | E | p. 95 | 6.3.2.1 Payload Structure, 2nd paragraph after note 14
  Problem: The statement << This effectively proposes four combinations of algorithms, >> should be << The result is four combinations of algorithms, >>

IBM - Penokie-033 | E | p. 95 | 6.3.2.1 Payload Structure, 2nd paragraph after note 14
  Problem: [not rendered in the source; the cell shows only ###]

IBM - Penokie-031 | E | p. 95 | 6.3.2.1 Payload Structure, second paragraph under note 14
  Problem: [not rendered in the source; the cell shows only ###]

CNT-127 | E | p. 95 | 6.6.1 p4,s4
  Problem: To delete an SA, an IKE_Informational message with one or more Delete Payloads is sent listing the SPIs (as they would be expected in the headers of inbound packets) of the SAs to be deleted.
  Suggested solution: To delete an SA, an IKE_Informational message with one or more Delete Payloads is sent listing the SPIs, as they would be expected in the headers of inbound packets, of the SAs to be deleted.

CNT-128 | E | p. 95 | 6.6.1 p5,s4
  Problem: In that case, …
  Suggested solution: In this case, ...

CNT-129 | E | p. 95 | 6.6.1 p6,s2
  Problem: Note that this specification nowhere specifies …
  Suggested solution: Note that this standard does not specify ...

CNT-130 | E | p. 95 | 6.6.1 p6,s4
  Problem: If connection state becomes sufficiently messed up,
  Suggested solution: If connection state becomes ambiguous, ...

McDATA-219 | E | p. 95
  Problem: As on page 69, it's not clear what a "connection" is here.
  Suggested solution: Fix similarly to McDATA comment for page 69.

CNT-132 | E | p. 96 | 6.6.2 Notify Message Type:
  Problem: … (see below).
  Suggested solution: … (see table 96 and table 97).
CNT-131 | E | p. 96 | 6.6.2 p1,s1
  Problem: The Notify Payload is used to transmit informational data, such as error conditions and state transitions, to an IKE peer. A Notify Payload may appear in a response message (usually specifying why a request was rejected), in an IKE_Informational message (to report an error not in an IKE request), or in any other message to indicate sender capabilities or to modify the meaning of the request. The Notify Payload format is shown in table 95.
  Suggested solution: The Notify Payload is used to transmit informational data (e.g., error conditions and state transitions) to an IKE peer. A Notify Payload may appear in a response message usually specifying why a request was rejected, in an IKE_Informational message to report an error not in an IKE request, or in any other message to indicate sender capabilities or to modify the meaning of the request. The Notify Payload format is shown in table 95.

Brocade-9 | E | p. 97 | 6.6.2
  Problem: Another forbidden word is "cannot". It usually means "shall not", but sometimes has other meanings.
  Suggested solution: In 6.6.2 on page 97, "recipient cannot handle" s/b "recipient does not support". In 6.8.7 on page 108, "The SA_Initiator, however, cannot receive" s/b "The SA_Initiator, however, is unable to receive". In 6.8.10 on page 110, "two endpoints cannot reconstruct" s/b "two endpoints is unable to reconstruct".

CNT-133 | E | p. 97 | table 96 Type 7 Description
  Problem: Indicates the IKE message was received …
  Suggested solution: Indicates the IKE message received was ...

CNT-134 | E | p. 97 | table 96 Type 9 Description
  Problem: This Notify shall not be sent in a response; the invalid request shall not be acknowledged.
  Suggested solution: This Notify shall not be sent in a response and the invalid request shall not be acknowledged.

IBM - Penokie-036 | E | p. 98 | 6.3.2.1 Payload Structure, NOTE 17
  Problem: This note does not belong here. It should either be deleted or moved to an informative annex with all the wants and wishes removed.

IBM - Penokie-035 | E | p. 98 | 6.3.2.1 Payload Structure, SPI size description
  Problem: The statement << because the SPI is obtained from the IKE_Header Payload. >> should be deleted as it contains no useful information.
CNT-135 | E | p. 98 | table 96 Type 17 Description
  Problem: There are two bytes of data associated with this notification: the accepted DH Group number in big endian order.
  Suggested solution: There are two bytes of data associated with this notification and the accepted DH Group number is in big endian byte order.

CNT-136 | E | p. 98 | table 96 Type 38 Description
  Problem: Indicates that none of the addresses/protocols in the supplied Traffic Selectors is acceptable.
  Suggested solution: Indicates that none of the addresses or protocols in the supplied Traffic Selectors is acceptable.

CNT-137 | E | p. 98 | table 96 Type 39 Description
  Problem: … on which it was delivered (and which caused the packet to be dropped).
  Suggested solution: … on which it was delivered, and which caused the packet to be dropped.

IBM - Penokie-037 | E | p. 99 | 6.3.2.1 Payload Structure, Table 70
  Problem: The numbers << 1024 .. 65535 >> should be << 1 024 .. 65 535 >>

CNT-141 | E | p. 99 | 6.6.3 p1,s1
  Problem: The Delete Payload contains Protocol specific Security Association identifiers (SPIs) that the sender has removed from its Security Association database and that therefore are no longer valid.
  Suggested solution: The Delete Payload contains Protocol specific SPIs that the sender has removed from its Security Association database and thus are no longer valid.

EMC-68 | E | p. 99 | Table 97 REKEY_SA
  Problem: Need to explain more about rekeying for notify
  Suggested solution: Add a reference to the discussion in Section 6.8.7 and point out that REKEY_SA is needed to say that this is a rekeying as opposed to a new SA establishment.

CNT-138 | E | p. 99 | table 97 Type 16384 Description
  Problem: This notification asserts that …
  Suggested solution: This notification specifies that ...

CNT-139 | E | p. 99 | table 97 Type 16386 Description
  Problem: This notification asserts that …
  Suggested solution: This notification specifies that ...

CNT-140 | E | p. 99 | table 97 Type 16392 Description
  Problem: … based on an HTTP-based URL (and hence presumably would prefer to receive certificate specifications in that format).
  Suggested solution: … based on an HTTP-based URL, and presumably would prefer to receive certificate specifications in that format.

IBM - Penokie-038 | E | p. 100 | 6.3.2.1 Payload Structure, Table 71
  Problem: The numbers << 1024 .. 65535 >> should be << 1 024 .. 65 535 >>
IBM - Penokie-040 | E | 100 | 6.3.2.1 Payload Structure, Table 72 | The numbers << 1024 .. 65535 >> should be << 1 024 .. 65 535 >>
IBM - Penokie-042 | E | 100 | 6.3.2.1 Payload Structure, Table 72 | The numbers << 1024 .. 65535 >> should be << 1 024 .. 65 535 >>
IBM - Penokie-041 | E | 100 | 6.3.2.1 Payload Structure, Table 73 | The statement << Appendix B of IKEv2 >> should be << IKE2 >> as you cannot reference a section in another document.
CNT-142 | E | 100 | 6.6.3 p3 | Deletion of the IKE_SA is indicated by a Security Protocol_ID of one but no SPIs. Deletion of a Child_SA, such as ESP_Header or CT_Authentication, contains the Security Protocol_ID of that Protocol and the SPI shall be the SPI value the sending endpoint would expect in inbound ESP_Header frames or CT_Authenticated CT_IUs. | Deletion of the IKE_SA is indicated by a Security Protocol_ID of one with no SPIs. Deletion of a Child_SA (e.g., ESP_Header or CT_Authentication) is indicated by the Security Protocol_ID of that Protocol and the SPI set to the SPI value the sending endpoint would expect in inbound ESP_Header frames or CT_Authenticated CT_IUs.
CNT-143 | E | 100 | 6.6.4 p2,s1 | … sender is capable to accepting … | … sender is capable of accepting ...
CNT-144 | E | 100 | 6.6.4 p2,s2 | … defined in this specification … | … defined in this standard ...
CNT-145 | E | 100 | 6.6.4 p2,s4 | An implementation is not required to send any Vendor_ID Payload at all. | An implementation is not required to send Vendor_ID Payloads.
CNT-147 | E | 101 | 6.7 | extra linefeeds above heading | remove
IBM - Penokie-043 | E | 101 | 6.3.2.1 Payload Structure, Last paragraph | The statement << A compliant implementation shall understand all mandatory >> should be << A compliant implementation shall support all mandatory >>
IBM - Penokie-044 | E | 101 | 6.3.2.1 Payload Structure, Last paragraph | The statement << Protocol it supports (though it need not accept Proposals with unacceptable suites). A >> should be << Protocol it supports. Although that implementation need not accept Proposals with unacceptable suites. A >>
IBM - Penokie-045 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, 1st item d) | The statement << (1024 bits). Support for group 14 (2048 bit) is >> should be << (1 024 bits). Support for group 14 (2 048 bit) is >>
IBM - Penokie-047 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, 1st paragraph after 3rd a,b,c list | The statement << No system should only implement the mandatory algorithms and expect them to be the best choice for all customers. >> has no purpose in a standard and should be deleted.
IBM - Penokie-048 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, 2nd paragraph after a,b,c lists | ###################################
IBM - Penokie-049 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, 2nd paragraph after a,b,c lists | ###################################
ENDL-032 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, last p on pg, s 1 | 'It is likely that additional transforms will be added in the future,' is inappropriate for a T11 standard. | Delete the cited text.
ENDL-033 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, last p on pg, s 1 | 'some users may want to use private suites' Isn't this covered by the vendor specific Transform_ID values in table 73? | Delete the cited text.
ENDL-034 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, last p on pg, s 1 | 'especially for IKE where implementations should be capable of supporting different parameters, up to certain size limits.' FC-SP references IKEv2, not IKE. | Delete the cited text.
ENDL-035 | E | 101 | 6.3.2.2 Mandatory Transform_IDs, last p on pg, s 2 | 'In support of this goal, all implementations of IKEv2' is of no value. | Change it to 'Implementations'.
CNT-146 | E | 101 | 6.6.4 p3,s2 | … described throughout this document … | … described in this standard …
CNT-148 | E | 101 | 6.7.1 p1,s1 | … after that Authentication Initiator … | … after the Authentication Initiator …
CNT-149 | E | 101 | 6.7.1 p1,s3 | In this case the … | In this case, the …
CNT-150 | E | 101 | 6.7.1 p2,s3 | In the case both parties … | If both parties …
IBM - Penokie-050 | E | 102 | 6.3.2.2 Mandatory Transform_IDs, 2nd paragraph after a,b,c lists | The statement << Transform_IDs may be entered (by a user or system administrator), to enable negotiating such groups. >> should be << Transform_IDs may be entered by a user or system administrator, to enable negotiating such groups. >>
IBM - Penokie-051 | E | 102 | 6.3.2.3 Transform Attributes Definition, 1st paragraph | ###################################
IBM - Penokie-052 | E | 102 | 6.3.2.3 Transform Attributes Definition, 4th paragraph under table 75 | The statement << Note that only a single attribute type (Key Length) is defined, >> should be << Only a single attribute type (Key Length) is defined, >>
ENDL-036 | E | 102 | 6.3.2.3 Transform Attributes Definition, last p on pg, last s in p | which require | that require
CNT-151 | E | 102 | 6.7.1 p3,s1 | … is indicated by the Authentication Initiator by including … | … is indicated by the Authentication Initiator including …
CNT-152 | E | 102 | 6.7.1 p4,s1 | … by setting to one the Continuation_Flag in the AUTH Flags field of the first AUTH message sent. | … by setting the Continuation_Flag to one in the AUTH Flags field of the first AUTH message sent.
CNT-153 | E | 102 | 6.7.1 p4,s3 | … they shall set to one the Continuation_Flag in all the subsequent AUTH messages belonging to the performed Authentication protocol, and shall set to zero the Continuation_Flag when ... | … they shall set the Continuation_Flag to one in all the subsequent AUTH messages belonging to the performed Authentication protocol, and shall set the Continuation_Flag to zero when ...
CNT-154 | E | 102 | 6.7.1 p4,s4 | The IKE_SA_Init message after the Authentication protocol transaction should be received in AUTH_TOV. | The IKE_SA_Init message after the Authentication protocol transaction should be received before AUTH_TOV.
EMC-70 | E | 102 | 6.7.2 | Describe advantages of using IKEv2 AUTH without prior authentication protocol. | Simpler exchange, less cryptographic mechanism involved in binding to identity, hides identities from passive attacker.
McDATA-223 | E | 102 | 6.7.2 | This is very confusing. I assume this AUTH option means using IKE's own authentication. If so, why give it another name? If not, what are the differences? | Pick a better name for using IKE without a prior authentication protocol.
CNT-155 | E | 102 | 6.7.2 p1,s2 | We refer to such a protocol with the name IKEv2-AUTH. | In this case, the protocol is named IKEv2-AUTH.
CNT-156 | E | 102 | 6.7.2 p1,s3 | … shall be indicated by the Authentication Initiator by including … | … shall be indicated by the Authentication Initiator including …
IBM - Penokie-053 | E | 103 | 6.3.2.3 Transform Attributes Definition, Table 76 | The numbers << 16384 .. 32767 >> should be << 16 384 .. 32 767 >>
IBM - Penokie-054 | E | 103 | 6.3.2.4 Use of the Security_Association Payload with CT_Authentication, Item e) | The number << 80000001h >> and << 80000002h >> should be << 8000 0001h >> and << 8000 0002h >>.
IBM - Penokie-056 | E | 103 | 6.3.2.5 Negotiation of Security Association Parameters, 1st paragraph | The statement << from the offers (or reject all offers if none are acceptable). >> should be << from the offers or reject all offers if none are acceptable. >>
IBM - Penokie-057 | E | 103 | 6.3.2.5 Negotiation of Security Association Parameters, 2nd paragraph | The statement << Negotiating Diffie-Hellman groups presents some special challenges. SA offers >> should be << When negotiating Diffie-Hellman groups SA offers >>
CNT-157 | E | 103 | 6.7.3 p1,s5 | In this last case the IKE_Auth message does carry the optional Certificate and Certificate Request Payloads. | If certificates are used, the IKE_Auth message shall carry the optional Certificate and Certificate Request Payloads.
CNT-158 | E | 103 | 6.7.3 p3 | Redundant with sentence in the first paragraph. | remove the paragraph
CNT-159 | E | 103 | 6.7.3 p4,s1 | … selects IKEv2-AUTH as Authentication protocol … | … selects IKEv2-AUTH as the Authentication protocol ...
CNT-160 | E | 103 | 6.7.3 p4,s2 | The Authentication Responder (that becomes the SA_Initiator) shall then send an IKE_SA_Init message to the Authentication Initiator (that becomes the SA_Responder). | The Authentication Responder that becomes the SA_Initiator, shall then send an IKE_SA_Init message to the Authentication Initiator that becomes the SA_Responder.
McDATA-225 | E | 104 | 6.8 | Good stuff that should be seen sooner in doc. | Move this section to 6.2.
IBM - Penokie-058 | E | 104 | 6.3.2.5 Negotiation of Security Association Parameters, note 18 | The statement << may have ranges or could have multiple acceptable >> should be << may have ranges or multiple acceptable >>
IBM - Penokie-059 | E | 104 | 6.3.2.5 Negotiation of Security Association Parameters, note 18 | ###################################
ENDL-038 | E | 104 | 6.3.2.5 Negotiation of Security Association Parameters, Note 18, s 1 | could have | may have
ENDL-039 | E | 104 | 6.3.2.5 Negotiation of Security Association Parameters, note 18, s 3 | which they deem | that they deem
ENDL-040 | E | 104 | 6.3.4 Nonce Payload, Nonce Data, p 1, s 1 | liveness | accessibility
CNT-161 | E | 104 | 6.8.1 p1,s1 | All messages in IKE exist in pairs: a request and a response. | All messages in IKE exist in pairs (i.e., a request and a response).
IBM - Penokie-060 | E | 105 | 6.4.1 Overview, 1st paragraph | The statement << from eavesdroppers >> should be deleted as it states no useful information.
IBM - Penokie-061 | E | 105 | 6.4.1 Overview, 2nd paragraph | The statement << may generate SKEYSEED (as specified in clause 6.8.12), from >> should be << may generate SKEYSEED (see 6.8.12), from >>
IBM - Penokie-062 | E | 105 | 6.4.1 Overview, 2nd paragraph | The statement << (authentication, a.k.a. integrity protection). >> should be << (authentication (i.e., integrity protection)). >>
IBM - Penokie-063 | E | 105 | 6.4.1 Overview, 3rd paragraph | The statement << The final fields (starting with SAi2) are described in the description of the IKE_Create_Child_SA message. >> should be << The final fields, starting with SAi2, are described in the description of the IKE_Create_Child_SA message. >>
IBM - Penokie-064 | E | 105 | 6.4.1 Overview, 4th paragraph | In the statement << with the additional fields described below in the IKE_Create_Child_SA message. >> the term << below >> is not specific enough. This needs to be a reference to a specific subclause.
IBM - Penokie-065 | E | 106 | 6.4.2 Encrypted Payload, 1st paragraph | The statement << Often it is the only IKE Payload in the message. >> should be << The Encrypted Payload may be the only IKE Payload in the message. >>
IBM - Penokie-066 | E | 106 | 6.4.2 Encrypted Payload, 2nd paragraph | The statement << after the ESP algorithms described in RFC 2104, 2406, 2451 >> should be << after the ESP algorithms described in RFC 2104, RFC 2406, and RFC 2451 >>
IBM - Penokie-068 | E | 106 | 6.4.2 Encrypted Payload, 2nd paragraph | ###################################
IBM - Penokie-067 | E | 106 | 6.4.2 Encrypted Payload, 2nd paragraph | ###################################
ENDL-048 | E | 106 | 6.4.2 Encrypted Payload, Initialization Vector, p 1, s 2 | Recipients shall accept any value. | Recipients shall ignore the contents of this field.
ENDL-041 | E | 106 | 6.4.2 Encrypted Payload, p 1, s2 | 'in a message' adds no value. | Delete the cited text.
ENDL-042 | E | 106 | 6.4.2 Encrypted Payload, p 1, s2 | it | the Encrypted Payload
ENDL-043 | E | 106 | 6.4.2 Encrypted Payload, p 2, s1 | RFC 2104, 2406, 2451 | RFC 2104, RFC 2406, and RFC 2451
ENDL-044 | E | 106 | 6.4.2 Encrypted Payload, p 2, s2 | This document | This standard
ENDL-045 | E | 106 | 6.4.2 Encrypted Payload, p 2, s2 | those documents | RFC 2104, RFC 2406, and RFC 2451
ENDL-046 | E | 106 | 6.4.2 Encrypted Payload, p 2, s2 | should be consulted for | describe the
ENDL-047 | E | 106 | 6.4.2 Encrypted Payload, p 2, s3 | We assume | This standard assumes
Brocade-32 | E | 106 | 6.8.4 | The "invalid" keyword is used incorrectly in this clause. | Modify the clause to remove the word invalid.
ENDL-051 | E | 107 | 6.4.3 Identification Payload, 1st p after table 83, s 1 | / is not a defined acronym | 'SA_Initiator/SA_Responder' s/b 'SA_Initiator or SA_Responder'
ENDL-050 | E | 107 | 6.4.3 Identification Payload, table 83 footnote a | (NAA=6h) | (i.e., NAA = 6h)
McDATA-229 | E | 107 | 6.8.6 | Most of the section is duplicate of 6.3.2 except the last paragraph. | Combine 6.3.2 and 6.8.6.
ENDL-052 | E | 109 | 6.4.3 Identification Payload, 3rd p on pg, last s in p | For a certain traffic flow | For a given traffic flow
ENDL-055 | E | 109 | 6.4.3 Identification Payload, 4th p on pg, 2nd to last s | range of CT GS_Subtypes | range of CT GS_Subtypes (see FC-GS-4)
ENDL-057 | E | 109 | 6.4.3 Identification Payload, 4th p on pg, last s in p | D_ID/S_ID | D_ID and S_ID
ENDL-053 | E | 109 | 6.4.3 Identification Payload, 4th p on pg, s 1 | R_CTLs values and Types | R_CTLs values and Types (see FC-FS)
ENDL-054 | E | 109 | 6.4.3 Identification Payload, 4th p on pg, s 3 | to which the Selector is applied to | to which the Selector is applied [delete the second 'to']
ENDL-056 | E | 109 | 6.4.3 Identification Payload, 4th p on pg, s 3,4,5 | Writing the relationships between Protocols and Types out longhand lacks clarity. | Put the Protocol-to-Type information in a table.
IBM - Penokie-071 | E | 109 | 6.4.5 Traffic Selector Payload, 1st paragraph under number of TS definitions | The statement << A range of FC addresses is a set of two 3-bytes values: the first value is the beginning FC_ID (inclusive), >> should be << A range of FC addresses is a set of two 3-bytes values. The first value is the beginning FC_ID (inclusive), >>
IBM - Penokie-072 | E | 109 | 6.4.5 Traffic Selector Payload, 2nd paragraph under number of TS definitions | ###################################
IBM - Penokie-074 | E | 110 | 6.4.6 Certificate Payload, 1st paragraph | The statement << this information from elsewhere using an HTTP_CERT_LOOKUP_SUPPORTED Notify payload. >> should be << this information using an HTTP_CERT_LOOKUP_SUPPORTED Notify payload. >>
IBM - Penokie-075 | E | 110 | 6.4.6 Certificate Payload, 1st paragraph | ###################################
ENDL-059 | E | 110 | 6.4.6 Certificate Payload, p 1 | Make the sentence beginning with 'Note that' an actual note. Move the last sentence in this paragraph to the beginning of a new paragraph.
IBM - Penokie-076 | E | 111 | 6.4.6 Certificate Payload, Table 89 | The statement << These encodings allow IKE messages to remain short by replacing long data structures with a 20 >> should be << These encodings replace long data structures with a 20 >>
IBM - Penokie-077 | E | 111 | 6.4.6 Certificate Payload, Table 89 | The statement << This improves efficiency when the endpoints have certificate data cached. >> should be deleted as it contains no useful standards information.
ENDL-064 | E | 112 | 6.4.7 Certificate Request Payload, 1st p after a,b,c list, s 1 | must | shall
ENDL-065 | E | 112 | 6.4.7 Certificate Request Payload, 1st p after a,b,c list, s 3 | could | may
ENDL-066 | E | 112 | 6.4.7 Certificate Request Payload, 1st p after a,b,c list, s 3 | which would still enable | that would still enable
IBM - Penokie-078 | E | 112 | 6.4.7 Certificate Request Payload, 2nd paragraph under Certification Authority | The statement << (see section 4.1.2.7 of RFC 3280) from >> should be << (RFC 3280) from >> as you cannot reference a numbered section in another document.
IBM - Penokie-079 | E | 112 | 6.4.7 Certificate Request Payload, 2nd paragraph under Certification Authority | ###################################
ENDL-061 | E | 112 | 6.4.7 Certificate Request Payload, Certification Authority, p 3, s 3 | (see section 4.1.2.7 of RFC 3280) | (see RFC 3280)
ENDL-062 | E | 112 | 6.4.7 Certificate Request Payload, Certification Authority, p 4, s 2 | which may be validated | that may be validated
ENDL-063 | E | 112 | 6.4.7 Certificate Request Payload, Certification Authority, p 4, s 4 | which satisfies | that satisfies
IBM - Penokie-080 | E | 112 | 6.4.7 Certificate Request Payload, last paragraph | The statement << Certificate revocation checking must be considered during the chaining process used to select a certificate. >> should be << Certificate revocation checking shall be considered during the chaining process used to select a certificate. >>
IBM - Penokie-081 | E | 112 | 6.4.7 Certificate Request Payload, Last paragraph | ###################################
IBM - Penokie-082 | E | 112 | 6.4.7 Certificate Request Payload, Last paragraph | ###################################
IBM - Penokie-083 | E | 112 | 6.4.7 Certificate Request Payload, Last paragraph | ###################################
IBM - Penokie-084 | E | 112 | 6.4.7 Certificate Request Payload, last paragraph | The statement << There may be cases where there is a preferred CA, but an alternate may be acceptable (perhaps after prompting a human operator). >> should be deleted as it adds nothing new to the statements already made in this paragraph.
IBM - Penokie-085 | E | 113 | 6.5 IKE_Create_Child_SA Message, 1st paragraph | The statement << protocols are cryptographically protected using the cryptographic algorithms >> should be << protocols are protected using the cryptographic algorithms >>
ENDL-067 | E | 113 | 6.5 IKE_Create_Child_SA Message, 2nd p on pg, s1 | in this section | in this subclause
IBM - Penokie-086 | E | 113 | 6.5 IKE_Create_Child_SA Message, 2nd paragraph | The statement << in this section the term SA_Initiator refers to the endpoint initiating this protocol. >> should be << in this subclause the term SA_Initiator refers to the endpoint initiating this protocol. >>
IBM - Penokie-087 | E | 113 | 6.5 IKE_Create_Child_SA Message, 3rd paragraph | The statement << may optionally contain a KE Payload for an additional >> should be << may contain a KE Payload for an additional >>
IBM - Penokie-088 | E | 113 | 6.5 IKE_Create_Child_SA Message, 3rd paragraph | The statement << and the Diffie-Hellman value (if KE Payloads are included in the IKE_Create_Child_SA message). >> should be << and the Diffie-Hellman value if the IKE_Create_Child_SA message. >>
IBM - Penokie-089 | E | 113 | 6.5 IKE_Create_Child_SA Message, 3rd paragraph after figure 19 | The statement << The SA_Responder replies (using the same Message_ID to respond) with the accepted offer in an >> should be << The SA_Responder replies, using the same Message_ID to respond, with the accepted offer in an >>
ENDL-068 | E | 113 | 6.5 IKE_Create_Child_SA Message, last p on pg, s1 | which may be a subset | that may be a subset
ENDL-069 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 1, s 1 | convey | send
ENDL-072 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 2, s 2 | 'the protection of' appears to be unnecessary. | Delete the cited text in the cited sentence or add it to the first sentence in the paragraph.
ENDL-073 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 2, s 2 | which generated | that generated
ENDL-074 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 2, s 2 | (or its successor if the IKE_SA was replaced for the purpose of rekeying) | Remove parentheses
ENDL-080 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 3, last s on pg | 'also' is unnecessary. | Delete 'also'.
ENDL-075 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 3, s 1 | 6.1.5 mentions Vendor_ID Payloads as appearing in IKE_Informational messages. | Add Vendor_ID Payloads here to match 6.1.5 and table 94.
ENDL-076 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 3, s 2 | some response (else | a response. Otherwise,
ENDL-077 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 3, s 2 | 'in the network' is not appropriate to Fibre Channel. | Delete the cited text.
ENDL-078 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 3, s 2(3) | it) | it [remove parenthesis]
ENDL-079 | E | 114 | 6.6.1 {IKE_Informational Message} Overview, p 3, s 3 | That response | The response
IBM - Penokie-090 | E | 114 | 6.6.1 Overview, 1st paragraph | The statement << peers may desire to convey control messages to each other regarding errors or notifications of certain events. >> should be << peers may convey control messages to each other regarding errors or notifications of certain events. >>
IBM - Penokie-091 | E | 114 | 6.6.1 Overview, 2nd paragraph | The statement << which generated them (or its successor if the IKE_SA was replaced for the purpose of rekeying). >> should be << which generated them or its successor if the IKE_SA was replaced for the purpose of rekeying. >>
IBM - Penokie-092 | E | 114 | 6.6.1 Overview, 3rd paragraph | The statement << send some response (else the Sender assumes the message was lost in the network and retransmits it). >> should be << send some response else the Sender assumes the message was lost in the network and retransmits it. >>
ENDL-081 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 1st p after figure 20, s 1 | exist | occur
ENDL-085 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 2nd p after figure 20, last s in p | since that would result in duplicate deletion and could in theory delete the wrong SA | resulting in a duplicate deletion that may delete the wrong SA.
ENDL-082 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 2nd p after figure 20, s 2 | 'by chance' adds no value | Delete the cited text.
ENDL-083 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 2nd p after figure 20, s 2 | in the network | in the fabric
ENDL-084 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 2nd p after figure 20, s 3 | a node | an entity
ENDL-090 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, 2nd to last s in p | which implicitly closes | implicitly closing
ENDL-091 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, last s in p | It | An entity
ENDL-092 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, last s in p | 'on a clean base' adds no value | Delete the cited text.
ENDL-087 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, s 1 | should they persist | if they persist
ENDL-086 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, s 1&3 | A node [twice] | An entity
ENDL-088 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, s 2 | Note that this specification nowhere specifies | This standard does not specify
ENDL-089 | E | 115 | 6.6.1 {IKE_Informational Message} Overview, 3rd p after figure 20, s 4 | If connection state becomes sufficiently messed up, a node | An entity
IBM - Penokie-093 | E | 115 | 6.6.1 Overview, 1st paragraph under figure 20 | ###################################
IBM - Penokie-094 | E | 115 | 6.6.1 Overview, 1st paragraph under figure 20 | ###################################
IBM - Penokie-095 | E | 115 | 6.6.1 Overview, 2nd paragraph under figure 20 | The statement << Delete Payloads for the deleted SAs, since that would result in >> should be << Delete Payloads for the deleted SAs, since that results in >>
IBM - Penokie-096 | E | 115 | 6.6.1 Overview, 2nd paragraph under figure 20 | The statement << deletion and could in theory delete the wrong SA. >> should be << deletion and may delete the wrong SA. >>
IBM - Penokie-097 | E | 115 | 6.6.1 Overview, 3rd paragraph under figure 20 | The statement << Note that this specification nowhere specifies timeout periods, >> should be << This standard does not specify timeout periods, >>
IBM - Penokie-098 | E | 115 | 6.6.1 Overview, 3rd paragraph under figure 20 | The statement << If connection state becomes sufficiently messed up, a node may close the IKE_SA which implicitly >> should be << A node may close the IKE_SA which implicitly >>
IBM - Penokie-099 | E | 116 | 6.6.2 Notify Payload, 1st paragraph | The statement << informational data, such as error conditions and state transitions, to an IKE peer. >> should be << informational data (e.g.,error conditions and state transitions), to an IKE peer. >>
IBM - Penokie-100 | E | 116 | 6.6.2 Notify Payload, 1st paragraph | ###################################
IBM - Penokie-101 | E | 116 | 6.6.2 Notify Payload, Notification Data description | In the statement << Values for this field are type specific (see below). >> the below reference needs to be to a specific subclause.
IBM - Penokie-102 | E | 116 | 6.6.2 Notify Payload, Notify message type description | The statement << specifying why an SA could not be established. >> should be << specifying why an SA is not able to be established. >>
IBM - Penokie-103 | E | 116 | 6.6.2 Notify Payload, Notify message type description | The statement << Types in the range 0 .. 16383 are intended for reporting errors. >> should be << Types in the range 0 .. 16 383 are intended for reporting errors. >>
ENDL-093 | E | 116 | 6.6.2 Notify Payload, Notify Message Type, p 1, s 2 | an SA could not be established | it was not possible to establish an SA
EMC-75 | E | 116 | 6.8.18 | Gratuitous blank page | Remove blank page
IBM - Penokie-109 | E | 117 | 6.6.2 Notify Payload, table 96 row 6 | The statement << (because it could easily be forged). >> should be deleted as it contains no useful standards information.
IBM - Penokie-104 | E | 117 | 6.6.2 Notify Payload, table 96 1st row | The statement << has the critical bit set and >> should be << has the critical bit set to one and >>
IBM - Penokie-105 | E | 117 | 6.6.2 Notify Payload, table 96 2nd row | The statement << This usually indicates that the recipient has rebooted and forgotten the existence of an IKE_SA. >> should be deleted as it contains no information relevant to the standard.
IBM - Penokie-106 | E | 117 | 6.6.2 Notify Payload, Table 96 3rd row | The statement << Indicates the recipient cannot handle the version >> should be << Indicates the recipient is not able to handle the version >>
IBM - Penokie-107 | E | 117 | 6.6.2 Notify Payload, Table 96 row 5 | In the statement << This Notify shall not be sent in a response; the invalid request shall not be acknowledged. >> should be << This Notify shall not be sent in a response to an invalid request shall not be acknowledges' response. >>
IBM - Penokie-108 | E | 117 | 6.6.2 Notify Payload, Table 96 row 6 | The statement << This usually indicates a node has rebooted and forgotten an SA. >> should be deleted as it contains no useful standards information.
ENDL-094 | E | 117 | 6.6.2 Notify Payload, table 96, type 11 row | something may be wrong (because it could easily be forged). | something may be wrong because it may be forged.
IBM - Penokie-112 | E | 118 | 6.6.2 Notify Payload, Table 96 row 10 | The statement << its sender is only willing to accept >> should be << its sender is only accepts >>
IBM - Penokie-113 | E | 118 | 6.6.2 Notify Payload, Table 96 row 11 | The statement << unacceptable because the SA_Responder is unwilling to accept any more Child_SAs on this IKE_SA. >> should be << unacceptable because the SA_Responder is not able to accept any more Child_SAs on this IKE_SA. >>
IBM - Penokie-114 | E | 118 | 6.6.2 Notify Payload, table 96 row 13 | The statement << delivered (and which caused the packet to be dropped). >> should be << delivered and that caused the packet to be dropped). >>
IBM - Penokie-115 | E | 118 | 6.6.2 Notify Payload, Table 96 row 14 | The number << 8191 >> should be << 8 191 >>.
IBM - Penokie-116 | E | 118 | 6.6.2 Notify Payload, Table 96 row 14 | The statement << Reserved - Errors >> should be << Reserved >>.
IBM - Penokie-117 | E | 118 | 6.6.2 Notify Payload, Table 96 row 15 | The statement << 8192 .. 16383 >> should be << 8 192 .. 16 383 >>
IBM - Penokie-118 | E | 118 | 6.6.2 Notify Payload, Table 96 row 15 | The statement << Vendor Specific - Errors >> should be << Vendor Specific >>
IBM - Penokie-110 | E | p. 118 | 6.6.2 Notify Payload, table 96 row 8 | Problem: [problem description not captured in the export]
IBM - Penokie-111 | E | p. 118 | 6.6.2 Notify Payload, Table 96 row 8 | Problem: The term << big endian >> is not defined in this standard. This has to be fixed or the term removed from the standard.
ENDL-095 | E | p. 118 | 6.6.2 Notify Payload, table 96, type 38 row | Problem: addresses/protocols | Suggested: address/protocol combinations
ENDL-096 | E | p. 118 | 6.6.2 Notify Payload, table 96, type 39 row | Problem: (and which caused the packet to be dropped) | Suggested: and that caused the packet to be dropped
IBM - Penokie-120 | E | p. 119 | 6.6.2 Notify Payload, Table 97 | Problem: All the type numbers need to be changed to the ISO format (e.g. 16384 to 16 384)
IBM - Penokie-119 | E | p. 119 | 6.6.2 Notify Payload, Table 97 row 1 | Problem: The statement << after a crash, >> should be << after a xxx failure >> unless you want to define the term << crash >>; this needs to be changed.
IBM - Penokie-121 | E | p. 119 | 6.6.2 Notify Payload, Table 97 row 2 | Problem: The statement << Selectors but that other Traffic Selectors would also have been acceptable, >> should be << Selectors but that other Traffic Selectors may also have been acceptable, >>
IBM - Penokie-122 | E | p. 119 | 6.6.2 Notify Payload, Table 97 row 3 | Problem: The statement << HTTP-based URL (and hence presumably would prefer to receive certificate specifications in that format). >> should be << HTTP-based URL. >>
IBM - Penokie-123 | E | p. 119 | 6.6.2 Notify Payload, Table 97 row 5 | Problem: The statement << Reserved - Errors >> should be << Reserved >>.
IBM - Penokie-124 | E | p. 119 | 6.6.2 Notify Payload, Table 97 row 6 | Problem: The statement << Vendor Specific - Errors >> should be << Vendor Specific >>
IBM - Penokie-125 | E | p. 119 | 6.6.3 Delete Payload, 1st paragraph | Problem: [problem description not captured in the export]
EMC-77 | E | p. 119 | 7.1.2 | Problem: Identifier fields in Policy Summary object are not defined | Suggested: Define them.
IBM - Penokie-126 | E | p. 120 | 6.6.3 Delete Payload, Last paragraph | Problem: The statement << the sending endpoint would expect in inbound ESP_Header >> should be << the sending endpoint expects in inbound ESP_Header >>
McDATA-242 | E | p. 120 | Name Length | Problem: Name Length s/b Hash Length
IBM - Penokie-127 | E | p. 121 | 6.7.1 Authentication Transaction and SA Management Transaction, 2nd paragraph | Problem: The statement << In the case both parties send an IKE_SA_Init at the same time, >> should be << If both parties send an IKE_SA_Init at the same time, then >>
IBM - Penokie-128 | E | p. 122 | 6.7.2 IKEv2-AUTH Protocol, 1st paragraph | Problem: The statement << We refer to such a protocol with the name IKEv2-AUTH. >> should be << This standard refers to this protocol as IKEv2-AUTH. >>
McDATA-245 | E | p. 122 | Switch Entry | Problem: add period to the end of sentence.
McDATA-246 | E | p. 122 | Table 108 | Problem: This note should be changed to - The Name shall be either a Node_Name or a Wildcard.
IBM - Penokie-129 | E | p. 123 | 6.7.2 IKEv2-AUTH Protocol, Last paragraph | Problem: [problem description not captured in the export]
McDATA-247 | E | p. 123 | many places | Problem: The if ___ then sentences in this clause should be If ____, then
ENDL-103 | E | p. 124 | 6.8.1 Use of Retransmission Timers, 1st p after note 20, s 1 | Problem: OR | Suggested: or
IBM - Penokie-130 | E | p. 124 | 6.8.1 Use of Retransmission Timers, 1st paragraph | Problem: The statement << All messages in IKE exist in pairs: a request and a response. >> should be << All messages in IKE exist in pairs (i.e., a request and a response). >>
IBM - Penokie-131 | E | p. 124 | 6.8.1 Use of Retransmission Timers, 1st paragraph | Problem: The statement << requests and responses 'in flight' at any given moment. >> should be << requests and responses in flight at any given moment. >>
IBM - Penokie-133 | E | p. 124 | 6.8.1 Use of Retransmission Timers, 1st paragraph after note 20 | Problem: The statement << IKE is a reliable protocol, in the sense that the SA_Initiator shall retransmit >> should be << IKE is a reliable protocol, because the SA_Initiator shall retransmit >>
IBM - Penokie-132 | E | p. 124 | 6.8.1 Use of Retransmission Timers, 2nd paragraph | Problem: The statement << (at the IKE level) >> should be << ,at the IKE level, >> in all four cases.
ENDL-102 | E | p. 124 | 6.8.1 Use of Retransmission Timers, note 20 | Problem: If note 20 is correct, how much of the preceding two paragraphs is incorrect? | Suggested: Review the first two paragraphs of 6.8.1 and make them conform to note 20.
ENDL-097 | E | p. 124 | 6.8.1 Use of Retransmission Timers, p 1, s 1 | Problem: exist | Suggested: occur
ENDL-099 | E | p. 124 | 6.8.1 Use of Retransmission Timers, p 1, s 3 | Problem: 'in flight' | Suggested: in transit [note no quote marks]
ENDL-100 | E | p. 124 | 6.8.1 Use of Retransmission Timers, p 1, s 3 | Problem: moment | Suggested: time
ENDL-098 | E | p. 124 | 6.8.1 Use of Retransmission Timers, p 1, s 3&4 | Problem: Security Association [twice] | Suggested: SA
ENDL-101 | E | p. 124 | 6.8.1 Use of Retransmission Timers, p 1, s 4 | Problem: 'But' adds no value. | Suggested: Delete 'But'.
McDATA-251 | E | p. 124 | 7.1.3 Switch Membership List Requirements | Problem: Ordering should be at the beginning of this clause - not the end. | Suggested: move to the front and do a global replacement of these ordering requirements.
McDATA-250 | E | p. 124 | Auth Tolerance | Problem: Authentication Tolerance should be before the Authentication Required paragraph.
IBM - Penokie-134 | E | p. 125 | 6.8.2 Use of Sequence Numbers for Message_IDs, 2nd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-135 | E | p. 125 | 6.8.2 Use of Sequence Numbers for Message_IDs, 2nd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-136 | E | p. 125 | 6.8.2 Use of Sequence Numbers for Message_IDs, 4th paragraph | Problem: The statement << Note that Message_IDs are cryptographically protected >> should be << Message_IDs are cryptographically protected >>
ENDL-104 | E | p. 125 | 6.8.2 Use of Sequence Numbers for Message_IDs, p 2, s 1 | Problem: which is zero | Suggested: that is zero
IBM - Penokie-137 | E | p. 125 | 6.8.3 Overlapping Requests, 1st paragraph | Problem: The statement << For simplicity, an IKE implementation shall process requests >> should be << An IKE implementation shall process requests >>
IBM - Penokie-138 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, 1st paragraph | Problem: The statement << an endpoint crash, >> should be << an endpoint xxx failure >> unless you want to define the term << crash >>; this needs to be changed.
IBM - Penokie-139 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, 1st paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-140 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, 2nd paragraph | Problem: The statement << (at the IKE level) >> should be << ,at the IKE level, >> in all four cases.
IBM - Penokie-141 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, 2nd paragraph | Problem: The statement << IKE_Informational message that (like all IKE requests) requires an acknowledgment. >> should be << IKE_Informational message that requires an acknowledgment. >>
ENDL-105 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 1, s 1 | Problem: forget | Suggested: discard
ENDL-106 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 1, s 1 | Problem: time. This is the anticipated behavior in the event of an endpoint crash and restart | Suggested: time (e.g., as the result of a system failure or restart)
ENDL-108 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 1, s 2 | Problem: 'network' is not appropriate to Fibre Channel. | Suggested: Delete 'network'.
ENDL-107 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 1, s 3 | Problem: This sentence needs restructuring. | Suggested: Delete 'It is important' and change 'that the other endpoint detect' to 'the other endpoint should detect'.
ENDL-109 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 1, s 3 | Problem: 'and having them fall into a black hole' is not appropriate for a T11 standard. | Suggested: Delete the cited text.
ENDL-111 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 2, 3rd from last s in p | Problem: '(like all IKE requests)' is unnecessary. | Suggested: Delete the cited text.
ENDL-110 | E | p. 125 | 6.8.4 State Synchronization and Connection Timeouts, p 2, s 1 | Problem: 'Since IKE is designed to operate in spite of Denial of Service (DoS) attacks from the network' is unnecessary. | Suggested: Delete the cited text.
ENDL-112 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 1st p on pg, s 1 | Problem: covered in this specification | Suggested: defined in this standard
ENDL-113 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 1st p on pg, s 2 | Problem: different environments may require different rules | Suggested: different environments may have different requirements
ENDL-114 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 1st p on pg, s 3 | Problem: it is essential to confirm liveness of the other endpoint to avoid black holes | Suggested: steps should be taken to confirm access to the other endpoint
ENDL-115 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 1st p on pg, s 4 | Problem: needs to perform a liveness check in order to prevent sending messages to a dead peer | Suggested: should confirm access to the other endpoint
ENDL-116 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 1st p on pg, s 5 | Problem: liveness | Suggested: the accessibility
ENDL-117 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 2nd p on pg | Problem: an attacker could respond | Suggested: it is possible for an attacker to respond
IBM - Penokie-142 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 3rd paragraph | Problem: The statement << not covered in this specification because they >> should be << not covered in this standard because they >>
IBM - Penokie-143 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 3rd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-144 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 3rd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-145 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 3rd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-146 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 3rd paragraph | Problem: The statement << Note that this places requirements on the failure modes of an IKE endpoint. >> should be << This places requirements on the failure modes of an IKE endpoint. >>
IBM - Penokie-147 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 4th paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-148 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 4th paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-149 | E | p. 126 | 6.8.4 State Synchronization and Connection Timeouts, 5th paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-150 | E | p. 126 | 6.8.5 Cookies and Anti-Clogging Protection, 2nd paragraph | Problem: [problem description not captured in the export]
McDATA-253 | E | p. 126 | Authentication required | Problem: The last sentence s/b | Suggested: s/b by setting the Security Bit in the FLOGI LS_ACC (see FC-FS) to one.
McDATA-254 | E | p. 126 | Common Transport Access | Problem: Fabric Services s/b Generic Services | Suggested: Do global replace
IBM - Penokie-151 | E | p. 127 | 6.8.6 Cryptographic Algorithms Negotiation, 1st paragraph after note 22 | Problem: [problem description not captured in the export]
ENDL-118 | E | p. 127 | 6.8.6 Cryptographic Algorithms Negotiation, 2nd p after note 22, last s in p | Problem: which may be | Suggested: that may be
IBM - Penokie-152 | E | p. 127 | 6.8.6 Cryptographic Algorithms Negotiation, item b) | Problem: The statement << shall contain exactly one Transform >> should be << shall contain one Transform >>.
IBM - Penokie-153 | E | p. 127 | 6.8.6 Cryptographic Algorithms Negotiation, item b) | Problem: [problem description not captured in the export]
ENDL-119 | E | p. 127 | 6.8.6 Cryptographic Algorithms Negotiation, last p in subclause, last s in p | Problem: could trick | Suggested: may trick
ENDL-121 | E | p. 127 | 6.8.7 Rekeying, p 1, last s in p | Problem: which expire | Suggested: that expire
ENDL-120 | E | p. 127 | 6.8.7 Rekeying, p 1, s 1 | Problem: which should only | Suggested: that should only
IBM - Penokie-159 | E | p. 128 | 6.8.7 Rekeying, 10th paragraph | Problem: The statement << How, then, is the SA_Responder to know when it is OK to send on the newly created SA? >> needs to be deleted as it does not belong in a standard.
IBM - Penokie-160 | E | p. 128 | 6.8.7 Rekeying, 11th paragraph | Problem: The statement << From a technical correctness and interoperability perspective, the SA_Responder may begin sending >> should be << The SA_Responder may begin sending >>
IBM - Penokie-161 | E | p. 128 | 6.8.7 Rekeying, 11th paragraph | Problem: The statement << however, this could result in packets unnecessarily >> should be << however, this may result in packets unnecessarily >>
ENDL-122 | E | p. 128 | 6.8.7 Rekeying, 1st p on pg, s 1 | Problem: (see section 6.8.14 below) | Suggested: (see 6.8.14)
ENDL-124 | E | p. 128 | 6.8.7 Rekeying, 2nd p above 1,2 list, s 1 | Problem: 'From a technical correctness and interoperability perspective,' is meaningless. | Suggested: Delete the cited text.
ENDL-125 | E | p. 128 | 6.8.7 Rekeying, 2nd p above 1,2 list, s 2 | Problem: could result | Suggested: may result
ENDL-126 | E | p. 128 | 6.8.7 Rekeying, 2nd p above 1,2 list, s 2 | Problem: dropped, so an implementation may want to defer such sending. | Suggested: dropped. To avoid dropping packets, the sending of packets may be deferred until the IKE_Create_Child_SA response is received.
IBM - Penokie-154 | E | p. 128 | 6.8.7 Rekeying, 3rd paragraph | Problem: The statement << equivalent SA (see section 6.8.14 below), and when the new one is >> should be << (see 6.8.14), and when the new one is >>
ENDL-123 | E | p. 128 | 6.8.7 Rekeying, 4th p on pg, last s in p | Problem: (which results in redundant SAs) | Suggested: resulting in redundant SAs
IBM - Penokie-155 | E | p. 128 | 6.8.7 Rekeying, 6th paragraph | Problem: The statement << initiate a rekeying at the same time (which results in redundant SAs). >> should be << initiate a rekeying at the same time, which results in redundant SAs. >>
IBM - Penokie-156 | E | p. 128 | 6.8.7 Rekeying, 8th paragraph | Problem: The statement << Note that parallel SAs with the same Traffic Selectors between common >> should be << Parallel SAs with the same Traffic Selectors between common >>
IBM - Penokie-157 | E | p. 128 | 6.8.7 Rekeying, 9th paragraph | Problem: [problem description not captured in the export]
ENDL-127 | E | p. 128 | 6.8.7 Rekeying, bottom of pg, 1,2 list | Problem: This list does not look like an ordered list. | Suggested: Change to a,b list.
IBM - Penokie-162 | E | p. 128 | 6.8.7 Rekeying, The 1,2 list | Problem: This list looks like it should be an a,b list as it doesn't appear to be an ordered list.
IBM - Penokie-163 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 1st paragraph | Problem: The statement << When no SA exists yet it is the task of IKE to create it. >> should be << When no SA exists it is the task of IKE to create it. >>
IBM - Penokie-164 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 1st paragraph | Problem: The statement << system's SPD is outside the scope of this document, though >> should be << system's SPD is outside the scope of this standard, though >>
IBM - Penokie-165 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 4th paragraph | Problem: The statement << This could happen when the configuration >> should be << This may happen when the configuration >>
IBM - Penokie-166 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 4th paragraph | Problem: The statement << Since the two endpoints may be configured by different people, the incompatibility >> should be << Since the two endpoints may be configured differently, the incompatibility >>
IBM - Penokie-167 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 4th paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-168 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 5th paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-169 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 6th paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-170 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, 9th paragraph | Problem: [problem description not captured in the export]
ENDL-128 | E | p. 129 | 6.8.8 Traffic Selector Negotiation, p 4, s 2 | Problem: could happen | Suggested: may happen
McDATA-256 | E | p. 129 | Object Name | Problem: Object Name s/b Switch Node_Name
IBM - Penokie-174 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, 1st paragraph | Problem: The statement << of the two endpoints cannot reconstruct the keys used to protect the >> should be << of the two endpoints is not able to reconstruct the keys used to protect the >>
IBM - Penokie-175 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, 2nd paragraph | Problem: The statement << generator that could be used to >> should be << generator that may be used to >>
IBM - Penokie-176 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, 3rd paragraph | Problem: The statement << An endpoint could select a new exponential only periodically though this could result in less-than-perfect >> should be << An endpoint may select a new exponential only periodically though this may result in less-than-perfect >>
IBM - Penokie-177 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, 3rd paragraph | Problem: The statement << Or it could keep track of which exponential >> should be << Or it may keep track of which exponential >>
IBM - Penokie-178 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, 3rd paragraph | Problem: The statement << This would allow the exponential to be reused without >> should be << This allows the exponential to be reused without >>
ENDL-130 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, p 1, s 2 | Problem: cannot reconstruct | Suggested: is unable to reconstruct
ENDL-131 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, p 2 | Problem: This paragraph is wordy, is worded to use 'but' when it means 'and', and uses the word 'could'. | Suggested: Replace the paragraph with: 'To achieve perfect forward secrecy, each endpoint shall include in the actions taken when a connection is closed discarding: a) the keys used by the connection (e.g., the secrets used in the Diffie-Hellman calculation); and b) any information that could be used to recompute those keys (e.g., the state of the random number generator).'
ENDL-132 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, p 3, s 3 | Problem: could select | Suggested: may select
ENDL-133 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, p 3, s 3 | Problem: could result | Suggested: may result
ENDL-134 | E | p. 130 | 6.8.10 Reuse of Diffie-Hellman Exponential, p 3, s 4 | Problem: Or it could keep track | Suggested: Alternatively, it may keep track
IBM - Penokie-171 | E | p. 130 | 6.8.8 Traffic Selector Negotiation, Last paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-172 | E | p. 130 | 6.8.8 Traffic Selector Negotiation, Last paragraph | Problem: The statement << TSr that are acceptable to him. If >> should be << TSr that are acceptable to it. If >>
ENDL-129 | E | p. 130 | 6.8.9 Nonces, last s in subclause | Problem: care must be taken to ensure that the latter use does not compromise the former | Suggested: the latter shall not be allowed to compromise the former
McDATA-257 | E | p. 130 | Number of Allowed Switches | Problem: Switch Port_Name field description is missing. | Suggested: Add Switch Port_Name field description.
IBM - Penokie-179 | E | p. 131 | 6.8.11 Generating Keying Material, 1st paragraph | Problem: The statement << negotiated: an encryption algorithm, an integrity protection algorithm, a Diffie-Hellman group, and a pseudo-random function (prf). >> should be made into an a,b,c list.
IBM - Penokie-180 | E | p. 131 | 6.8.11 Generating Keying Material, 3rd paragraph | Problem: The statement << algorithm, we use the prf iteratively. We use the terminology prf+ >> should be << algorithm, this standard uses the prf iteratively. This standard uses the terminology prf+ >>
IBM - Penokie-181 | E | p. 131 | 6.8.12 Generating Keying Material for the IKE_SA, 1st paragraph | Problem: The statement << he shared keys are computed as follows. >> should be << he shared keys are computed as defined in this subclause. >>
IBM - Penokie-182 | E | p. 131 | 6.8.12 Generating Keying Material for the IKE_SA, 1st paragraph | Problem: The statement << SKEYSEED is used to calculate five other secrets: >> and the list of secrets should be made into an a,b,c list.
IBM - Penokie-183 | E | p. 131 | 6.8.12 Generating Keying Material for the IKE_SA, 1st paragraph | Problem: The statement << used for encrypting (and of course decrypting) >> should be << used for encrypting and decrypting >>
ENDL-135 | E | p. 131 | 6.8.12 Generating Keying Material for the IKE_SA, p 1, last s in p | Problem: which are used | Suggested: that are used
McDATA-259 | E | p. 131 | Attribute Object Pointer | Problem: This paragraph should go after Basic IP Management Attributes Format
McDATA-258 | E | p. 131 | Object Name | Problem: Clarify if the intent is to allow any special characters other than letters and numbers? Should identify what characters are supported. Should it be the same set of characters supported by Zone Set Names? Do likewise throughout document for any other Alphanumeric Name. | Suggested: Define characters in document before encountering "Alphanumerical Name" terminology here.
ENDL-136 | E | p. 132 | 6.8.12 Generating Keying Material for the IKE_SA, 2nd p on pg, 2nd to last s in p | Problem: which is specified | Suggested: that is specified
IBM - Penokie-184 | E | p. 132 | 6.8.12 Generating Keying Material for the IKE_SA, 2nd to last paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-188 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 1st paragraph after note 23 | Problem: The statement << Note that all of the IKE Payloads are included under >> should be << All of the IKE Payloads are included under >>
IBM - Penokie-189 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 1st paragraph after note 23 | Problem: The statement << not defined in this document. >> should be << not defined in this standard. >>
IBM - Penokie-190 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 1st paragraph after note 23 | Problem: [problem description not captured in the export]
IBM - Penokie-185 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 2nd paragraph | Problem: The statement << The peers are authenticated by having each sign (or MAC using a shared secret as the key) a block of data. >> should be << The peers are authenticated by having each sign, or MAC using a shared secret as the key, a block of data. >>
IBM - Penokie-186 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 2nd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-187 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 2nd paragraph | Problem: The statement << Note that neither the nonce Ni nor the value >> should be << Neither the nonce Ni nor the value >>
IBM - Penokie-191 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 2nd paragraph after note 23 | Problem: [problem description not captured in the export]
IBM - Penokie-192 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 2nd paragraph after note 23 | Problem: The statement << It is commonly the case (but it is not required) that if a shared >> should be << It is common, but not required, that if a shared >>
IBM - Penokie-193 | E | p. 132 | 6.8.13 Authentication of the IKE_SA, 2nd paragraph after note 23 | Problem: The statement << Note that it is a common but typically insecure >> should be << It is a common but typically insecure >>
ENDL-139 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, 2nd p on pg, s 5 | Problem: 'This construction is used because it is anticipated that people will do it anyway.' adds no value to the standard. | Suggested: Delete the cited sentence.
ENDL-140 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, 2nd p on pg, last s in p | Problem: be of | Suggested: have
ENDL-137 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, 2nd p on pg, s 3 | Problem: Is 'which could not be used as a password equivalent for protocols other than IKEv2' necessary? FC-SP describes and Fibre Channel uses only IKEv2. | Suggested: If possible delete the cited text. Otherwise, 'could not be used' s/b 'was not allowed to be used'.
ENDL-138 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, 2nd p on pg, s 4 | Problem: 'As noted above,' adds no value. | Suggested: Delete the cited text.
IBM - Penokie-194 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, last paragraph | Problem: The statement << which could not be used as a password equivalent for >> should be << which may not be used as a password equivalent for >>
IBM - Penokie-195 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, last paragraph | Problem: The statement << As noted above, deriving the shared secret from a password >> should be << Deriving the shared secret from a password >>
IBM - Penokie-196 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, last paragraph | Problem: The statement << This construction is used because it is anticipated that people will do it anyway. >> should be deleted, as the "will" has to be changed to a "shall" and then the uselessness of the statement becomes obvious.
IBM - Penokie-197 | E | p. 133 | 6.8.13 Authentication of the IKE_SA, last paragraph | Problem: The statement << may accept other forms, like hex encoding. >> should be << may accept other forms (e.g., hex encoding). >>
IBM - Penokie-198 | E | p. 133 | 6.8.14 Generating Keying Material for Child_SAs, 4th paragraph (excluding equations) | Problem: [problem description not captured in the export]
IBM - Penokie-199 | E | p. 133 | 6.8.14 Generating Keying Material for Child_SAs, 5th paragraph (excluding equations) | Problem: The statement << SAs exist in pairs (one in each direction). >> should be << SAs exist in pairs, one in each direction. >>
IBM - Penokie-200 | E | p. 133 | 6.8.14 Generating Keying Material for Child_SAs, 6th paragraph (excluding equations) | Problem: The statement << expanded KEYMAT in the following order: >> should be << expanded KEYMAT as follows: >>
IBM - Penokie-201 | E | p. 133 | 6.8.14 Generating Keying Material for Child_SAs, Item 1 | Problem: The statement << going in the reverse direction. >> should be << going in the reverse direction; and >>
IBM - Penokie-202 | E | p. 133 | 6.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA Protocol, 1st paragraph | Problem: The statement << IKE_SA (see section 6.8.7). >> should be << IKE_SA (see 6.8.7). >>
ENDL-141 | E | p. 133 | 6.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA Protocol, p 1, s 1 | Problem: (see section 6.8.7) | Suggested: (see 6.8.7)
McDATA-260 | E | p. 133 | Table 129 | Problem: This table needs to be updated with WKP rows instead of GS fields. | Suggested: The fields should be WKP Access Flags, Well Known Protocol Number, Well Known Port Number. These last two fields need to be defined so that we can check the examples.
ENDL-142 | E | p. 134 | 6.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA Protocol, 1st line on pg | Problem: Is [g^ir (new)] an optional prf () parameter? | Suggested: (g^ir (new))
IBM - Penokie-203 | E | p. 134 | 6.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA Protocol, 2nd to last paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-204 | E | p. 134 | 6.8.16 IKE_Informational Messages outside of an IKE_SA | Problem: [problem description not captured in the export]
ENDL-143 | E | p. 134 | 6.8.16 IKE_Informational Messages outside of an IKE_SA, p 1, s 1 | Problem: could be because | Suggested: may be because
ENDL-144 | E | p. 134 | 6.8.16 IKE_Informational Messages outside of an IKE_SA, p 1, s 1 | Problem: 'recently crashed and' adds nothing of value. | Suggested: Delete the cited text.
IBM - Penokie-205 | E | p. 134 | 6.8.17 Error Handling, 2nd paragraph | Problem: [problem description not captured in the export]
IBM - Penokie-206 | E | p. 134 | 6.8.17 Error Handling, 3rd paragraph | Problem: The statement << an IKE_SA known to it (and not a request to start one), it may be the result of a recent crash of the node. >> should be << an IKE_SA known to it, and not a request to start one, it may be the result of a recent failure of the node. >>
IBM - Penokie-207 | E | p. 134 | 6.8.17 Error Handling, 4th paragraph | Problem: The statement << and should initiate a liveness test for any such IKE_SA. An >> should be << and should initiate a test to determine if there is any such IKE_SA. An >>
ENDL-145 | E | p. 134 | 6.8.17 Error Handling, p 4, s 3 | Problem: IP address | Suggested: entity
ENDL-146 | E | p. 134 | 6.8.17 Error Handling, p 4, s 3 | Problem: a liveness | Suggested: an accessibility
McDATA-262 | E | p. 134 | 7.1.7 | Problem: allow to extend this s/b extend the
IBM - Penokie-208 | E | p. 135 | 6.8.18 Conformance Requirements, 1st paragraph | Problem: The statement << IKEv2 may interoperate, there are 'shall' support requirements in addition to those listed elsewhere. >> should be << IKEv2 may interoperate, there are requirements in addition to those listed elsewhere in this standard. >>
IBM - Penokie-209 | E | p. 135 | 6.8.18 Conformance Requirements, 2nd paragraph | Problem: The statement << This document has been derived >> should be << This standard has been derived >>
IBM - Penokie-210 | E | p. 135 | 6.8.18 Conformance Requirements, 3rd paragraph | Problem: The statement << all payload types (if only to skip over them) and to ignore >> should be << all payload types, if only to skip over them, and to ignore >>
IBM - Penokie-211 | E | p. 135 | 6.8.18 Conformance Requirements, 4th paragraph | Problem: The statement << establishing two SAs (one for IKE, one for ESP_HEader or CT_Authentication). >> should be << establishing two SAs (i.e., one for IKE, one for ESP_HEader or CT_Authentication). >>
IBM - Penokie-212 | E | p. 135 | 6.8.18 Conformance Requirements, 4th paragraph | Problem: The statement << When an SA expires (based on locally configured values of either lifetime or bytes passed), >> should be << When an SA expires, based on locally configured values of either lifetime or bytes passed, >>
IBM - Penokie-213 | E | p. 135 | 6.8.18 Conformance Requirements, 4th paragraph | Problem: The statement << or it may delete (close) the old SA and >> should be << or it may delete (i.e., close) the old SA and >>
IBM - Penokie-214 | E | p. 135 | 6.8.18 Conformance Requirements, Last paragraph | Problem: The statement << RSA keys of size 1024 or 2048 bits, >> should be << RSA keys of size 1 024 or 2 048 bits, >>
ENDL-147 | E | p. 135 | 6.8.18 Conformance Requirements, p 1, s 1 | Problem: IKEv2 | Suggested: this standard
ENDL-148 | E | p. 135 | 6.8.18 Conformance Requirements, p 1, s 1 | Problem: What the heck does 'there are 'shall' support requirements in addition to those listed elsewhere' mean? | Suggested: Clarify
ENDL-149 | E | p. 135 | 6.8.18 Conformance Requirements, p 1, s 2 | Problem: 'Of course, IKEv2 is a security protocol, and one of its major functions is to only allow authorized parties to successfully complete establishment of SAs.' is unnecessary. | Suggested: Delete the cited sentence.
ENDL-150 | E | 135 | 6.8.18 Conformance Requirements, p 1, s 3 | Problem: 'So' says nothing. | Suggested: Delete 'So'.
McDATA-267 | E | 139 | second paragraph | Problem: Device Kth Port s/b Device's Kth Port
IBM - Penokie-215 | E | 140 | 7.1.3 Switch Membership List Object, 1st paragraph | Problem: There is no definition of what a wildcard entry or negated wildcard is. This needs to be fixed.
ENDL-151 | E | 141 | 7.1.3 Switch Membership List Object, table 107 footnote a | Problem: Are bits 31 .. 16 and 15 .. 0 optional parameters? | Suggested: '[31 .. 16]' s/b '31 .. 16' and '[15 .. 0]' s/b '15 .. 0'. Alternatively, surround all other uses of the .. notation with square brackets.
IBM - Penokie-216 | E | 142 | 7.1.3 Switch Membership List Object, table 108 | Problem: There is no definition of what a wildcard is. This needs to be fixed.
IBM - Penokie-217 | E | 143 | 7.1.3 Switch Membership List Object, Insistent Domain_ID description | Problem: ###################################
IBM - Penokie-219 | E | 143 | 7.1.3 Switch Membership List Object, NOTE 25 | Problem: This note should either go before table 111 or be put as a footnote within table 111 << Note 25 - There is no difference between an Autonomous Switch and a Client Switch if FC-SP Zoning is not used. >>
IBM - Penokie-218 | E | 143 | 7.1.3 Switch Membership List Object, Table 111 row 2 | Problem: The statement << The Switch shall operate as an Autonomous Switch. an Autonomous Switch >> should be << The Switch shall operate as an Autonomous Switch. An Autonomous Switch >>.
McDATA-273 | E | 145 | Attribute Object Pointer | Problem: This paragraph should go after the Basic Device Attributes paragraph.
McDATA-272 | E | 145 | Table 113 | Problem: This table note should be moved into the Name field description. One of the "or"s should be eliminated.
McDATA-274 | E | 146 | 7.3.4.1 | Problem: managing application s/b management application
ENDL-152 | E | 147 | 7.1.4 Device Membership List Object, Allow/Deny, p 1, s 1&2 | Problem: Service/Subserver [twice] | Suggested: Service and Subserver
ENDL-154 | E | 147 | 7.1.4 Device Membership List Object, Read Only, p 1, s 1 | Problem: a read/write capability | Suggested: for both reading and writing
ENDL-153 | E | 147 | 7.1.4 Device Membership List Object, Read Only, p 1, s 1&2 | Problem: Service/Subserver [twice] | Suggested: Service and Subserver
ENDL-155 | E | 147 | 7.1.4 Device Membership List Object, Read Only, p 1, s 2 | Problem: a read only capability | Suggested: for reading only
ENDL-156 | E | 147 | 7.1.4 Device Membership List Object, Read Only, p 2, s 1&2 | Problem: GS_Type/GS_Subtype [twice] | Suggested: GS_Type and GS_Subtype
IBM - Penokie-220 | E | 148 | 7.1.4 Device Membership List Object, Table 119 | Problem: The footnote << a Example 3 is the minimum allowed >> would change to << d the minimum allowed >> and the a in column would change to a d.
McDATA-283 | E | 151 | field descriptions | Problem: The way fields are described is inconsistent throughout the document. Some times it starts with "Shall be set" other time "indicates". | Suggested: Decide on one format and standardize this throughout the document.
McDATA-281 | E | 151 | Integrity Protection Source | Problem: Integrity Protection Source s/b Integrity Protection Source Name
McDATA-282 | E | 151 | Table 153 title | Problem: Wrong title? Integrity Protection Tag?
ENDL-158 | E | 153 | 7.1.6 IP Management List Object, Read Only, p 1, s 1 | Problem: a read/write capability | Suggested: for both reading and writing
ENDL-159 | E | 153 | 7.1.6 IP Management List Object, Read Only, p 1, s 2 | Problem: a read only capability | Suggested: for reading only
ENDL-160 | E | 153 | 7.1.6 IP Management List Object, Read Only, p 2, last s in p | Problem: Protocol Number / Port Number | Suggested: Protocol Number and Port Number combination
IBM - Penokie-221 | E | 153 | 7.1.6 IP Management List Object, Table 129 | Problem: There should be a footnote reference to this << Example 1 is the Well Known Protocols Access >>. It should be << a The Well Known Protocols Access... > with the a reference being placed in the heading of << example 1 >> column.
IBM - Penokie-222 | E | 153 | 7.1.6 IP Management List Object, Table 129 | Problem: There should be a footnote reference to this << Example 2 is the Well Known Protocols Access >>. It should be << b The Well Known Protocols Access... > with the a reference being placed in the heading of << example 2 >> column.
IBM - Penokie-223 | E | 153 | 7.1.6 IP Management List Object, Table 129 | Problem: There should be a footnote reference to this << Example 3 is the Well Known Protocols Access >>. It should be << c The Well Known Protocols Access... > with the a reference being placed in the heading of << example 3 >> column.
IBM - Penokie-224 | E | 153 | 7.1.6 IP Management List Object, Table 129 | Problem: There should be a footnote reference to this << Example 4 is the Well Known Protocols Access >>. It should be << d The Well Known Protocols Access... > with the a reference being placed in the heading of << example 4 >> column.
ENDL-157 | E | 153 | 7.1.6 IP Management List Object, Well Known Port Number Wildcard, p 1, s 1&2 | Problem: TCP/UDP Port [twice] | Suggested: TCP or UDP port
Brocade-1 | E | 153 | 7.3.6.2 | Problem: "an UFC SW_ILS" s/b "a UFC SW_ILS" in all cases. | Suggested: Make correction on pages 153, 157 (2), 158, 159, and 172.
IBM - Penokie-225 | E | 156 | 7.1.8 Names used to define Policies, 1,2,3 list | Problem: The 1,2,3 list looks like it should be an a,b,c list as there appears to be no ordering required.
ENDL-162 | E | 159 | 7.2.4 In-Band Management Access to a Switch, 1,2,3 list | Problem: Why is the second level for list entry 2) an A,B,C list, but the second level for list entry 3) is a I,II,III list? | Suggested: Change the I,II,III list to an A,B,C list.
ENDL-163 | E | 159 | 7.2.4 In-Band Management Access to a Switch, 1,2,3 list, entry 3 II | Problem: Wildcard flag | Suggested: Wildcard bit
ENDL-164 | E | 159 | 7.2.4 In-Band Management Access to a Switch, 1,2,3 list, entry 3 III | Problem: Wildcard flags | Suggested: Wildcard bits
IBM - Penokie-226 | E | 159 | 7.2.4 In-Band Management Access to a Switch, I, II, III list | Problem: I assume this is a second level ordered list. If so then the connector should be an << and >> not an << or >>. If this is not an ordered list then the I, II, III needs to be changed to A, B, C.
ENDL-161 | E | 159 | 7.2.4 In-Band Management Access to a Switch, list entry 3 (global) | Problem: Allow/Deny flag [9 times] | Suggested: Allow/Deny bit
IBM - Penokie-227 | E | 160 | 7.2.4 In-Band Management Access to a Switch, Item IV | Problem: The statement << If any of the conditions listed in A, B or C do not apply, >> is not correct as there is no A, B, or C. This needs to be fixed.
ENDL-166 | E | 160 | 7.2.5 IP Management Access to a Switch, 1,2,3 list | Problem: Why is the second level for list entry 2) an A,B,C list, but the second level for list entry 3) is a I,II,III list? | Suggested: Change the I,II,III list to an A,B,C list.
ENDL-167 | E | 160 | 7.2.5 IP Management Access to a Switch, 1,2,3 list, entry 3 II | Problem: Wildcard flag | Suggested: Wildcard bit
ENDL-168 | E | 160 | 7.2.5 IP Management Access to a Switch, 1,2,3 list, entry 3 III | Problem: Wildcard flags | Suggested: Wildcard bits
IBM - Penokie-228 | E | 160 | 7.2.5 IP Management Access to a Switch, I, II, III list | Problem: I assume this is a second level ordered list. If so then the connector should be an << and >> not an << or >>. If this is not an ordered list then the I, II, III needs to be changed to A, B, C.
ENDL-165 | E | 160 | 7.2.5 IP Management Access to a Switch, list entry 3 (global) | Problem: Allow/Deny flag [9 times] | Suggested: Allow/Deny bit
IBM - Penokie-229 | E | 161 | 7.2.5 IP Management Access to a Switch, Item IV | Problem: The statement << If any of the conditions listed in A, B or C do not apply, >> is not correct as there is no A, B, or C. This needs to be fixed.
IBM - Penokie-230 | E | 161 | 7.2.6 Direct Management Access to a Switch, 1,2 list | Problem: There should be an << and >> at the end of item 1).
IBM - Penokie-233 | E | 164 | 7.3.2 Fabric Distribution | Problem: All the operation code names have quotes around them. In all cases those quotes should be removed as the only thing that should be quoted are reason codes.
IBM - Penokie-231 | E | 164 | 7.3.2 Fabric Distribution, Paragraph above table 137 | Problem: The statement << operation code 'Activate Policy Summary' is shown >> should be << operation code Activate Policy Summary is shown >>
IBM - Penokie-232 | E | 164 | 7.3.2 Fabric Distribution, Table 137 | Problem: The statement << Payload for Operation Code 'Activate Policy Summary' >> should be << Payload for Operation Code Activate Policy Summary >>
McDATA-294 | E | 168 | last sentence | Problem: equal s/b equal, add comma
McDATA-295 | E | 168 | last sentence | Problem: in s/b to the next paragraph too.
McDATA-292 | E | 168 | Table 188 | Problem: ESS: The ESS protocol may not be very useful for security protocols. ESS runs after FSPF because it uses Domain Controller frames. This should be well after any security protocol exchanges are completed. The fabric wide activation protocol has its own method to detect switches that are down level. Including the info in the ESS will not hurt but it probably is not needed. | Suggested: Clarify how and when ESS is intended to be used to support the management interface. If that was the intent…
McDATA-296 | E | 169 | last sentence of first paragraph | Problem: non s/b not do global search and replace.
IBM - Penokie-234 | E | 173 | 7.3.6.2 Activate Policy Summary (APS), 2nd paragraph | Problem: The statement << operation code 'Activate Policy Summary'. >> should be << operation code Activate Policy Summary. >>
IBM - Penokie-235 | E | 173 | 7.3.6.3 Deactivate Policy Summary (DPS), 2nd paragraph | Problem: The statement << with operation code 'Deactivate Policy Summary'. >> should be << with operation code Deactivate Policy Summary. >>
ENDL-169 | E | 176 | 7.3.6.5 Get All Lists Names (GALN), List Object Type, p 1, s 1 | Problem: the type of the List Object which name is returned | Suggested: the type of the List Object for which name is returned
McDATA-301 | E | 177 | 8.2 | Problem: fibre channel s/b Fibre Channel | Suggested: Capitalize globally.
IBM - Penokie-236 | E | 177 | 7.3.6.7 Add Policy Object (APO), 2nd paragraph | Problem: The statement << with operation code 'Add Policy Object'. >> should be << with operation code Add Policy Object. >>
McDATA-303 | E | 177 | General 8 + 8.2 second paragraph | Problem: entity s/b Entity ! Likewise capitalize these: Security Relationship, Entity Authentication, Fabric Entity, Entity Authentication, E_Port Entity, Nx_Port Entity, Abstract Services
IBM - Penokie-237 | E | 178 | 7.3.6.8 Remove Policy Object (RPO), 2nd paragraph | Problem: The statement << with operation code 'Remove Policy Object'. >> should be << with operation code Remove Policy Object. >>
McDATA-311 | E | 178 | 8.3 first sentence | Problem: Delete "here"
McDATA-310 | E | 178 | c) | Problem: Nx_Port with Nx_Port s/b Nx_Port to Nx_Port
IBM - Penokie-238 | E | 179 | 7.3.6.9 Remove All Non Active Policy Objects (RANA), 2nd paragraph | Problem: The statement << with operation code 'Remove All Non Active Policy Objects'. >> should be << with operation code Remove All Non Active Policy Objects. >>
IBM - Penokie-239 | E | 180 | 7.4.2 Check Policy Summary (CPS), Table 173 | Problem: The TBD needs to be defined or the value removed.
IBM - Penokie-240 | E | 181 | 7.5.2.2 QSA Request Sequence, Revision description | Problem: The statement << Shall be set to 00000002h. >> should be << Shall be set to 0000 0002h. >>
McDATA-323 | E | 181 | 8.5.2.2 | Problem: Is this one long sentence? It's running on. | Suggested: Parse this into a couple of sentences.
McDATA-325 | E | 181 | 8.5.2.3 a) | Problem: Is this referring to an AUTH_Negotiate? | Suggested: Clarify
McDATA-327 | E | 181 | 8.5.2.4 | Problem: suggest moving the words "to the entity authentication state machine" following "frame" later in the same sentence
McDATA-331 | E | 182 | 8.5.4.4 | Problem: Where is the negotiate ELS buffer conditions request defined? | Suggested: Add reference to FC FS.
ENDL-171 | E | 184 | 7.5.3.2 RFCN Request Sequence, Addressing, p 1, s 2 | Problem: which is being | Suggested: that is being
IBM - Penokie-241 | E | 186 | 7.6.2.2 Get Fabric Enhanced Zoning Support (GFEZ) Additions | Problem: ###################################
IBM - Penokie-242 | E | 188 | 7.6.3.1 Overview, 1st paragraph | Problem: The statement << by Server Switches, Autonomous Switches and Client Switches. >> should be << by Server Switches, Autonomous Switches, and Client Switches. >>. There was a missing comma.
IBM - Penokie-243 | E | 189 | 7.6.3.3 The Zoning Check Protocol, 2nd paragraph | Problem: ###################################
IBM - Penokie-246 | E | 190 | 7.6.3.4.2 Operation Request 'FC-SP Deactivate Zone Set Enhanced' | Problem: All the operation request names have quotes around them. In all cases those quotes should be removed as the only thing that should be quoted are reason codes.
IBM - Penokie-245 | E | 190 | 7.6.3.4.2 Operation Request 'FC-SP Deactivate Zone Set Enhanced', In the section title, table title, and 1st paragraph | Problem: The statement << Operation Request 'FC-SP Activate Zone Set Enhanced' >> should be << Operation Request FC-SP Activate Zone Set Enhanced >>
IBM - Penokie-247 | E | 193 | 7.6.5.1 Overview, 1st paragraph | Problem: The statement << some Switches, called Client Switches, to not >> should be << some Switches (i.e., Client Switches), to not >>
IBM - Penokie-248 | E | 194 | 7.6.5.1 Overview, 4th paragraph | Problem: ###################################
IBM - Penokie-249 | E | 194 | 7.6.5.2 Zone Information Request (ZIR), 1st paragraph | Problem: The statement << the requesting part of the protocol, Server Switches shall implement >> should be << the requesting part of the protocol and Server Switches shall implement >>
ENDL-174 | E | 197 | 8.1 {Combinations of Security Protocols} Overview, 1st list entry c | Problem: which may include | Suggested: that may include
IBM - Penokie-252 | E | 197 | 8.1 Overview, 1st paragraph above 2nd a,b,c list | Problem: The statement << the entities involved >> should be << the entities involved: >>
IBM - Penokie-251 | E | 197 | 8.1 Overview, First item a) | Problem: The statement << Identifier associated with an FC_Port; >> should be << Identifier associated with an FC_Port; or >>
IBM - Penokie-253 | E | 197 | 8.1 Overview, Last paragraph | Problem: The statement << acceptable set of security relationships is presumed to be based on a security >> should be << acceptable set of security relationships is based on a security >>
IBM - Penokie-254 | E | 197 | 8.2 Terminology, 1st paragraph | Problem: The statement << In the specification of entity authentication, the special >> should be << In the description of entity authentication within this clause, the special >>
IBM - Penokie-256 | E | 198 | 8.2 Terminology, Figure 25 | Problem: The term << Specification perspective >> should be << Standards perspective >>
IBM - Penokie-255 | E | 198 | 8.2 Terminology, Last paragraph | Problem: ###################################
IBM - Penokie-257 | E | 198 | 8.3 Entity authentication model, 1st paragraph | Problem: The statement << implementation of entity authentication is here specified by the behavior of a set >> should be << implementation of entity authentication is specified in this clause by the behavior of a set >>
IBM - Penokie-258 | E | 198 | 8.3 Entity authentication model, 1st paragraph | Problem: The statement << machine set specified here; however, an implementation >> should be << machine set specified here. However, an implementation >>
IBM - Penokie-259 | E | 198 | 8.3 Entity authentication model, a,b,c list item c | Problem: The statement << The state machine (NNA, see 8.8); >> should be << The state machine (NNA, see 8.8); and >>
IBM - Penokie-260 | E | 199 | 8.3 Entity authentication model, 1st paragraph above figure 26 | Problem: The statement << Figure 26 informatively represents a model of entity >> should be << Figure 26 represents a model of entity >>
IBM - Penokie-261 | E | 199 | 8.3 Entity authentication model, Figure 26 | Problem: The text in this figure is the wrong font size; it should be 10 point.
IBM - Penokie-262 | E | 200 | 8.4.3 Nx_Port entity to Nx_Port entity, 1st paragraph | Problem: The statement << Nx_Port entity (including to a Generic Service) shall apply to any communication >> should be << Nx_Port entity, including to a Generic Service, shall apply to any communication >>
IBM - Penokie-263 | E | 200 | 8.5.2.2 Abandon authentication request, 1st paragraph | Problem: The statement << request shall cause the authentication service to >> should be << request shall cause the authentication service to: >>. Missing colon.
McDATA-360 | E | 204 | 8.1 | Problem: Change 'NFA' to 'NNA'
IBM - Penokie-264 | E | 205 | 8.6.1 Overview of NFA state machine, 2nd paragraph | Problem: The statement << by selectively returning errors to requests that would cause transitions to states that require resources >> should be << by selectively returning errors to requests that cause transitions to states that require resources >>.
IBM - Penokie-265 | E | 205 | 8.6.1 Overview of NFA state machine, 2nd paragraph | Problem: The statement << scope of this standard; however, subsequent to issuing such >> should be << scope of this standard. However, subsequent to issuing such >>
IBM - Penokie-266 | E | 205 | 8.6.1 Overview of NFA state machine, 3rd paragraph | Problem: ###################################
McDATA-361 | E | 205 | Annex A | Problem: Add 04-010v6 to letter ballot comment process for inclusion into Annex A. | Suggested: Complete Annex A.
Veritas-10 | E | 205 | Annex A | Problem: Complete or delete annex.
IBM - Penokie-267 | E | 206 | 8.6.1 Overview of NFA state machine, Figure 27 | Problem: The font in this figure needs to be 10 point.
IBM - Penokie-268 | E | 207 | 8.6.4.1 All:NFA_S1 | Problem: ###################################
Brocade-3 | E | 207 | B.1.2 | Problem: The word "can" should almost always be replaced with "may" or deleted. | Suggested: In B.1.2 on page 207, "can enable or assist" s/b "enables or assists"; "can predict" s/b "may predict" or "predicts". In D.2.2 on page 221, "which can have" s/b "that may have"; "type can be" s/b "type may be". In D.2.4 on page 222, "set can be" s/b "set may be". In D.2.5 on page 222, "can use" s/b "uses". In D.2.7.3 on page 224, "switch can join" s/b "switch is permitted to join". In D.2.7.6 on page 225, "changes can" s/b "changes may". In D.2.8.1 on page 226, "can be" s/b "is". In D.2.8.3 on page 229, "can download" s/b "downloads". In D.2.8.4 on page 229, "so the receiving switches can get the" s/b "so that the receiving switches obtain [or receive]". In D.2.8.6 on page 231, "type can be a string to specify" s/b "type is a string that specifies". In D.2.8.7 on page 232, "and can be used" s/b "and are used".
Brocade-33 | E | 209 | B.3.1 | Problem: "When a packet is received with an invalid Code field, it is silently discarded." s/b "When a packet is received with an invalid Code field, it is ignored." | Suggested: In D.3.7 on page 237 make recommended change. Do a global search for the word "silent" and make similar changes in all cases. Modern electronics is always silent, until the fan goes on.
Brocade-14 | E | 209 | B.3.1, Table A.1 | Problem: Tables should be prefixed with the number of their annex. As an example, this should be Table B.1. On page 227, Table A.8 should be numbered Table D.1 | Suggested: Make recommended correction
IBM - Penokie-269 | E | 210 | 8.7.1 Overview, 2nd paragraph | Problem: The statement << returning errors to requests that would cause transitions to states that >> should be << returning errors to requests that cause transitions to states that >>
IBM - Penokie-270 | E | 211 | 8.7.1 Overview, 3rd paragraph | Problem: The statement << this standard; however, subsequent to issuing such errors, >> should be << this standard. However, subsequent to issuing such errors, >>
IBM - Penokie-271 | E | 211 | 8.7.1 Overview, 4th paragraph | Problem: ###################################
IBM - Penokie-272 | E | 211 | 8.7.1 Overview, Figure 28 | Problem: The font in this figure needs to be 10 point.
IBM - Penokie-273 | E | 217 | 8.8.1 Overview, 2nd paragraph | Problem: The statement << returning errors to requests that would cause transitions to states >> should be << returning errors to requests that cause transitions to states >>
IBM - Penokie-274 | E | 217 | 8.8.1 Overview, 2nd paragraph | Problem: The statement << beyond the scope of this standard; however, subsequent to issuing >> should be << beyond the scope of this standard. However, subsequent to issuing >>
IBM - Penokie-275 | E | 217 | 8.8.1 Overview, 3rd paragraph | Problem: ###################################
IBM - Penokie-276 | E | 218 | 8.8.1 Overview, Figure 29 | Problem: The font in this figure needs to be 10 point.
McDATA-364 | E | 222 | DCC | Problem: switches ports s/b switch ports
IBM - Penokie-277 | E | 223 | 8.9.1 Overview, 1st paragraph | Problem: ###################################
IBM - Penokie-278 | E | 223 | 8.9.1 Overview, 1st paragraph | Problem: The statement << Figure 30 shows how state P17 is exploded in sub-states. >> should be << Figure 30 shows the states within state P17. >>
IBM - Penokie-279 | E | 223 | 8.9.1 Overview, Figure 30 | Problem: The font in this figure needs to be 10 point.
Brocade-5 | E | 223 | D.2.6 | Problem: "The security policy set can be either defined or active set. It has these attributes:" appears to be ungrammatical. It should probably say "The security policy set may be either a defined or an active set. It has these attributes:" | Suggested: Make recommended correction
IBM - Penokie-280 | E | 224 | 8.10 Impact on other standards, 1st paragraph | Problem: ###################################
Brocade-10 | E | 224 | D.2.7.3 | Problem: "It cannot perform fabric-wide security management operations (e.g., security policy changes, zone changes)." uses the forbidden word. I suggest the text be changed to read "A switch in such a state does not have enough information to perform fabric-wide security management operations (e.g., security policy changes, zone changes)." | Suggested: Make recommended correction
Brocade-6 | E | 226 | D.2.8.1 | Problem: "Otherwise, the payload has to include the certificate of the sender non-primary SCS, so the receiver can get the public key to verify the signature of the payload data." is somewhat awkward and contains the forbidden word "can". | Suggested: The sentence should be changed to read: "If the payload is not the result of a primary SCS download, the payload includes the certificate of the sender non-primary SCS to allow the receiver to obtain the public key to verify the signature of the payload data."
IBM - Penokie-282 | E | 227 | B.1.1 Objective of this Annex, 2nd paragraph after a,b,c list | Problem: The statement << This standard define the inclusion of a Diffie-Hellman (DH) key >> should be << This standard defines the inclusion of a Diffie-Hellman (DH) key >>
IBM - Penokie-283 | E | 227 | B.1.1 Objective of this Annex, 2nd paragraph after a,b,c list | Problem: The statement << This method is discussed first in this annex. >> should be << This method is discussed in B.x.x. >>
IBM - Penokie-281 | E | 227 | B.1.1 Objective of this Annex, Before the a,b,c list | Problem: There needs to be an introduction to the a,b,c list. Add in << The objects of this annex are as follows: >>
IBM - Penokie-284 | E | 227 | B.1.1 Objective of this Annex, Last paragraph | Problem: The statement << with RADIUS CHAP authentication is also presented. >> should be << with RADIUS CHAP authentication is discussed in B.x.x. >>
ENDL-177 | E | 227 | B.1.2 Random Number Generator, 1st p after a,b,c list, s 3 | Problem: can predict | Suggested: is able to predict
IBM - Penokie-286 | E | 227 | B.1.2 Random Number Generator, 1st paragraph after a,b,c list | Problem: ###################################
IBM - Penokie-287 | E | 227 | B.1.2 Random Number Generator, 1st paragraph after a,b,c list | Problem: ###################################
ENDL-176 | E | 227 | B.1.2 Random Number Generator, 1st s after a,b,c list | Problem: Unpredictability of these values is vital to the security of the protocols that use them; while this is obvious for the secret values, the ability to predict (even partially) non-secret values can enable or assist attacks based on pre-computation. | Suggested: Unpredictability of these values is vital to the security of the protocols that use them. This is obvious for the secret values, however, the ability to predict, even partially, non-secret values opens opportunities for attacks based on pre-computation.
ENDL-175 | E | 227 | B.1.2 Random Number Generator, a,b,c list | Problem: [replace commas with semicolons]
IBM - Penokie-285 | E | 227 | B.1.2 Random Number Generator, a,b,c list | Problem: The items in the a,b,c list need to be separated by semicolons, not commas.
IBM - Penokie-288 | E | 228 | B.1.2 Random Number Generator, 1st paragraph after a,b,c list | Problem: ###################################
IBM - Penokie-289 | E | 228 | B.2.1 Overview, 1st paragraph | Problem: The statement << a central authentication server is desirable. >> should be << a central authentication server should be used. >>
IBM - Penokie-290 | E | 228 | B.2.1 Overview, 1st paragraph | Problem: ###################################
IBM - Penokie-291 | E | 228 | B.2.1 Overview, 2nd paragraph | Problem: The statement << than in multiple devices; improving scalability, management and security of >> should be << than in multiple devices thereby improving scalability, management and security of >>
IBM - Penokie-292 | E | 228 | B.2.1 Overview, 3rd paragraph | Problem: The statement << servers for authentication is also desirable. >> should be << servers for authentication is recommended. >>
Brocade-7 | E | 228 | D.2.8.1 | Problem: "The database can be certificate, defined security set, active security set, or Zone set." s/b "The database is a certificate, a defined security set, an active security set, or a Zone set." | Suggested: Make recommended correction
IBM - Penokie-293 | E | 229 | B.2.2 Digest Algorithm | Problem: The statement << It is possible and desirable that future extensions to the RADIUS standards add SHA-1 and other >> should be << Future extensions to the RADIUS standards may add SHA-1 and other >>
IBM - Penokie-294 | E | 229 | B.3.1 Message Types, 1st paragraph | Problem: ###################################
IBM - Penokie-295 | E | 229 | B.3.1 Message Types, 2nd paragraph | Problem: The statement << transmitted from highest order (first ) to lowest order (last ).>> should be << transmitted from highest order (i.e., first ) to lowest order (i.e., last ).>>
IBM - Penokie-297 | E | 229 | B.3.1 Message Types, Code description | Problem: The statement << with an invalid Code field, it is silently discarded. >> should be << with an invalid Code field, it is ignored. >>
IBM - Penokie-298 | E | 229 | B.3.1 Message Types, Code description | Problem: The statement << The RADIUS message Codes (decimal) this standard are listed in table A.2. >> should be << The RADIUS message Codes are listed in table A.2. >>
IBM - Penokie-299 | E | 229 | B.3.1 Message Types, Identifier discussion | Problem: The statement << independent value not to be confused with the T_ID. >> should be << independent value unlike T_ID. >>
IBM - Penokie-300 | E | 229 | B.3.1 Message Types, Length description | Problem: The statement << they are treated as padding and ignored on reception. >> should be << they are ignored on reception. >>
IBM - Penokie-296 | E | 229 | B.3.1 Message Types, Table A.1 | Problem: The tables in this annex are all mislabeled. They should be B.x not A.x.
IBM - Penokie-304 | E | 230 | B.3.1 Message Types, Attributes definition | Problem: The statement << authentication examples are provided in RADIUS Attributes subclauses. >> should be << authentication examples are provided in B.3.2. >>
IBM - Penokie-303 | E | 230 | B.3.1 Message Types, Authenticator description | Problem: The statement << authentication examples in this document and should be set to zero. >> should be << authentication examples in this annex and should be set to zero. >>
IBM - Penokie-301 | E | 230 | B.3.1 Message Types, Length description | Problem: The statement << Length field indicates, it is silently discarded. >> should be << Length field indicates, it is ignored. >>
IBM - Penokie-302 | E | 230 | B.3.1 Message Types, Length description | Problem: The statement << message is 20 bytes and maximum length is 4096 bytes. >> should be << message is 20 bytes and maximum length is 4 096 bytes. >>
Brocade-11 | E | 230 | D.2.8.5 | Problem: "Optional policies are policies that may or may not be enforced by the switch. If a switch receives a policy that it either does not or cannot enforce, it still retains it." should be rewritten for clarity and to remove the "cannot". | Suggested: The text should be changed to read "Optional policies are policies that may or may not be enforced by the switch. A switch shall retain optional policies even if it does not enforce such a policy."
Brocade-34 | E | 230 | D.2.8.5 | Problem: "Mandatory" is used not as a keyword in this location, but rather as a policy type. I propose that for this case it be changed to read "Mandatory Policy Type". Similarly "optional" should be changed to read "Optional Policy Type". | Suggested: Make recommended change in all places, using global search for mandatory and optional to identify the cases.
IBM - Penokie-305 | E | 231 | B.3.2.1 User-Name, 3rd paragraph after table A.4 | Problem: The statement << The User-Name now becomes 'Ox_2B17ACDE48000080'. >> should be << The User-Name in the previous example now becomes 'Ox_2B17ACDE48000080'. >>
ENDL-178 | E | 232 | B.3.2.1 User-Name, 1st p on pg, s 1 | Problem: could be compromised | Suggested: may be compromised
IBM - Penokie-306 | E | 232 | B.3.2.1 User-Name, Last paragraph | Problem: The statement << but interoperability could be compromised. >> should be << but interoperability may be compromised. >>
IBM - Penokie-307 | E | 233 | B.4.1 RADIUS Authentication Method, 1st paragraph | Problem: The statement << Example of both methods are given in the discussion. >> should be << Example of both methods are given this annex. >>
ENDL-179 | E | 233 | B.4.1 RADIUS Authentication Method, 2nd to last p on pg, s 1 | Problem: convey | Suggested: identify (alternatively, specify)
IBM - Penokie-308 | E | 233 | B.4.1 RADIUS Authentication Method, 5th paragraph | The statement << are used. As an example, SHA-1 is 20 bytes. >> should be << are used (e.g., SHA-1 is 20 bytes). >>
IBM - Penokie-309 | E | 233 | B.4.1 RADIUS Authentication Method, 5th paragraph | The statement << Note that the Identifier in RADIUS message is used the >> should be << The Identifier in RADIUS message is used the >>
IBM - Penokie-310 | E | 233 | B.4.1 RADIUS Authentication Method, 7th paragraph | The statement << This discussion uses the conventions of this standard >> should be << This annex uses the conventions of this standard >>
Brocade-12 | E | 233 | D.2.2.8, Table A.18 | "Cannot Save" should be "Save Failed" | Make recommended correction
IBM - Penokie-311 | E | 234 | B.4.2 RADIUS Authentication with NULL DH option, 1st paragraph | The statement << This discussion also includes an example of the optional bi-directional authentication. >> should be << This subclause also includes an example of the optional bi-directional authentication. >>
McDATA-366 | E | 234 | D.3.5 | "Fabric Management inter-switch frames.... The messages are destined to either the Fabric Controller (i.e., Destination Identifier of FFFFFDh) or Domain Controller ..." Clarify that SFC and UFC frames are destined to the Domain Controller. | Add "The SFC, UFC, etc. are destined to the Domain Controller." to the end of the paragraph above table A.22.
IBM - Penokie-312 | E | 235 | B.4.2 RADIUS Authentication with NULL DH option, 2nd paragraph | The statement << hash identifier (currently RADIUS only supports MD5), the NULL DH group >> should be << hash identifier (i.e., the RADIUS only supports MD5), the NULL DH group >>
IBM - Penokie-313 | E | 235 | B.4.2 RADIUS Authentication with NULL DH option, Figure A.1 | The figures in this annex are all mislabeled. They should be B.x not A.x.
Brocade-15 | E | 235 | D.3.6 | Hanging paragraph hunt was very successful, but they slipped some in on you at D.3.6, D.3.7, and D.3.8. They need to be repaired. | Make recommended correction
McDATA-367 | E | 236 | 5. Section D.3.6 EFMD Request Payload | At "Restrict Policy: This field contains a value of one....." the Title "Restrict Policy" should be bold. | Change Restrict Policy: to bold characters.
IBM - Penokie-314 | E | 236 | B.4.3 Bi-Directional Authentication with RADIUS, 1st paragraph | The statement << Any FC entity may request a >> should be << Any Fibre Channel entity may request a >>
ENDL-180 | E | 237 | B.4.4 RADIUS Authentication with DH option, p 2, last s in p | which is then used | that is then used
Brocade-13 | E | 237 | D.3.6.3 | "Cannot Exchange Membership Data" should be "Exchange Membership Data Failed" | Make recommended correction
McDATA-368 | E | 237 | D.3.7 Exchange Security Attributes (ESA) | ".....Additionaly, through administration...." Should be ".....Additionally, through administration..." | Fix typo.
Brocade-35 | E | 238 | D.3.7.1 | "Mandatory" is used not as a keyword in this location, but rather as a policy requirement from a neighboring switch. Delete the word | Make recommended change here. A similar change is required on page 239
McDATA-369 | E | 240 | Change Notification Definition | Remove Change Notification Definition.
ENDL-181 | E | 241 | D.1 Overview, p 1, s 1 | 'the Fabric Policies section of the FC-SP normative standard' is a wordy, indirect way of describing clause 7. | Change the cited text to 'clause 7' as a cross reference.
IBM - Penokie-315 | E | 241 | D.2.2 FMPS Hierarchy Model, 1st paragraph | The statement << Unlike Zoning, which can have many defined sets, security has only one defined policy set. >> should be << Unlike Zoning, which may have many defined sets, security has only one defined policy set. >>
IBM - Penokie-317 | E | 241 | D.2.2 FMPS Hierarchy Model, 2nd paragraph | ###################################
IBM - Penokie-316 | E | 241 | D.2.2 FMPS Hierarchy Model, 2nd paragraph | The statement << Member type can be any form >> should be << Member type may be any form >>
ENDL-182 | E | 241 | D.2.2 FMPS Hierarchy Model, p 1, last s in p | which can have | allowing
ENDL-183 | E | 241 | D.2.2 FMPS Hierarchy Model, p 2, s 2 | can be | may be
IBM - Penokie-318 | E | 242 | D.2.3 Policy Description, a,b,c list item a) | The statement << RSNMP (read SNMP) policy, the WSNMP (write SNMP) policy, the TELNET >> should be << RSNMP (i.e., read SNMP) policy, the WSNMP (i.e., write SNMP) policy, the TELNET >>
IBM - Penokie-319 | E | 242 | D.2.4 Policy Distribution | The statement << and zone set can be done through any SCS to >> should be << and zone set may be done through any SCS to >>
ENDL-185 | E | 242 | D.2.4 Policy Distribution, p 1, last s in p | switch/switches | switches
ENDL-184 | E | 242 | D.2.4 Policy Distribution, p 1, s 3 | can be done | may be performed
IBM - Penokie-320 | E | 242 | D.2.5 Signature, Version Stamp, and Timestamp, 2nd paragraph | The statement << The Administrator can use the time of the stamp as >> should be << The Administrator may use the time of the stamp as >>
IBM - Penokie-321 | E | 242 | D.2.5 Signature, Version Stamp, and Timestamp, 2nd paragraph | The statement << The latest time doesn't necessarily mean that the policy set should be used, >> should be << The latest time doesn't mean that the policy set should be used, >>
ENDL-186 | E | 242 | D.2.5 Signature, Version Stamp, and Timestamp, p 2, s 4 | can use | may use
ENDL-187 | E | 242 | D.2.5 Signature, Version Stamp, and Timestamp, p 2, s 5 | doesn't | does not
IBM - Penokie-324 | E | 243 | D.2.6 FMPS Object Structure | None of the a.b.c lists in this section have the correct format. They all need to be fixed.
IBM - Penokie-322 | E | 243 | D.2.6 FMPS Object Structure, 1st paragraph | The statement << This section describes policy entities such as policy object, >> should be << This subclause describes policy entities such as policy object, >>
IBM - Penokie-323 | E | 243 | D.2.6 FMPS Object Structure, 1st paragraph | The statement in the ()s in the statement << Zoning set and security policy set (defined and active). >> make no sense. This needs to be fixed.
ENDL-190 | E | 243 | D.2.6 FMPS Object Structure, Note 33, s 1 | FC-SW | FC-SW-3
ENDL-188 | E | 243 | D.2.6 FMPS Object Structure, p 1, s 1 | This section | This subclause
ENDL-189 | E | 243 | D.2.6 FMPS Object Structure, Security Policy Set Object | can be | may be
IBM - Penokie-325 | E | 243 | D.2.6 FMPS Object Structure, Security Policy Set Object description | The statement << The security policy set can be either defined or active set. >> should be << The security policy set may be either defined or active set. >>
IBM - Penokie-326 | E | 243 | D.2.7.1 Overview, 1st paragraph | The statement << This section details how a secure fabric is initialized >> should be << This subclause details how a secure fabric is initialized >>
ENDL-191 | E | 243 | D.2.7.1 Overview, p 1, s 1 | This section details | This subclause describes
IBM - Penokie-327 | E | 244 | D.2.7.2 Protocol Requirements, 2nd paragraph | ###################################
IBM - Penokie-333 | E | 244 | D.2.7.3 Fabric Initialization Process | None of the a.b.c lists in this section have the correct format. They all need to be fixed.
IBM - Penokie-332 | E | 244 | D.2.7.3 Fabric Initialization Process, 1st a,b,c list item a) | The statement << each SCS switch examines its 'reachable domain list' to determine which >> should be << each SCS switch examines its reachable domain list to determine which >>
IBM - Penokie-328 | E | 244 | D.2.7.3 Fabric Initialization Process, 2nd paragraph | The statement << process is done, two adjacent switches >> should be << process is complete, two adjacent switches >>
IBM - Penokie-329 | E | 244 | D.2.7.3 Fabric Initialization Process, 2nd paragraph | The statement << switch can join to the secure fabric or not. >> should be << switch is able to join to the secure fabric or not. >>
IBM - Penokie-330 | E | 244 | D.2.7.3 Fabric Initialization Process, 2nd paragraph | The statement << switches have exactly the same SCS list to receive >> should be << switches have the same SCS list to receive >>
IBM - Penokie-331 | E | 244 | D.2.7.3 Fabric Initialization Process, 2nd paragraph | The statement << stamp means the switch is willing to accept a downloaded security database >> should be << stamp means the switch is able to accept a downloaded security database >>
IBM - Penokie-334 | E | 244 | D.2.7.3 Fabric Initialization Process, note 34 | The statement << It cannot perform fabric-wide security management >> should be << It is not able to perform fabric-wide security management >>
ENDL-194 | E | 244 | D.2.7.3 Fabric Initialization Process, Note 34, s 1 | In the worst case, if no primary SCS switch comes up, a switch | In the worst case (i.e., if no primary SCS switch is found in the fabric), a switch
ENDL-195 | E | 244 | D.2.7.3 Fabric Initialization Process, Note 34, s 2 | It cannot perform | It is unable to perform
ENDL-192 | E | 244 | D.2.7.3 Fabric Initialization Process, Stage 1 - SCS list and version stamp exchange | can join | is allowed to join
ENDL-193 | E | 244 | D.2.7.3 Fabric Initialization Process, Stage 2, list entry a, p 1, last s in p | which downloads | that downloads
IBM - Penokie-335 | E | 244 | D.2.7.3 Fabric Initialization Process, Stage 3 description | The statement << type of switch (primary SCS, non-primary SCS or non-SCS), each >> should be << type of switch (i.e., primary SCS, non-primary SCS or non-SCS), each >>
IBM - Penokie-336 | E | 245 | D.2.7.4 Fabric Join, 1st paragraph | The statement << When new switches join the fabric and become 'reachable', the primary >> should be << When new switches join the fabric and become reachable, the primary >>
IBM - Penokie-337 | E | 245 | D.2.7.4 Fabric Join, 2nd paragraph | The statement << fabrics successfully; both have the same SCS list to agree >> should be << fabrics successfully both have the same SCS list to agree >>
IBM - Penokie-338 | E | 245 | D.2.7.4 Fabric Join, 2nd paragraph | The statement << SCS and backup (non-primary) SCS switches. >> should be << SCS and backup (i.e., non-primary) SCS switches. >>
IBM - Penokie-339 | E | 245 | D.2.7.4 Fabric Join, 2nd paragraph | The statement << stamps set to 0 to signal that the switch is willing to accept the others security database. >> has two problems and should be << stamps set to zero to signal that the switch is able to accept the others security database. >>
IBM - Penokie-340 | E | 245 | D.2.7.5 Full Database Distribution During Initialization and Joining Process, 1st paragraph | The statement << policy sets (defined and active) in one payload. >> should be << policy sets (i.e., defined and active) in one payload. >>
IBM - Penokie-341 | E | 245 | D.2.7.6 Database Distribution Request from an administrator, 1st paragraph | The statement << However, all user-initiated changes can be done on any SCS switch. >> should be << However, all user-initiated changes may be done on any SCS switch. >>
ENDL-196 | E | 245 | D.2.7.6 Database Distribution Request from an administrator, p 1, s 2 | can be done | may be performed
ENDL-197 | E | 246 | D.2.8.1 General Download Request Format, Addressing, p 1, s 1 | exchange/download | exchange or download
IBM - Penokie-342 | E | 246 | D.2.8.1 General Download Request Format, Payload description, 3rd paragraph | The statement << The version stamp field is set to 0. >> should be << The version stamp field is set to zero. >>
IBM - Penokie-343 | E | 246 | D.2.8.1 General Download Request Format, Payload description, 4th paragraph | The statement << SCS, so the receiver can get the public key to verify the signature >> should be << SCS, so the receiver is able to get the public key to verify the signature >>
ENDL-198 | E | 246 | D.2.8.1 General Download Request Format, Payload, p 2, s 1 | doesn't | does not
ENDL-199 | E | 246 | D.2.8.1 General Download Request Format, Payload, p 3, s 2 | can be used | may be used
ENDL-200 | E | 246 | D.2.8.1 General Download Request Format, Payload, p 4, s 2 | can get | is able to obtain
ENDL-201 | E | 247 | D.2.8.1 General Download Request Format, 1st p after table A.8, s 1 | hex '72' | 72h
IBM - Penokie-345 | E | 247 | D.2.8.1 General Download Request Format, SEC ILS Code description | The statement << This value is set to hex '72' to indicate this internal link >> should be << This value is set to 72h to indicate this internal link >>
IBM - Penokie-344 | E | 247 | D.2.8.1 General Download Request Format, Table A.8 | The tables in this annex are all mislabeled. They should be D.x not A.x.
IBM - Penokie-348 | E | 248 | D.2.8.1 General Download Request Format, Certificate Length description | The statement << certificate. 0 if not used. >> should be << certificate. Set to zero if not used. >>
IBM - Penokie-347 | E | 248 | D.2.8.1 General Download Request Format, Database Length description | The statement << Set to 0 if it is not used. >> should be << Set to zero if it is not used. >>
ENDL-202 | E | 248 | D.2.8.1 General Download Request Format, last p in subclause | can be | may be
IBM - Penokie-346 | E | 248 | D.2.8.1 General Download Request Format, Signature Length description | The statement << Set to 0 if it is not used. >> should be << Set to zero if it is not used. >>
IBM - Penokie-349 | E | 249 | D.2.8.3 Security Policy Download Request, 1st paragraph | The statement << The request can download either one or both of them. >> should be << The request may download either one or both of them. >>
IBM - Penokie-353 | E | 249 | D.2.8.3 Security Policy Download Request, Active Database Set Length description | The statement << This field is set to 0 if there >> should be << This field is set to zero if there >>
IBM - Penokie-350 | E | 249 | D.2.8.3 Security Policy Download Request, Certificate Object description | The statement << It needs to send its certificate so the receiving switches can get the public key >> should be << It sends its certificate so the receiving switches are able to get the public key >>
IBM - Penokie-351 | E | 249 | D.2.8.3 Security Policy Download Request, Defined Database Set Length description | The statement << This field is set to 0 if there is no defined >> should be << This field is set to zero if there is no defined >>
IBM - Penokie-354 | E | 249 | D.2.8.3 Security Policy Download Request, Number of Active Policies description | The statement << This field is set to 0 if there >> should be << This field is set to zero if there >>
IBM - Penokie-352 | E | 249 | D.2.8.3 Security Policy Download Request, Number of Defined Policies description | The statement << This field is set to 0 if there is no defined >> should be << This field is set to zero if there is no defined >>
ENDL-203 | E | 249 | D.2.8.3 Security Policy Download Request, p 1, s 2 | can download | may download
ENDL-204 | E | 249 | D.2.8.3 Security Policy Download Request, p 2, s 1 | doesn't | does not
ENDL-206 | E | 249 | D.2.8.4 Security Policy Set Object, 1st p after table A.12, s 3 | can get | are able to get
ENDL-205 | E | 249 | D.2.8.4 Security Policy Set Object, p 1, s 2 | which has many | that has many
IBM - Penokie-355 | E | 250 | D.2.8.3 Security Policy Download Request, Type description | The statement << If a switch receives a policy that it either does not or cannot enforce, it still retains it. >> should be << If a switch receives a policy that it is not able to enforce, it still retains it. >>
ENDL-207 | E | 250 | D.2.8.5 Security Policy Object, 1st p after table A.13, s 4 | cannot | is unable to
IBM - Penokie-356 | E | 251 | D.2.8.3 Security Policy Download Request, Policy Name description | The statement << Name can not contain spaces >> should be << Name is not able to contain spaces >>
IBM - Penokie-357 | E | 251 | D.2.8.3 Security Policy Download Request, Policy Name description | ###################################
ENDL-208 | E | 251 | D.2.8.5 Security Policy Object, 1st p after table A.15, s 1 | Other field definitions in this subclause are not capitalized like this. | 'Length' [s/b] 'length'
ENDL-211 | E | 251 | D.2.8.5 Security Policy Object, 2nd p after table A.15 | (Name of the policy should relate to the function of the policy. E.g., TELNET policy is used to authorize telnet connection to the switch). | The name of the policy should relate to the function of the policy (e.g., TELNET policy is used to authorize telnet connection to the switch).
ENDL-209 | E | 251 | D.2.8.5 Security Policy Object, 2nd p after table A.15, s 1 | Other field definitions in this subclause are not capitalized like this. | 'Name' [s/b] 'name'
ENDL-210 | E | 251 | D.2.8.5 Security Policy Object, 2nd p after table A.15, s 2 | Name can not contain | The name is not allowed to contain
ENDL-213 | E | 252 | D.2.8.7 Zone Set Object Structure, p 1, s 1 & last s in p | FC-SW [twice] | FC-SW-3
ENDL-214 | E | 252 | D.2.8.7 Zone Set Object Structure, p 1, s 4 | can be used | may be used
IBM - Penokie-358 | E | 252 | D.2.8.8 General Download Accept Format, 1st paragraph | The statement << It could be either reject or accept payload. >> should be << The primary SCS may either reject or accept the payload. >>
IBM - Penokie-359 | E | 252 | D.2.8.8 General Download Accept Format, 2nd paragraph | ###################################
ENDL-215 | E | 252 | D.2.8.8 General Download Accept Format, p 1, s 1 | The payload | The payload described in this subclause
ENDL-216 | E | 252 | D.2.8.8 General Download Accept Format, p 1, s 2 | It could be | It may be
ENDL-217 | E | 252 | D.2.8.8 General Download Accept Format, p 2, s 1 | This paragraph is not a note. | Delete 'Note:'
ENDL-218 | E | 252 | D.2.8.8 General Download Accept Format, p 2, s 1 | can use | may use
ENDL-219 | E | 252 | D.2.8.8 General Download Accept Format, p 2, s 1 | FC-SW | FC-SW-3
ENDL-220 | E | 252 | D.2.8.8 General Download Accept Format, p 2, s 1 | this new payload | this payload
ENDL-221 | E | 252 | D.2.8.8 General Download Accept Format, p 2, s 2 | This section | This subclause
IBM - Penokie-360 | E | 253 | D.3.1 Fabric Binding Overview, 2nd paragraph | The statement << E_Ports is updated to reflect the 'Invalid Attachment' >> should be << E_Ports is updated to reflect the Invalid Attachment >>
IBM - Penokie-361 | E | 254 | D.3.2 Joining Switches, 2nd paragraph | The statement << corresponding port state to 'Invalid Attachment' >> should be << corresponding port state to Invalid Attachment >>
ENDL-222 | E | 254 | D.3.2 Joining Switches, p 2, s 1 | fabric ,of | fabric, of [space after comma, not before]
IBM - Penokie-362 | E | 255 | D.3.6.1 EFMD Request Payload, Revision description | The statement << Is set to 00000001h. >> should be << Is set to 0000 0001h. >>
IBM - Penokie-363 | E | 256 | D.3.6.1 EFMD Request Payload, 1st paragraph after table A.24 | The statement << with reason code of Command Not Supported. >> should be << with reason code of 'Command Not Supported'. >>
ENDL-223 | E | 256 | D.3.6.1 EFMD Request Payload, Fabric Binding Membership List Entry, p 2, s 5 | which is used | that is used
ENDL-224 | E | 257 | D.3.6.3 EFMD Accept Payload, table A.26, row 3 | FC-SW | FC-SW-3
IBM - Penokie-364 | E | 257 | D.3.7 Exchange Security Attributes (ESA), 1st paragraph | The statement << two switches to determine if compatible security enforcement can be established and enforced by the >> should be << two switches to determine if compatible security enforcement is able to be established and enforced by the >>
ENDL-225 | E | 257 | D.3.7 Exchange Security Attributes (ESA), p 1, s 2 | if compatible security enforcement can be established and enforced by the formation of the switches into a fabric | if it is possible to establish and enforce compatible security functions if the switches are joined in a single fabric
ENDL-226 | E | 258 | D.3.7.1 ESA Request Payload, Bit 1 - Insistent Domain Id, s 2 | ensures that it will join | operates such that it joins
IBM - Penokie-365 | E | 258 | D.3.7.1 ESA Request Payload, Revision description | The statement << Is set to 00000001h. >> should be << Is set to 0000 0001h. >>
IBM - Penokie-366 | E | 258 | D.3.7.2 Enforced Security Attribute Object, Bit 1 - Insistent Domain Id description | ###################################
IBM - Penokie-367 | E | 259 | D.3.7.3 Use of Enforced Security Attribute and Required Security Attribute Mask | The quotes around the reason code and the reason code explanation should be single quotes not double quotes.
ENDL-227 | E | 259 | D.3.7.4 Extended Security Attribute Object, p 2, s 1 | Bit 0-31 | Bit 0 .. 31
IBM - Penokie-368 | E | 259 | D.3.7.5 Use of Extended Security Attribute and Required Extended Security Attribute Mask | The quotes around the reason code and the reason code explanation should be single quotes not double quotes.
IBM - Penokie-369 | E | 259 | D.3.7.6 ESA Accept Payload, Revision description | The statement << Is set to 00000001h. >> should be << Is set to 0000 0001h. >>
IBM - Penokie-370 | E | 260 | D.3.8.1 QSA Version 1 Request Payload, Revision description | The statement << Is set to 00000001h. >> should be << Is set to 0000 0001h. >>
IBM - Penokie-371 | E | 260 | D.3.8.2 QSA Version 1 Accept Payload | The statement << Revision field is set to 00000001h. >> should be << Revision field is set to 0000 0001h. >>
Brocade-21 | E | all | all | As a rule of thumb, text should be ragged right with no hyphenation for best readability. A classic example of the problems of justifying both sides and allowing hyphenation is clause 3.1. | Make recommended correction
QLogic-07 | E | cover | cover | Change FC-SP chair to David Black.
Brocade-16 | E | Cover | Cover | Correct phone numbers: Snively: office is 408-333-8135. Snively: no fax number | Make recommended correction
CNT-7 | E | Global | 8 | Change bars. | Remove change bars when finished.
CNT-11 | E | Global | 4.1 p1, s2 | Fabric or fabric | Pick fabric or Fabric and use it consistently.
CNT-2 | E | Global | xii | Consistent use of upper or lower case in headings, figures, and tables. See headings 8.3 and 8.4 versus the other headings. | Pick upper or lower case and be consistent.
CNT-3 | E | Global | xiv | Blank pages | Remove all blank pages.
McDATA-1 | E | I | Points of Contact | Jim is no longer with Brocade. | Use current facilitator
CNT-9 | E | ii | Revision history | Remove when finished.
Veritas-1 | E | ii | Release Notes | need to be deleted before LB
McDATA-2 | E | iii | Abstract | This is a run-on sentence. | Break it up into several sentences and don't use "protocols" so much.
Brocade-43 | E | iv | Patent notice | There are patents associated with this document, particularly those associated with SRP. At least one company has indicated its willingness to meet the ANSI patent requirements. | Change patent disclaimer to the proper disclaimer for documents covered by patents. See whatever replaced SD-9 on the INCITS web-site.
CNT-1 | E | ix | Table of Contents | No Table of Contents heading | Add heading
Brocade-2 | E | v | Foreword | The word "which" should almost always be deleted or replaced with the word "that". In some cases other rewrites are desirable. There are also some cases where "which" should be replaced with "the ___ that". | Replace "which" with "that" on pages v, vi, 69. Examples of special concern are on pages 15, 16, 38, 52, 57, 58, 67, 68, 69 and many others. All cases of "which" should be globally searched for and adjusted accordingly.
McDATA-3 | E | v | Foreword | The first paragraph is redundant. | Write something original.
Veritas-2 | E | v | Foreword | Dates in second paragraph need to be updated.
McDATA-4 | E | v | Foreword, second paragraph | "The standards approval process started in 2003." is unnecessary. | Delete the sentence.
QLogic-08 | E | viii | Acknowledgements | I recommend we add a special acknowledgement to Jim. | Worded something like: "The editor and working group would like to extend a special thanks to Jim Klensteiber for his knowledge and leadership as Chair of the FC-SP working group."
CNT-10 | E | viii | Introduction | Have not learned Italian yet. | Convert intro text to English.
McDATA-5 | E | viii | Introduction | We're not in Rome, get rid of the Latin. | Write English and don't repeat the Foreword.
Veritas-3 | E | viii | Introduction | I do not understand! A huge trunk lies on the shore, the head torn from the shoulders and a body without a name (Careful you don't end up like Priam!) | Write clearly. Let there be light.
Emulex-038 | E | viii | | The title of the first section on the page uses terminology inconsistent with the body of the section. | Introductus?
McDATA-6 | E | xiv | blank page | Delete all blank pages. Do a global search.
Brocade-17 | E | xiv | | Blank pages here are not necessary. The only places they appear to be desirable are to place Scope on "page 1" and to place the first page of the first annex on a right hand page. | Make recommended correction. This should also be applied to page 14 and perhaps some other pages.
CNT-4 | E | xv | List of Figures | No List of Figures heading | Add heading
CNT-5 | E | xvi | List of Tables | No List of Tables heading | Add heading
IBM - Dugan-373 | E | | 6.5 | A definition for IKE and Child is needed.
IBM - Dugan-377 | E | | 8.6 | The title needs to be restructured. Suggest the following: Nx_Port to Fabric Authentication (NFA) State Machine.
IBM - Dugan-378 | E | | 8.7 | The title of Clause 8.7 needs to be restructured. Suggest the following: Fabric to Nx_Port Authentication (FNA) State Machine.
IBM - Dugan-374 | E | | 7.5.3.2 | Table 182, change text from i.e. to e.g. since there may be future extensions.
IBM - Dugan-375 | E | | 7.5.4 | The LS_RJT is subject to the rule 3 below. The sentence needs to be re-worded.
IBM - Dugan-376 | E | | 8.5.4.5 | There should be some suggested implementation notes on when a Login should be attempted following a LOGO. Without this information, an implementation could cause a traffic bottleneck.
IBM - Dugan-372 | E | | Intro | The introduction text should be written in English.
McDATA-158 | | 67 | 6.1.2 title | IKE_SA_INIT is not a protocol. | Remove protocol from title.
McDATA-211 | | 84 | 6.3.5 | Missing 6.3.5 for Certificate Request Payload. | Add.
McDATA-302 | | 177 | 8.1 | Shouldn't this term be defined in 8.2: "Entity Authentication"?
McDATA-314 | | 179 | 8.4.2 | The intent of this first paragraph is unclear. Maybe a note could be added describing the intent?
McDATA-319 | | 180 | b) | The intent of this paragraph is unclear. Maybe a note could be added describing the intent, with examples and counterexamples?
McDATA-320 | | 180 | the 2 paragraphs above 8.4.3 and both paragraphs of 8.4.3 | The intent of this paragraph is unclear. Maybe a note could be added describing the intent, with examples and counterexamples?
McDATA-354 | | 190 | 8.6.4.15 first sentence | Consistently refer to an easy to understand name (NFA_S5 - name...).
McDATA-355 | | 191 | 8.7.1 par 3 | Says: "The FNA state machine shall be specified.... ....and the NFA state machine shall cause no action or state change" Is the above statement referring to NFA state machine correctly?
McDATA-358 | | 197 | 8.8.1 par 3 | Says: "The NNA state machine shall be specified.... ....and the NFA state machine shall cause no action or state change" Is the above statement referring to NFA state machine correct?
HPQ #36 | | PDF Page 100 | 6.3.2.1 Payload Structure | ###################################
HPQ #38 | | PDF Page 100 | 6.3.2.1 Payload Structure | Table 73 - DH Groups Transform_IDs: After each "nnnn bit" add "modular exponential (MODP) group"
HPQ #39 | | PDF Page 100 | 6.3.2.1 Payload Structure | Table 73 DH Groups Transform_IDs: Change Groups to Group in table title
HPQ #40 | | PDF Page 100 | 6.3.2.1 Payload Structure | Table 72 Integrity Algorithms Transform_IDs: In note b, change AUTH_HMAC_SHA1_128 to AUTH_HMAC_SHA1_160
HPQ #37 | | PDF Page 100 | Delete "Appendix B of" | Usually naming sections of other documents is prohibited (although since RFCs never change once published, that might not be true). However, appendix B doesn't seem right anyway. The group is defined in section 6.1 of that standard.
HPQ #34 | | PDF Page 100 | Table 71 | Add a reference for PRF_AES_CBC (Probably FIPS 197 for AES and FIPS SP800-38A for the CBC mode)
HPQ #35 | | PDF Page 100 | Table 72 Integrity Algorithms Transform_IDs | Fix TBDs
HPQ #41 | | PDF Page 101 | 6.3.2.2 Mandatory Transform_IDs | Fix TBD in the required encryption algorithm for ESP_Header list.
HPQ #42 | | PDF Page 101 | 6.3.2.2 Mandatory Transform_IDs | Fix TBD in the required integrity algorithm for ESP_Header list.
HPQ #43 | | PDF Page 101 | 6.3.2.2 Mandatory Transform_IDs | After the last item b) add a period
HPQ #44 | | PDF Page 101 | 6.3.2.2 Mandatory Transform_IDs | first item b): Either delete "group" from "group 14 (2048 bit)" or add it before the "2 (1024 bits)."
HPQ #45 (PDF Page 101, 6.3.2.2 Mandatory Transform_IDs): Change "1024 bits" to "1024 bit".
HPQ #46 (PDF Page 102, 6.3.2.3 Transform Attributes Definition): Change document to standard.
HPQ #47 (PDF Page 103, 6.3.2.4 Use of the SA Payload with CT_Authentication): Fix TBDs.
HPQ #48 (PDF Page 105, 6.4.1 Overview): Change the to The.
HPQ #49 (PDF Page 106, 6.4.2 Encrypted Payload): Change "document" to "standard".
HPQ #50 (PDF Page 107, 6.4.3 Identification Payload): Table 83 - Type Identifiers. Fix TBD.
HPQ #51 (PDF Page 109, 6.4.5 Traffic Selector Payload): Fix TBD after table 87.
HPQ #52 (PDF Page 112, 6.4.7 Certification Request Payload): Change document to standard.
HPQ #53 (PDF Page 117, 6.6.2 Notify Payload): Table 96. Change Sheet to Part.
HPQ #54 (PDF Page 124, 6.7.3 AUTH_Negotiate IKEv2 Parameters): After "Authentication Protocol Identifier" add "= 0000 0004h" to match the format of the other authentication protocol identifier fields.
HPQ #56 (PDF Page 124, 6.7.3 AUTH_Negotiate IKEv2 Parameters): Change 04h to 0000 0004h.
HPQ #55 (PDF Page 124, 6.7.4 AUTH_Negotiate IKEv2-AUTH Parameters): After "Authentication Protocol Identifier" add "= 0000 0005h" to match the format of the other authentication protocol identifier fields.
HPQ #57 (PDF Page 124, 6.7.4 AUTH_Negotiate IKEv2-AUTH Parameters): Change 05h to 0000 0005h.
HPQ #58 (PDF Page 127, 6.8.6 Cryptographic Algorithms Negotiation): item b) This standard does not appear to define or support ENCR_3DES, so that should not be in the example.
HPQ #59 (PDF Page 127, 6.8.6 Cryptographic Algorithms Negotiation): Item b) There is not exactly an AUTH_HMAC_MD5 or AUTH_HMAC_SHA1 transform ID - there are 2 of each (AUTH_HMAC_MD5_96 and AUTH_HMAC_MD5_128, AUTH_HMAC_SHA1_96 and AUTH_HMAC_SHA1_160).
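The point behind HPQ #40 and HPQ #59 is that the numeric suffix of an integrity Transform_ID is the length in bits of the authenticator carried on the wire, so AUTH_HMAC_SHA1 exists only as _96 (the IPsec-style 12-byte truncation) or _160 (the full SHA-1 HMAC), never as _128. The following added example, written for this page and not code from the FC-SP standard or from any of the commenting companies, computes and verifies the ICV for the four names the comment lists; the key and payload bytes are constructed sample values.

```python
import hashlib
import hmac

# Transform_ID name -> (hash, authenticator length in bytes). The numeric
# suffix is the length of the ICV actually sent: _96 is the 12-byte
# truncation used by IPsec ESP/AH, _128 and _160 are the full MD5 and
# SHA-1 HMAC outputs. There is no AUTH_HMAC_SHA1_128: SHA-1 yields 160
# bits, so the untruncated SHA-1 transform is _160.
INTEGRITY_TRANSFORMS = {
    "AUTH_HMAC_MD5_96":   (hashlib.md5,  12),
    "AUTH_HMAC_MD5_128":  (hashlib.md5,  16),
    "AUTH_HMAC_SHA1_96":  (hashlib.sha1, 12),
    "AUTH_HMAC_SHA1_160": (hashlib.sha1, 20),
}


def compute_icv(transform, key, data):
    """HMAC over data, truncated to the length the Transform_ID names."""
    digestmod, icv_len = INTEGRITY_TRANSFORMS[transform]
    return hmac.new(key, data, digestmod).digest()[:icv_len]


def verify_icv(transform, key, data, icv):
    """Constant-time check; a wrong-length ICV is rejected before comparing."""
    _, icv_len = INTEGRITY_TRANSFORMS[transform]
    if len(icv) != icv_len:
        return False
    return hmac.compare_digest(compute_icv(transform, key, data), icv)


def icv_lengths():
    """Map each transform name to the ICV length its suffix implies."""
    return {name: n for name, (_, n) in INTEGRITY_TRANSFORMS.items()}


if __name__ == "__main__":
    # Constructed sample key and payload; not values from the standard.
    key = b"constructed-sample-key"
    data = b"constructed sample payload"
    for name in INTEGRITY_TRANSFORMS:
        icv = compute_icv(name, key, data)
        print(f"{name:20s} {len(icv):2d} bytes  {icv.hex()}")
```

Note that the _96 ICV is simply the leading 12 bytes of the full HMAC, so a receiver must know the negotiated Transform_ID to decide how many bytes to compare; verify_icv refuses an ICV of the wrong length rather than comparing a prefix.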
HPQ #60 (PDF Page 131, 6.8.11 Generating Keying Material): Change "this document" to "this standard" or "this clause".
HPQ #61 (PDF Page 131, 6.8.12 Generating Keying Material for the IKE_SA): five other secrets: Convert the list into an a)b)c)d)e) format.
HPQ #62 (PDF Page 155, 7.1.8 Names used to define Policies): Add h after each of the name tags (assuming they are all hex values, not decimal values).
HPQ #63 (PDF Page 156, 7.1.8 Names used to define Policies): ###################################
HPQ #64 (PDF Page 180, 7.4.2 Check Policy Summary): Table 173. Fix TBD.
HPQ #65 (PDF Page 189, 7.6.3.3 The Zoning Check Protocol): Table 189. Fix TBD.
HPQ #66 (PDF Page 194, 7.6.5.2 Zone Information Request): Table 196. Fix TBD.
HPQ #67 (PDF Page 197, 8.1 Overview): After "FC_Port;" add "or".
HPQ #68 (PDF Page 200, 8.5.2.2 Abandon authentication request): Change "to" to "to:".
HPQ #2 (PDF Page 22, 2.2 Approved references): ANSI INCITS 305-1998, SCSI Enclosure Services (SES). Any reference to SES needs to be accompanied by a reference to SES-AM1. Add SES-2 to the References Under Development section.
HPQ #3 (PDF Page 22, 2.4 Other References): RFC Editor, Information Sciences Institute, University of Southern California, 4676 Admiralty Way, Suite 1001, Marina del Rey, CA 90292-6695; (310) 822-1511 or (310) 823-6714 (fax);" Isn't http://www.ietf.org sufficient?
HPQ #69 (PDF Page 225): Annex A is blank.
HPQ #72 (PDF Page 227, B.1.1 Objectives of this annex): Add a text line above the first a).
HPQ #70 (PDF Page 227, B.1.2 Random Number Generator): This text - requiring that random numbers truly be random - might be worth including in the main body as normative. Selecting the DH-CHAP values is not tied to RADIUS deployment.
HPQ #71 (PDF Page 227, B.1.2 Random Number Generator): FCAP and FCPAP also use random numbers (nonces and salts); include them in the a)b)c)d) list.
HPQ #73 (PDF Page 229, B.3.1 Message types): Fix "A RADIUS messages is a one packet".
HPQ #75 (PDF Page 231, B.3.2.1 User Name): ###################################
HPQ #74 (PDF Page 231, B.3.2.1 User-Name): Change "one" to 0001h after table A.4.
HPQ #76 (PDF Page 232, B.3.2.2 CHAP-Password): When MD5 is used for DH-CHAP the attribute length is 19. Either delete this, or add the length for SHA-1 (23) as well.
HPQ #77 (PDF Page 232, B.3.2.2 CHAP-Password): ###################################
HPQ #78 (PDF Page 233, B.3.2.3 CHAP-Challenge): Change "This field is 16 bytes for MD5, and contains the Challenge Value." to "This field contains the Challenge Value. This field is 18 bytes for MD5, and 22 bytes for SHA-1."
HPQ #79 (PDF Page 233, B.3.2.3 CHAP-Challenge): When MD5 is used for DH-CHAP the attribute length is 18. Add the SHA-1 length too (22 bytes), or delete the sentence.
HPQ #80 (PDF Page 233, B.4.1 RADIUS Authentication Method): "ought to be" is not an ISO/ANSI term.
HPQ #81 (PDF Page 248, D.2.8.1 General Download Request Format): Table A.10 Version Stamp Format, Day 1 - 7. Which day is day 1? Sunday?
HPQ #82 (PDF Page 248, D.2.8.1 General Download Request Format): Table A.10 Version Stamp Format, Year 0 - 99 seems open to a Y2K problem.
HPQ #4 (PDF Page 25, 3.2 Definitions): Add "nonce".
HPQ #5 (PDF Page 27, 3.4 Abbreviations, acronyms and symbols): Add: AES Advanced Encryption Standard (see FIPS-197); prf pseudo-random function (see 6.8.11).
HPQ #6 (PDF Page 29, 4.3 Authentication Infrastructure): Change "may accommodate" to "accommodates" in the last line on the page.
HPQ #7 (PDF Page 29, 4.3 Authentication Infrastructure): After "ESP_Header" add "(see FC-FS)".
HPQ #8 (PDF Page 30, 4.4 Authentication): Change "that they are communicating with" to "with which they are communicating."
HPQ #9 (PDF Page 31, 4.6.1 Policy Definition): Add a verb to "The Policy Summary Object also an easy comparison of policy configurations."
HPQ #10 (PDF Page 35, 5.1 Overview): After "Transaction Identifier" add (T_ID), since it is used for the first time in the figure following this paragraph.
HPQ #11 (PDF Page 36, 5.1 Overview): ###################################
HPQ #12 (PDF Page 37, 5.2.2 SW_ILS authentication messages): Somewhere in this section there should be a cross reference to FC-SW, since it "owns" the SW_ILS code assignments.
HPQ #13 (PDF Page 38, 5.2.2 ELS authentication messages): Somewhere in this section there should be a cross reference to FC-FS (or FC-LS?), since it "owns" the ELS code assignments.
HPQ #14 (PDF Page 40, 5.3.2 AUTH_Negotiate Message): ###################################
HPQ #15 (PDF Page 41, 5.3.3 Names used in Authentication): Table 11. Change 0001 to 0001h.
HPQ #16 (PDF Page 41, 5.3.3): 5.3.3 seems out of place. 5.3 is "Authentication Messages Common to Authentication Protocols"; 5.3.1 is an overview; 5.3.2, 5.3.4, and 5.3.5 are messages; 5.3.3 is not. Move it to 5.2 instead - it's more related to 5.2.4 Fields common to all AUTH messages.
HPQ #17 (PDF Page 42, 5.3.4 AUTH_Reject Message): Table 15. Change Sheet to Part.
HPQ #18 (PDF Page 46, 5.4.2.1 Overview): After table 18 add: Authentication Protocol Identifier: shall be set to 0000 0001h to identify DH-CHAP.
HPQ #19 (PDF Page 48, 5.4.2.3 DHgIDList Parameter): ###################################
HPQ #20 (PDF Page 48, 5.4.2.3 DHgIDList Parameter): Table 22 - DH Group Identifiers. Table 22, buried in the DH-CHAP Protocol section, is also referenced numerous times in 5.5 FCAP Protocol and 5.6 FCPAP Protocol. Consider moving it up into 5.2 or 5.3, which cover common structures.
HPQ #21 (PDF Page 48, 5.4.2.3 DHgIDList Parameter): Table 22 - DH Group Identifiers. Why is SRP-768 excluded? Why are 3072, 4096, 614, and 8192 bit not defined?
HPQ #22 (PDF Page 55, 5.5.2.1 Overview): After table 27 add: Authentication Protocol Identifier: shall be set to 0000 0002h to identify FCAP.
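HPQ #38, #44 and #21 all concern the DH group identifiers the DH-CHAP, FCAP and FCPAP protocols share: a "modular exponential (MODP) group" is just a prime p and generator g, and "group 2 (1024 bit)" and "group 14 (2048 bit)" are the IKE group numbers of the 1024- and 2048-bit primes. The added example below is written for this page and is not code from the FC-SP standard or from any commenter. It carries the IKE group 2 prime from RFC 2409 (the 1024-bit MODP group, generator 2), checks that the constant is a prime and that (p-1)/2 is prime too, runs a Diffie-Hellman exchange over it, and rejects the degenerate peer values 0, 1 and p-1 that would force the shared secret to a known value. Group 14 is omitted only to keep the constant short; it plugs into MODP_GROUPS the same way.

```python
import secrets

# Second Oakley Group (RFC 2409 section 6.2), IKE group 2: the 1024-bit
# MODP prime with generator 2, stated there as
#   p = 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }
MODP_GROUP_2_P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)

MODP_GROUPS = {
    # group id: (prime p, generator g, size in bits)
    2: (MODP_GROUP_2_P, 2, 1024),
}

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic, and never rejects a prime."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime_group(group):
    """True when p and (p-1)/2 are both prime, so g generates a large
    prime-order subgroup and small-subgroup confinement is not possible."""
    p, _, _ = MODP_GROUPS[group]
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def valid_public_value(group, y):
    """Reject 0, 1, p-1 and anything out of range: with those the shared
    secret is forced to 0 or 1 whatever the private exponent is."""
    p, _, _ = MODP_GROUPS[group]
    return 1 < y < p - 1


def generate_keypair(group):
    p, g, _ = MODP_GROUPS[group]
    x = 2 + secrets.randbelow(p - 3)        # private exponent in [2, p-2]
    return x, pow(g, x, p)                  # (private x, public g^x mod p)


def shared_secret(group, x, peer_y):
    p, _, _ = MODP_GROUPS[group]
    if not valid_public_value(group, peer_y):
        raise ValueError("peer public value is degenerate or out of range")
    return pow(peer_y, x, p)


if __name__ == "__main__":
    xa, ya = generate_keypair(2)
    xb, yb = generate_keypair(2)
    assert shared_secret(2, xa, yb) == shared_secret(2, xb, ya)
    print("group 2 prime is", MODP_GROUP_2_P.bit_length(), "bits;",
          "safe-prime group:", is_safe_prime_group(2))
```

The public-value check is the part a DH-CHAP implementation must not skip: a peer that sends 1 or p-1 learns nothing about the private exponent but fixes the shared secret, and without the check the later hash over that secret authenticates nothing.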
HPQ #23 (PDF Page 57, 5.5.2.3 DHgIDList Parameter (for FCAP); 5.5.3.1 Message Format): Change "(see table 22)" to "(see table 22 in 5.4.2.3)" to highlight that it's pointing into a different authentication protocol's (DH-CHAP) section. (two times on the page)
HPQ #24 (PDF Page 58, 5.5.3.2 FCAP Certificate Format): Add " " around "03:01:04...".
HPQ #25 (PDF Page 60, 5.5.4.2 FCAP Signature Format): Should there be a statement like this? Support for the RSA-SHA1 signature format is mandatory for FCAP. There's only one defined now, but there could be more later. For SHA-1 hashing, a similar statement is included although only SHA-1 is defined.
HPQ #26 (PDF Page 65, 5.6.2.1 Overview): After table 41 add: Authentication Protocol Identifier: shall be set to 0000 0003h to identify FCPAP.
HPQ #27 (PDF Page 67, 5.6.2.3 DHgIDList Parameter (for FCAP); 5.6.3 FCPAP_Init Message): Change "(see table 22)" to "(see table 22 in 5.4.2.3)" to highlight that it's pointing into a different authentication protocol's (DH-CHAP) section. (two times on the page)
HPQ #1 (PDF Page 8, Introduction): Please translate this gibberish into English.
HPQ #28 (PDF Page 94, 6.3.2.1 Payload Structure): "(e.g., an SA_Initiator may want to propose using (CT_Authentication with MD5) or (ESP_Header with MD5 and 3DES))." This standard does not appear to define or support 3DES, so that should not be in the example.
HPQ #29 (PDF Page 96, Table 65 - Examples of proposals): HMAC_MD5 needs to be _96 or _128 (several times in this table).
HPQ #30 (PDF Page 97, 6.3.2.1 Payload Structure): Table 67 - Security Protocol Identifiers. Fix the two TBDs.
HPQ #31 (PDF Page 98, 6.3.2.1 Payload Structure): NOTE 16, NOTE 17 (and possibly elsewhere). I recommend using numeric values for the Transform_ID values rather than "three" and "zero". Hex format would stand out even better.
HPQ #32 (PDF Page 99, Table 70): Add references for ENCR_AES_CBC and ENCR_AES_CTR. Probably FIPS 197 for AES and FIPS SP800-38A for the modes: Recommendation for Block Cipher Modes of Operation, NIST Special Publication 800-38A, 2001 Edition.
HPQ #33 (PDF Page 99, Table 70 - Encryption Algorithms Transform_IDs): ###################################
Meeting-1, 9/15/2004 (T). Problem: There is the need to select a couple of cryptographic algorithms and a couple of integrity algorithms to be specified, probably as must and should, in the FC-SP standard. We are not yet ready to evaluate GCM; the issue is momentarily deferred. Suggested solution: Pick an AES based algorithm and a non AES based algorithm for both integrity and encryption. 3DES-CBC is the most likely non AES based encryption algorithm.