[IPsec] AD Review of draft-ietf-ipsecme-iptfs-12
Roman Danyliw <rdd@cert.org> Wed, 04 May 2022 21:19 UTC
Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C4CFC159527 for <ipsec@ietfa.amsl.com>; Wed, 4 May 2022 14:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zLlcTu7k9Qn for <ipsec@ietfa.amsl.com>; Wed, 4 May 2022 14:19:53 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0131.outbound.protection.office365.us [23.103.209.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C799EC1594B9 for <ipsec@ietf.org>; Wed, 4 May 2022 14:19:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ahdXh5O5CP1oma7smS+ZbmmMRjlDLvQOz+dRfmTBgDafxhYE3/Y+S/FpqpYLDEJpVg3/o1UbEdpGhaAftUj9QQJ2a7CP8drq4wHT3jCkiUpRZl2200poUW1BsMn7az7wqFI0PV6WYeX3ooJO+9cyvoAVz3dNTgIVIPgmzqjVOpWbeQLGtPLsxn/q9NEfgZYE+N9j5vj/36SLpck3b2IfTv7SUT3yFlhqFOhE1LR8HfC0iveJA96gL5nbMDTqdzIMvo/qZwdV6kpFDFoThYQ4pLjwWupfzxMRaoAog1SI7SKvOblro4esYMA/xe0S510jWw8QuFgHz5gFsgYN43VQKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pBXQ3onytYeQgNrkh/zi/yXZXUvLcAN1aiHvGjWLn+w=; b=J9M7ox1T1S3Vw6f/FuObztOx2FWtBDYlXubGDCrQk2c4kQrC/dcBNGZ9I/ylfYeRC+a/1vtz9AGEbpptpX6GeSTQkePOzI80q/njugGUdcXbw67TeCo7n3phLD4eyzQz9X3Gun/3sEvaqOX9zIX+oCI43emiD4MNhBlt8+sAAju4Xv5N37qPomSDyyp+Ra9JuuTykIccLY01lYXrWFQSbc81K/hprOwx1eHqe2mGVBsJGcvd/cjh99+b7CQU/APUR9LeB7ijmiWXz2BqkfEIYl7yAMQ1SFHSNCdkz/3eZg/ZL80ZDxPdTVuuf3e4n6MduF1OIz20ej3Zu5lmQKWLwA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pBXQ3onytYeQgNrkh/zi/yXZXUvLcAN1aiHvGjWLn+w=; b=LhF6IAe+iDvdb3KI3MgWyPn5KGnG9g6xLSwRdX0PMe9WhgwRrGJdwrCXW1LnMSfaeDdDGHn2brbF+4eY3J06kQPEhLsIu5dQkXhAYuV2AQYgIjq9KWfgNYu/N1rroIX1WQITljLJpsaTlDhxlw06ffB2fhQ6VLqyZGzhNqJWYOk=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1349.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:179::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.25; Wed, 4 May 2022 21:19:46 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61d4:e6f0:d8e4:7722]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61d4:e6f0:d8e4:7722%6]) with mapi id 15.20.5186.028; Wed, 4 May 2022 21:19:46 +0000
From: Roman Danyliw <rdd@cert.org>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: AD Review of draft-ietf-ipsecme-iptfs-12
Thread-Index: Adhf+9Ju7w3kNfIOTOaRkFtCFTUGww==
Date: Wed, 04 May 2022 21:19:46 +0000
Message-ID: <BN2P110MB1107DF0E506843CDB2C9D0E7DCC39@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 879c6fc4-527c-471d-13c1-08da2e13d0a2
x-ms-traffictypediagnostic: BN2P110MB1349:EE_
x-microsoft-antispam-prvs: <BN2P110MB13496BD6DA4355CA8AD53315DCC39@BN2P110MB1349.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: IKdUC9oOcQoIwLpztK+bTao08uzUsmPtRmIUyHv0O0DhFpgsMgWVv6gv1SP8yUyINRjGovVdmpWKpR0U5Ak8+oUCz8R16Kn71HIPR/UFlWHIBKqC/o/a62SmYGveFu8KhT7NYhSQEM8HsZV0Kx4risxbghEUqNo/qihLMPhh2FkwAbcwmvaUCOCH+ozSJJWsM9wJPO6B8ycnwqkqvijdizFjKfXkKt4ig7INS2AYxtlDrW6w+v5QpkOi4+/K1Gy/PJRa+IupPIB2l2Cw5Ske1cK1oIoYk3Q5mZbUpUlstPAEl+/N40JclDIxPFfWcVoovCdImc0eJV3qYL2HSn1cmpeMfcPYXG0+3CylPXVOcvBVqAFHaDeAxZ17zcmKdPq0yCEGROeOGGwRH5y9VNwlqjijWGh7Dvyn98bxCnQ42gMQSPHBu2sqG/3SfF/Vc5rPGCHGgKRBi1wRKwumFbO5APGj+8xPAaOtHa6i4dpbOsAGmhwsROSFPEiVBGbGB4RnTjbk/rIBnRbU50mPuL6jCyrYgs7FoeF9fLXNRBL1Svpfcdipgx65Pei63Ku5vrjphqehIUMNR8SxvKZ5yL9D3K6Vptd4PwJJgOEShA5HpfKBEdlwolb4d+vEqWbM52/G
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(6916009)(83380400001)(8676002)(66946007)(66446008)(66476007)(64756008)(76116006)(2906002)(66556008)(71200400001)(52536014)(498600001)(5660300002)(9686003)(8936002)(33656002)(7696005)(186003)(26005)(6506007)(38100700002)(38070700005)(86362001)(55016003)(122000001)(82960400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: RsO6V/ag2zKUGRfOmf42i40vG6wPVCL4qNFhNpYviMxE4cAbhdcagGvKyLOlZ3v/FHIG2VqWu6RFy+r1ZURZgXpUm7JukkfPU8vVxlPnq0/PPvm/5uUeezhDOyrUAdp4C5TuDb418UxhOCOf1zIMICCW67E8PeAJ2S3Kq+5Hg6k2INcpxPN2gioC5IJBh+Bb5/kkSJ/UwgeTQxC9C6DZUZTjYm6AoJAIa4S1ylSuN1zBiVB/RT0C+He7q1pjA8EasPBO+zusyoVC4qWQ0PjVquB8pmn1yxaHciz/SQDW6Z7ReO/BvvbKQeVEydbj92T7b/24hhweW7ODPo2WhpswI1XHWJnspUKP5triFZni6kkrQajJQ5Rb5Ds228qnziU6sIXHkck8kH2fyxekW2WeXwoVQDcMYiPZ+6L0j4aU1ro=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 879c6fc4-527c-471d-13c1-08da2e13d0a2
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2022 21:19:46.5260 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1349
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Clv2rrhfTbHYZjd5L8N-JXlkgQE>
Subject: [IPsec] AD Review of draft-ietf-ipsecme-iptfs-12
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 21:19:54 -0000
Hi! I performed an AD review of draft-ietf-ipsecme-iptfs-12. Thank you for this work and the patience of the WG in getting it processed. I have a number of comments below, but the document is in good shape so please process them concurrently with the IETF LC feedback. ** Thank you for getting an early TSVART review and addressing that feedback given congestion control issues this work raises ** Section 1. Editorial. OLD While directly obscuring the data with encryption [RFC4303], the traffic pattern itself exposes information due to variations in its shape and timing NEW While directly obscuring the data with encryption [RFC4303], the patterns in the message traffic may exposes information due to variations in its shape and timing. ** Section 2.1. Typo. s/the the/the/ ** Section 2.4.2.1. Enabling circuit breakers is also a reason a user may wish to enable congestion information reports ... Consider if s/a user may wish to/local policy may/ to generalize who is doing the tuning. There are a few other places were "user" is the noun tuning the stack. ** Section 3. Thus, to support congestion control the receiver must have a paired SA back to the sender Should the be a "MUST" (i.e., s/receiver must have/received MUST have)? ** Section 3. If the SA back to the sender is a non-AGGFRAG_PAYLOAD enabled SA then an AGGFRAG_PAYLOAD empty payload (i.e., header only) is used to convey the information. I'm missing something -- if the SA is not AGGFRAG_PAYLOAD-enabled, what how can it send anything AGGFRAG related? ** Section 4. All IP-TFS specific configuration should be specified at the unidirectional tunnel ingress (sending) side Should is used here. Not in the normative sense. What would be the alternative to specifying the unidirectional tunnels on the sending side? ** Section 4.1. For non-congestion controlled mode, the bandwidth SHOULD be configured. What would it mean for this not be configured? That the end-point set a packet size and rate? ** Section 4.3. Is this a generic statement that how congestion control is done is a local configuration option, or is this a Boolean configuration of use congestion control or not (aka, Section 6.1.1 vs. 6.1.2.?) ** Section 5.1. If any requirement flags are not understood or cannot be supported by the receiver then the receiver SHOULD NOT enable use of AGGFRAG_PAYLOAD Is the WG sure that this shouldn't be MUST NOT? What's the user case where you want to continue? ** Section 6.1.4. Typo. s/it's USE_AGGFRAG/its USE_AGGFRAG/ ** Section 7.1. Why the reference to RFC7120? Since this registry is going to be "Expert Review", this document doesn't apply. ** Section 7.1. To double check, there is no more guidance to provide to the expert reviewer? ** Section 8. Editorial. This document describes an aggregation and fragmentation mechanism and it use to add TFC to IP traffic. The use described is expected to increase the security of the traffic being transported. The first sentence doesn't parse and I recommend more precision on the second. Perhaps: NEW This document describes an aggregation and fragmentation mechanism to efficiently implement TFC for IP traffic. This approach is expected to reduce the efficacy of traffic analysis on IPSec communication. ** Section 8. Editorial. s/As noted in (Section 3.1)/As noted in Section 3.1,/ ** Section 8. As noted previously in Section 2.4.2, for TFC to be fully maintained ... What does it mean to for TFC to be "fully maintained"? Regards, Roman
- [IPsec] AD Review of draft-ietf-ipsecme-iptfs-12 Roman Danyliw
- Re: [IPsec] AD Review of draft-ietf-ipsecme-iptfs… Roman Danyliw
- Re: [IPsec] AD Review of draft-ietf-ipsecme-iptfs… Christian Hopps