[IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

<Pasi.Eronen@nokia.com> Thu, 17 September 2009 13:04 UTC

Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A25E73A6A00 for <ipsec@core3.amsl.com>; Thu, 17 Sep 2009 06:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.409
X-Spam-Level:
X-Spam-Status: No, score=-6.409 tagged_above=-999 required=5 tests=[AWL=0.190, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRp76s1QDbV4 for <ipsec@core3.amsl.com>; Thu, 17 Sep 2009 06:04:27 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 6F7E23A689F for <ipsec@ietf.org>; Thu, 17 Sep 2009 06:04:27 -0700 (PDT)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id n8HD4q5V002126 for <ipsec@ietf.org>; Thu, 17 Sep 2009 16:05:09 +0300
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 16:05:14 +0300
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 16:05:13 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 16:05:09 +0300
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Thu, 17 Sep 2009 15:05:06 +0200
From: Pasi.Eronen@nokia.com
To: ipsec@ietf.org
Date: Thu, 17 Sep 2009 15:05:04 +0200
Thread-Topic: AD review comments for draft-ietf-ipsecme-traffic-visibility
Thread-Index: Aco3l3kkjbL+0N0PT/mqG6eTSIFVVA==
Message-ID: <808FD6E27AD4884E94820BC333B2DB773C06B22D72@NOK-EUMSG-01.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Sep 2009 13:05:09.0525 (UTC) FILETIME=[7C1B8C50:01CA3797]
X-Nokia-AV: Clean
Subject: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2009 13:04:28 -0000

I've now done my AD review for draft-ietf-ipsecme-traffic-visibility-08.  
I have two substantive comments, and a bunch of minor clarifications/nits.  
The substantive comments first:

- A question: did the WG discuss the pros and cons of integrity
protecting the WESP header? (This does make WESP more complex to
implement, and currently the WESP header does not contain any data
that would benefit from integrity protection in any way.)

- IPv6 requires extension headers to be aligned on 8-octet boundaries,
and I believe this requirement applies to ESP, too (see e.g. RFC 4303
Section 2.3, 2nd paragraph). All current ESP specs (all encryption
algorithms, UDP encapsulation, etc.) meet the 8-octet alignment
requirement -- but adding a new four-octet header there obviously
breaks it.
 
Some minor clarifications/editorial nits:

- The text currently uses "using ESP-NULL [RFC2410]" and "unencrypted"
as synonyms. This was accurate before RFC4543, but is not any more.
This needs some clarifying text somewhere (perhaps Section 1).

- Section 1 needs a sentence or two motivating the existence of the
"E" bit -- currently it comes as a surprise to the reader later.

- Section 2/2.1: In Figures 1, 2, and 3, the bit numbers should be 
shifted one character to the right.

- Section 2: In some parts of the text, the last 8 bits of the WESP
header are called "Flags"; in other parts, the last 5 bits are called
"Flags". I'd suggest changing e.g. Figure 2 so that last 5 bits are
called "Rsvd" or something.

- Section 2: "The bits are defined LSB first, so bit 0 would be the
least significant bit of the flags octet." This doesn't match the bit
numbering in Figure 2 (where bit 0 is the most significant bit).
However, the bit numbers are not really used anywhere, so I would just
suggest deleting this sentence.

- Section 2: It would be helpful if the text explicitly said that
HdrLen values less than 12 are invalid (and probably HdrLen values
that are not multiple of 4 are invalid, and multiple of 8 for IPv6
case).

- Section 2: the text about TrailerLen is a bit unclearly written --
the offset from the end of the packet to the last byte of the payload
would be a negative number. I'd suggest phrasing this something like
the "The number of bytes following the payload data in the packet, in
octets: i.e. the total length of TFC Padding (normally not present for
unencrypted packets), ESP Trailer (Padding, Pad Length, Next Header),
and ESP ICV."

- Section 2: "the packet must be dropped" -> "the packet MUST be dropped"

- The figures in 2.2.1 and 2.2.2 are very confusing, since they
suggest WESP could be applied as a separate step after ESP processing
(that was possible in some earlier versions of the draft, but not any
more since ICV covers the WESP header). Since they don't really
present much new compared to the figures in RFC 4303 Section
3.1.1/3.1.2, perhaps they could be omitted? Or if we want to keep
them, they probably should show the packet before applying ESP?

- Section 3: s/IPSec/IPsec/

- Section 4: this section is missing the allocation of SPI value 2 
to indicate WESP from the "SPI Values" registry.

- Section 4 should say that for the WESP Version Number, the
unassigned values are 1, 2, and 3.

- Section 6: [RFC4306], [RFC3948], and [RFC5226] should be normative
references, not informative.

Best regards,
Pasi