[secdir] secdir review of draft-ietf-lwig-minimal-esp-03
David Mandelberg <david@mandelberg.org> Sat, 27 March 2021 21:38 UTC
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A5CE3A158B for <secdir@ietfa.amsl.com>; Sat, 27 Mar 2021 14:38:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mandelberg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cI-feRN7Fhk for <secdir@ietfa.amsl.com>; Sat, 27 Mar 2021 14:38:51 -0700 (PDT)
Received: from mail-pl1-x664.google.com (mail-pl1-x664.google.com [IPv6:2607:f8b0:4864:20::664]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B92A3A1589 for <secdir@ietf.org>; Sat, 27 Mar 2021 14:38:51 -0700 (PDT)
Received: by mail-pl1-x664.google.com with SMTP id l1so2585678plg.12 for <secdir@ietf.org>; Sat, 27 Mar 2021 14:38:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:to:from:subject:message-id:date :user-agent:mime-version:content-language:content-transfer-encoding; bh=DoTQVmOb1rJCZvvA/sC5aphYcVIV1Ube14FEahjzcIo=; b=PaBDzUN6dStJpi+5theNV+HxPBIw0nAlQMJAlKOJ+rj8H0bNPsyyCxDDOvHNUPF03e Z0zZiV96ie9q89Uqx8dbLDmW/67SP7lQUeOdk0BnCNMOSVQil5F+DPU+SoNR29lARag1 dTOXxDuWmt0BsE76ay1s5UKAO4WWQ4ktGpdDECQp6p02ha8uGCFwEX+U6+flGePaXQey MZX1/AgicBzBtKRkGLVXLlMeIwnQJ6TnI5MFib/oJQWEx3mTxsgm62DNF8qAF4Ud+jBO JSTQM1RuOd40g5Oujcshix5u5IfzMIKO4+U+JVcXbiXMgtiKbGY7y/Uqo2qlqxSY0CKV vH2w==
X-Gm-Message-State: AOAM533j/tJ0W3vkMdlrC4oCcQvDxM6T/kGSzyHdBvwLWUAFOMqEXyM3 VVh28EBehT0IuZm7eobOT39pCnonuUO66m10BOmhj9fkI4i22g==
X-Google-Smtp-Source: ABdhPJzWlmwI7pn/Scxi5I61GzWx8TVW45j0k/dAg1PkmlbTr8Vg1TztQokHAbRBohzpPgFXpwK9hrWr6iFI
X-Received: by 2002:a17:902:968d:b029:e6:faf5:8d0f with SMTP id n13-20020a170902968db02900e6faf58d0fmr20834097plp.71.1616881129198; Sat, 27 Mar 2021 14:38:49 -0700 (PDT)
Received: from uriel.mandelberg.org (pool-74-104-157-60.bstnma.fios.verizon.net. [74.104.157.60]) by smtp-relay.gmail.com with ESMTPS id k89sm4494519pjc.16.2021.03.27.14.38.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 27 Mar 2021 14:38:49 -0700 (PDT)
X-Relaying-Domain: mandelberg.org
Received: from [10.0.2.211] (sakaar.virgo.mandelberg.org [10.0.2.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 617821C6034; Sat, 27 Mar 2021 17:38:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mandelberg.org; s=202103; t=1616881127; bh=kYwcgN4FpEUKP4wu9WuJ03j7My/ulpv05+BmfkHWjd4=; h=To:From:Subject:Date:From; b=kAgAj/vwG0dKYAM4gUeQp9WeP2MPOHAGiTC35O/EwEQWeFlv4U0vTKkLAA87Urs01 7M4oV+xJ9py55+1yhuKdYLJ7+JgDR65vAlu+flFV+jEqUtp8XAoe6oZICEQejBqGNk 7BP9xlaWXs/eNZcBq4tZAbKQE7X78Jmq6dKv18LKVRS/UioSmeePOrgSDhAb97ol1F a66jmk96O5EUuWmeZPhchePAiRNSAbnMGjasw1Dz173xmNtP+ej0wWrUdEhNrVr7pt Tj4mJviXW5Ka7JxKk1R0GzUNisx2XeXuTDdFxQZxog9Fp87+as75TKHeAKWNsQL+7V bC5zXIupRElpw==
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-lwig-minimal-esp.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <91f5ebd2-b24f-ca04-eba0-60d0c9b6f401@mandelberg.org>
Date: Sat, 27 Mar 2021 17:38:45 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/M6QhEkrfXztmvCaUxzY3I0_Gv2o>
Subject: [secdir] secdir review of draft-ietf-lwig-minimal-esp-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Mar 2021 21:38:57 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready with nits. (Section 3, nit) In the paragraph that includes "However, nonrandom SPI and restricting their possible values MAY lead to privacy and security concerns" , it would be nice to add something like "(see below for more details)". When I first read that paragraph, I was about to comment that it's unclear what the privacy/security concerns are, but then it was explained a few paragraphs below. (Section 4) Am I understanding correctly, that the last paragraph is giving the option of resetting the Sequence Number when rekeying? Does IPSec try to prevent eavesdroppers from determining when rekeying happens? (I really don't know that much about IPSec.) If it does, then resetting the SN could leak that information, if not then there's nothing to leak.
- [secdir] secdir review of draft-ietf-lwig-minimal… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-lwig-min… Daniel Migault
- Re: [secdir] secdir review of draft-ietf-lwig-min… David Mandelberg