[secdir] Secdir last call review of draft-ietf-detnet-ip-05

Tero Kivinen via Datatracker <noreply@ietf.org> Fri, 13 March 2020 01:15 UTC

To: secdir@ietf.org
Cc: draft-ietf-detnet-ip.all@ietf.org, last-call@ietf.org, detnet@ietf.org
Reply-To: Tero Kivinen <kivinen@iki.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PwXfz0acxTs5B-HRhietET_ZSek>

Reviewer: Tero Kivinen
Review result: Has Nits

In section 1 there is text saying:

   The DetNet Architecture models the DetNet related data plane
   functions as two sub-layers: functions into two sub-layers: a service
   sub-layer and a forwarding sub-layer.

I think the second of the two "functions as/into two sub-layers" instances
should be removed.

In section 5.1.2.2 it says that the SPI field of ESP and AH is used, but if
IPsec is configured to use UDP encapsulation (RFC 3948, i.e., UDP destination
port 4500) the SPI is in a different location. Should this document also dig
the SPI out of UDP-encapsulated ESP/AH? There is also Wrapped ESP (RFC 5840)
with a slightly different format, i.e., a wrapped ESP header before the normal
ESP header. Should this be included as well?

In section 6, I would think it would be useful to have wildcard SPI matching
too, i.e., to match all ESP/AH traffic between two hosts regardless of SPI.

Note that the standard procedure to support QoS in IPsec is to create multiple
SAs between hosts with identical addresses but different SPIs, where each flow
carries traffic related to one QoS level, but there might not be any way for an
external user to know which SPI matches which QoS level. So there is definitely
a need for exact-match SPI, but the problem is that DetNet might not have any
visibility into which SPI matches which QoS level.
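An added illustration (not part of this review or of the draft) of the two points above: a flow-identification routine that locates the SPI for plain ESP, AH, Wrapped ESP (RFC 5840, protocol 141) and UDP-encapsulated ESP (RFC 3948, port 4500, skipping IKE's non-ESP marker and NAT keepalives), plus a rule matcher where `spi=None` is the wildcard the review asks for. Packets, addresses and SPIs are constructed sample data; the rule format is assumed, not taken from the draft.

```python
import struct
from ipaddress import IPv4Address

ESP, AH, WESP, UDP = 50, 51, 141, 17   # IANA protocol numbers
NAT_T_PORT = 4500                      # RFC 3948 UDP encapsulation port

def ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="198.51.100.2") -> bytes:
    """Build a minimal IPv4 packet (constructed sample data, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def extract_spi(pkt: bytes):
    """Return (src, dst, kind, spi) for an IPsec-bearing IPv4 packet, else None."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    body = pkt[ihl:]
    if proto == ESP:                  # RFC 4303: SPI is the first 4 octets
        return src, dst, "esp", struct.unpack("!I", body[:4])[0]
    if proto == AH:                   # RFC 4302: next hdr, len, reserved, then SPI
        return src, dst, "ah", struct.unpack("!I", body[4:8])[0]
    if proto == WESP:                 # RFC 5840: 4-octet WESP header precedes ESP
        return src, dst, "wesp", struct.unpack("!I", body[4:8])[0]
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        if NAT_T_PORT not in (sport, dport):
            return None
        if payload == b"\xff":        # NAT keepalive: single 0xFF octet
            return None
        if payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker: IKE, no SPI
            return None
        return src, dst, "udp-esp", struct.unpack("!I", payload[:4])[0]
    return None

def matches(pkt: bytes, rule: dict) -> bool:
    """Assumed rule shape {src, dst, spi}; spi=None matches any SPI between the hosts."""
    flow = extract_spi(pkt)
    if flow is None:
        return False
    src, dst, _, spi = flow
    return str(src) == rule["src"] and str(dst) == rule["dst"] and rule["spi"] in (None, spi)

# Constructed sample packets, one per encapsulation the review mentions.
SAMPLES = {
    "esp": ipv4(ESP, struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 16),
    "ah": ipv4(AH, struct.pack("!BBHII", ESP, 4, 0, 0x2000ABCD, 1) + b"\x00" * 12),
    "wesp": ipv4(WESP, bytes([ESP, 8, 0, 0]) + struct.pack("!II", 0x3000ABCD, 1)),
    "udp-esp": ipv4(UDP, struct.pack("!HHHH", 4500, 4500, 20, 0) + struct.pack("!III", 0x4000ABCD, 1, 0)),
    "ike": ipv4(UDP, struct.pack("!HHHH", 4500, 4500, 16, 0) + b"\x00" * 4 + b"\x21\x22\x23\x24"),
}
```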