[secdir] sec-dir review of draft-ietf-rohc-ipsec-extensions-hcoipsec-05

Derek Atkins <derek@ihtfp.com> Sat, 19 September 2009 23:07 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 08E373A67DD; Sat, 19 Sep 2009 16:07:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pq7mr472WaMl; Sat, 19 Sep 2009 16:06:59 -0700 (PDT)
Received: from mail.ihtfp.org (MAIL.IHTFP.ORG [204.107.200.6]) by core3.amsl.com (Postfix) with ESMTP id CA0DC3A6993; Sat, 19 Sep 2009 16:06:59 -0700 (PDT)
Received: from pgpdev.ihtfp.org (unknown [69.7.239.235]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail.ihtfp.org (Postfix) with ESMTP id F37A18B4005; Sat, 19 Sep 2009 19:07:52 -0400 (EDT)
Received: (from warlord@localhost) by pgpdev.ihtfp.org (8.14.3/8.14.2/Submit) id n8JN7mZ6029939; Sat, 19 Sep 2009 19:07:48 -0400
To: iesg@ietf.org, secdir@ietf.org
From: Derek Atkins <derek@ihtfp.com>
Date: Sat, 19 Sep 2009 19:07:47 -0400
Message-ID: <sjmy6oaleik.fsf@pgpdev.ihtfp.org>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: rohc-chairs@tools.ietf.org, christou_chris@bah.com, cabo@tzi.org, ertekin_emre@bah.com
Subject: [secdir] sec-dir review of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2009 23:07:01 -0000

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

   Integrating Robust Header Compression (ROHC) with IPsec
   (ROHCoIPsec) offers the combined benefits of IP security services
   and efficient bandwidth utilization.  However, in order to
   integrate ROHC with IPsec, extensions to the SPD and SAD are
   required.  This document describes the IPsec extensions required to
   support ROHCoIPsec.

While not a security issue, I believe that you should include the
expansion of ROHC in the Abstract.

I believe the security considerations section adequately provide
guidance for the pitfalls of poor algorithm choice and known traffic
analysis attacks.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant