[secdir] sec-dir review of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
Derek Atkins <derek@ihtfp.com> Sat, 19 September 2009 23:07 UTC
To: iesg@ietf.org, secdir@ietf.org
From: Derek Atkins <derek@ihtfp.com>
Date: Sat, 19 Sep 2009 19:07:47 -0400
Message-ID: <sjmy6oaleik.fsf@pgpdev.ihtfp.org>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: rohc-chairs@tools.ietf.org, christou_chris@bah.com, cabo@tzi.org, ertekin_emre@bah.com
Subject: [secdir] sec-dir review of draft-ietf-rohc-ipsec-extensions-hcoipsec-05
List-Id: Security Area Directorate <secdir.ietf.org>
Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Integrating Robust Header Compression (ROHC) with IPsec (ROHCoIPsec) offers the combined benefits of IP security services and efficient bandwidth utilization. However, in order to integrate ROHC with IPsec, extensions to the SPD and SAD are required. This document describes the IPsec extensions required to support ROHCoIPsec.

While not a security issue, I believe that you should include the expansion of ROHC in the Abstract.

I believe the security considerations section adequately provides guidance for the pitfalls of poor algorithm choice and known traffic analysis attacks.

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant