Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
draft-ietf-ipsecme-aes-ctr-ikev2-07

[Ballot discuss]
As I read the document, this fills a hole created by RFC 4307: implementations SHOULD support
AES-CTR for IKEv2, but no specification exists.  The document does not really provide any
justification for why other than the fact that 4307 includes this SHOULD.  After some discussion,
it appears that revising 4307 is a non-starter for a variety of reasons, but no one has identified
a compelling reason to use AES-CTR with IKEv2.

There is also no compelling reason to publish this specification on the standards track.  This is a
case where making this Informational so that it constitutes a downref for standards track
publications would be appropriate.  I strongly believe we should publish this document as an
Informational RFC.

[Ballot discuss]
I don't understand how this document "updates" RFC 4307.
4307 provides a list of algorithms and classifies them as MUST, SHOULD+,
SHOULD, etc.
4307 lists AES-CTR as SHOULD.
AFAICS, this document does not change the status of AES-CTR.

[Ballot comment]
I am still considering whether to make this a comment or a discuss-discuss.  However, I thought I should make my concerns known now regardless.

As I read the document, this fills a hole created by RFC 4307: implementations SHOULD support AES-CTR for IKEv2, but no specification exists.  The document does not really provide any justification for why other than the fact that 4307 includes this SHOULD.  Russ Housley's comment points out that this is not a particularly good fit.  If satisfying 4307 is the *only* reason to specify this mode for IKEv2 perhaps we should just update 4307 to remove the SHOULD.

Can anyone give me a compelling reason to use AES-CTR with IKEv2?

[Ballot comment]
I cannot see the justification for using AES-CTR to protect IKEv2
  traffic.  There is a strong justification for AES-CTR in ESP where
  there are high data rates.  The data rates for IKEv2 traffic ought
  to be quite small, so the performance improvement is not really
  needed.  Also, the use of counter mode requires care to ensure that
  the same counter value is never used more than once under the same
  key.

[Ballot discuss]
This is a fine document, but I have one almost trivial comment:

  [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

Use of this reference looks Normative to me.

IANA comments:

Upon approval of this document, IANA will make the following change in
the "Transform Type 1 - Encryption Algorithm Transform IDs" registry at
http://www.iana.org/assignments/ikev2-parameters

OLD:

Number Name ESP Reference IKEv2 Reference
------ ------------- ------------- ---------------
13 ENCR_AES_CTR [RFC3686]

NEW:

Number Name ESP Reference IKEv2 Reference
------ ------------- ------------- ---------------
13 ENCR_AES_CTR [RFC3686][RFC-ipsecme-aes-ctr-ikev2-07]

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

The document shepherd is Paul Hoffman, co-chair of the ipsecme WG. I have
reviewed it and believe it is ready for publication.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

The document has had a fair amount of review within the ipsecme WG,
including by at least one active developer. I do not have any
concerns about these reviews.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

I have no such concerns. The document lies fully within the ipsecme
WG's area of expertise.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

I have no such concerns. There have been no IPR disclosures.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

The WG consensus was mostly from silence, but there were enough
people who read the document and no disagreement.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

No.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

Yes, I have personally verified that. No formal review criteria are
applicable.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

There are three normative references to non-RFCs: two to
NIST documents, and one to the IKEv2 IANA registry. All are
appropriate.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC5226]. If the
document describes an Expert Review process has Shepherd
conferred with the Responsible Area Director so that the IESG
can appoint the needed Expert during the IESG Evaluation?

The documents requires no IANA actions; it re-states the current
value for the algorithm.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

There are no such sections.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.

This document describes how to use the AES-CTR mode with an explicit
initialization value to protect IKEv2 messages after keys are
established.

Working Group Summary
Was there anything in WG process that is worth noting? For
example, was there controversy about particular points or
were there decisions where the consensus was particularly
rough?

Nothing worth noting: it got a small but adequate amount of
review.

Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type or other expert review,
what was its course (briefly)? In the case of a Media Type
review, on what date was the request posted?

There are already a bunch of implementations based on developers
guessing how to do this; to the best of our knowledge, those
implementations match what is described in this document.