Last Call Review of draft-ietf-detnet-ip-05
review-ietf-detnet-ip-05-secdir-lc-kivinen-2020-03-12-00

Request Review of draft-ietf-detnet-ip
Requested rev. no specific revision (document currently at 07)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-03-13
Requested 2020-02-28
Authors Balazs Varga, János Farkas, Lou Berger, Don Fedyk, Stewart Bryant
Draft last updated 2020-03-12
Completed reviews Rtgdir Last Call review of -04 by Stig Venaas
Tsvart Last Call review of -05 by Bob Briscoe
Genart Last Call review of -05 by Roni Even
Secdir Last Call review of -05 by Tero Kivinen
Assignment Reviewer Tero Kivinen 
State Completed
Review review-ietf-detnet-ip-05-secdir-lc-kivinen-2020-03-12
Posted at https://mailarchive.ietf.org/arch/msg/secdir/PwXfz0acxTs5B-HRhietET_ZSek
Reviewed rev. 05 (document currently at 07)
Review result Has Nits
Review completed: 2020-03-12

Review
review-ietf-detnet-ip-05-secdir-lc-kivinen-2020-03-12

In section 1 there is text saying:

   The DetNet Architecture models the DetNet related data plane
   functions as two sub-layers: functions into two sub-layers: a service
   sub-layer and a forwarding sub-layer. 

I think the second one of the "functions as/into two sub-layers" instances should be removed.

In section 5.1.2.2 it says that the SPI field of the ESP and AH is used, but in case IPsec is configured to use UDP encapsulation (RFC 3948, i.e., UDP destination port is 4500) there is a different location for the SPI. Should this document also dig the SPI out from the UDP-encapsulated ESP/AH? There is also wrapped ESP (RFC 5840) with a bit different format, i.e., having a wrapped ESP header before the normal ESP header. Should this be included also?

In section 6, I would think it would be useful to have wildcard SPI matching too, i.e., match all ESP/AH traffic between two hosts regardless of SPI.

Note that the standard procedure to support QoS in IPsec is to create multiple SAs between hosts with identical addresses but different SPIs, where each flow has traffic related to one QoS level inside, but there might not be any way for an external user to know which SPI matches which QoS level. So there is definitely a need to have exact-match SPI, but the problem is that DetNet might not have any visibility of which SPI matches which QoS level.
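The following is an added illustration by the editor of this page, not part of the review above, the draft, or any DetNet implementation. It shows where the SPI sits in each encapsulation the review raises (plain ESP and AH, RFC 3948 UDP encapsulation on port 4500 with its non-ESP marker and NAT-keepalive cases, and RFC 5840 WESP with its 4-octet header in front of ESP), and how a flow table that allows either an exact SPI or a wildcard SPI would classify the result. The header layouts follow RFC 4302, RFC 4303, RFC 3948 and RFC 5840; everything else (the FlowRule shape, the sample addresses in the RFC 5737 range, the SPI values, the rule names) is constructed for the example and is not the draft's flow-identification encoding. UDP-encapsulated WESP is not handled.

```python
"""Locate the SPI in an IPv4 packet across ESP, AH, UDP-encapsulated ESP and WESP,
then classify it against flow rules that may pin the SPI or wildcard it."""
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH, IPPROTO_WESP = 17, 50, 51, 141
NAT_T_PORT = 4500  # RFC 3948 UDP encapsulation port


class IPsecFlow(NamedTuple):
    src: str
    dst: str
    proto: int  # 50 (ESP) or 51 (AH) once any UDP/WESP wrapping is removed
    spi: int


class FlowRule(NamedTuple):
    name: str
    src: str
    dst: str
    proto: int
    spi: Optional[int]  # None = wildcard: any SA between these two hosts


def extract_spi(pkt: bytes) -> Optional[IPsecFlow]:
    """Return the IPsec flow identity of an IPv4 packet, or None if it carries no SPI."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:  # RFC 4303: SPI is the first 32-bit word
        return IPsecFlow(src, dst, proto, struct.unpack("!I", body[:4])[0])
    if proto == IPPROTO_AH:  # RFC 4302: Next Header, Payload Len, Reserved, then SPI
        return IPsecFlow(src, dst, proto, struct.unpack("!I", body[4:8])[0])
    if proto == IPPROTO_WESP:  # RFC 5840: 4-octet WESP header precedes the ESP header
        flags = body[3]
        off = 4 + (4 if flags & 0x10 else 0)  # P flag: 4 octets of padding follow
        return IPsecFlow(src, dst, IPPROTO_ESP, struct.unpack("!I", body[off:off + 4])[0])
    if proto == IPPROTO_UDP:
        dport = struct.unpack("!H", body[2:4])[0]
        payload = body[8:]
        if dport != NAT_T_PORT:
            return None
        if payload == b"\xff":  # RFC 3948 NAT-keepalive: one octet, no SPI
            return None
        if payload[:4] == b"\x00\x00\x00\x00":  # non-ESP marker: IKE, not ESP
            return None
        # RFC 3948 encapsulates ESP only; the ESP header follows the UDP header
        return IPsecFlow(src, dst, IPPROTO_ESP, struct.unpack("!I", payload[:4])[0])
    return None


def match_rule(flow: IPsecFlow, rules: List[FlowRule]) -> Optional[str]:
    """Exact-SPI rules take precedence over wildcard rules for the same host pair."""
    for want_exact in (True, False):
        for r in rules:
            if (r.spi is not None) != want_exact:
                continue
            if (r.src, r.dst, r.proto) == (flow.src, flow.dst, flow.proto) and r.spi in (None, flow.spi):
                return r.name
    return None


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left 0; irrelevant to SPI extraction)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def udp(dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", NAT_T_PORT, dport, 8 + len(payload), 0) + payload


def esp_hdr(spi: int) -> bytes:
    return struct.pack("!II", spi, 1) + b"\x00" * 16  # SPI, sequence, opaque payload


A, B = "192.0.2.1", "192.0.2.2"  # constructed sample hosts
SAMPLES: Dict[str, bytes] = {  # constructed packets, one per encapsulation
    "esp": ipv4(IPPROTO_ESP, A, B, esp_hdr(0x10000001)),
    "ah": ipv4(IPPROTO_AH, A, B, struct.pack("!BBHII", 4, 4, 0, 0x20000002, 1) + b"\x00" * 12),
    "udp_esp": ipv4(IPPROTO_UDP, A, B, udp(NAT_T_PORT, esp_hdr(0x30000003))),
    "udp_ike": ipv4(IPPROTO_UDP, A, B, udp(NAT_T_PORT, b"\x00" * 4 + b"\x11" * 28)),
    "udp_keepalive": ipv4(IPPROTO_UDP, A, B, udp(NAT_T_PORT, b"\xff")),
    "wesp": ipv4(IPPROTO_WESP, A, B, bytes([0, 0, 0, 0x20]) + esp_hdr(0x40000004)),
    "wesp_pad": ipv4(IPPROTO_WESP, A, B, bytes([0, 0, 0, 0x30]) + b"\x00" * 4 + esp_hdr(0x50000005)),
}
RULES = [  # hypothetical flow table: one wildcard rule and one exact-SPI rule
    FlowRule("A->B any SA", A, B, IPPROTO_ESP, None),
    FlowRule("A->B voice SA", A, B, IPPROTO_ESP, 0x30000003),
]


def classify(name: str) -> Optional[str]:
    flow = extract_spi(SAMPLES[name])
    return match_rule(flow, RULES) if flow else None


if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n:14s} {extract_spi(SAMPLES[n])} -> {classify(n)}")
```

The classifier orders exact-SPI rules ahead of wildcard rules, which is what makes the review's two points coexist: a wildcard rule catches every SA between a host pair, while an operator who does learn which SPI carries which QoS level can still pin that one SA to a different DetNet flow.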