Last Call Review of draft-ietf-detnet-ip-05
review-ietf-detnet-ip-05-secdir-lc-kivinen-2020-03-12-00

Request: Review of draft-ietf-detnet-ip
Requested revision: No specific revision (document currently at 07)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2020-03-13
Requested: 2020-02-28
Authors: Balazs Varga, János Farkas, Lou Berger, Don Fedyk, Stewart Bryant
I-D last updated: 2020-03-12
Completed reviews:
  Rtgdir Last Call review of -04 by Stig Venaas (diff)
  Tsvart Last Call review of -05 by Bob Briscoe (diff)
  Genart Last Call review of -05 by Roni Even (diff)
  Secdir Last Call review of -05 by Tero Kivinen (diff)
Assignment: Reviewer Tero Kivinen
State: Completed
Request: Last Call review on draft-ietf-detnet-ip by Security Area Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/PwXfz0acxTs5B-HRhietET_ZSek
Reviewed revision: 05 (document currently at 07)
Result: Has nits
Completed: 2020-03-12
In section 1 there is text saying:

   The DetNet Architecture models the DetNet related data plane
   functions as two sub-layers: functions into two sub-layers: a service
   sub-layer and a forwarding sub-layer.

I think the second of the two "functions as/into two sub-layers" instances
should be removed.

In section 5.1.2.2 it says that the SPI field of the ESP and AH is used, but in
case IPsec is configured to use UDP encapsulation (RFC 3948, i.e., UDP
destination port is 4500) there is a different location for the SPI. Should this
document also dig the SPI out from the UDP encapsulated ESP/AH? There is also
wrapped ESP (RFC 5840) with a bit different format, i.e., having the wrapped ESP
header before the normal ESP header. Should this be included also?

In section 6, I would think it would be useful to have wildcard SPI matching
too, i.e., match all ESP/AH traffic between two hosts regardless of SPI.

Note that the standard procedure to support QoS in IPsec is to create multiple SAs
between hosts with identical addresses, but different SPIs, where each flow
has traffic related to one QoS level inside, but there might not be any way for
an external user to know which SPI matches which QoS level. So there is
definitely a need to have exact match SPI, but the problem is that DetNet might not
have any visibility into which SPI matches which QoS level.
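To make the two points above concrete (the SPI sitting at different offsets depending on whether the packet is plain ESP/AH, UDP-encapsulated ESP per RFC 3948, or wrapped ESP per RFC 5840, and the usefulness of a wildcard-SPI flow rule between two hosts), here is an added illustration, not part of the review or of the DetNet draft. It parses constructed IPv4 packets, extracts the SPI from each encapsulation, and matches the result against exact and wildcard flow rules. The header offsets for ESP, AH and UDP encapsulation follow the RFCs named in the review; the treatment of the WESP P (padding) flag as bit 0x10 of the Flags octet is an assumption of this example, as are all packet contents.

```python
"""Extract the IPsec flow key (addresses, protocol, SPI) from raw IPv4 packets.

Header layouts used here (constructed test data only):
  ESP  (proto 50):  SPI is the first 4 octets of the ESP header (RFC 4303).
  AH   (proto 51):  SPI is at octet offset 4 of the AH header (RFC 4302).
  UDP port 4500 (RFC 3948): ESP header follows the UDP header; 4 zero octets
        are the non-ESP marker (IKE), a single 0xFF octet is a NAT keepalive.
  WESP (proto 141, RFC 5840): 4-octet header (Next Header, HdrLen, TrailerLen,
        Flags) precedes the ESP header. ASSUMPTION of this example: the P flag
        (0x10 in Flags) adds 4 octets of padding before the ESP header.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP, PROTO_AH, PROTO_WESP = 17, 50, 51, 141
NAT_T_PORT = 4500
WESP_FLAG_PADDING = 0x10  # assumed position of the P bit


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: int           # outer IP protocol number
    spi: Optional[int]   # None when the packet carries no SPI
    encap: str           # esp | ah | udp-esp | wesp | ike | keepalive | other


def parse_ipv4(pkt: bytes) -> FlowKey:
    """Locate the SPI for each encapsulation the review asks about."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if proto == PROTO_ESP:
        return FlowKey(src, dst, proto, struct.unpack("!I", body[:4])[0], "esp")
    if proto == PROTO_AH:
        return FlowKey(src, dst, proto, struct.unpack("!I", body[4:8])[0], "ah")
    if proto == PROTO_WESP:
        esp_off = 4 + (4 if body[3] & WESP_FLAG_PADDING else 0)
        spi = struct.unpack("!I", body[esp_off:esp_off + 4])[0]
        return FlowKey(src, dst, proto, spi, "wesp")
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        if NAT_T_PORT in (sport, dport):
            payload = body[8:]
            if len(payload) == 1 and payload[0] == 0xFF:
                return FlowKey(src, dst, proto, None, "keepalive")
            if payload[:4] == b"\x00\x00\x00\x00":
                return FlowKey(src, dst, proto, None, "ike")
            return FlowKey(src, dst, proto, struct.unpack("!I", payload[:4])[0], "udp-esp")
    return FlowKey(src, dst, proto, None, "other")


@dataclass(frozen=True)
class FlowRule:
    """Host pair plus either an exact SPI or a wildcard (spi=None)."""
    src: str
    dst: str
    spi: Optional[int] = None

    def matches(self, key: FlowKey) -> bool:
        if key.spi is None or (key.src, key.dst) != (self.src, self.dst):
            return False
        return self.spi is None or self.spi == key.spi


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp4500(payload: bytes) -> bytes:
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(payload), 0) + payload


A, B = "10.0.0.1", "10.0.0.2"
ESP_HDR = struct.pack("!II", 0x1000, 1) + b"\x00" * 16          # SPI, seq, dummy data
SAMPLES = {  # constructed packets, not captured traffic
    "esp": build_ipv4(A, B, PROTO_ESP, ESP_HDR),
    "ah": build_ipv4(A, B, PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x2000, 1) + b"\x00" * 12),
    "udp_esp": build_ipv4(A, B, PROTO_UDP, udp4500(struct.pack("!II", 0x3000, 1) + b"\x00" * 8)),
    "ike": build_ipv4(A, B, PROTO_UDP, udp4500(b"\x00\x00\x00\x00" + b"\x00" * 28)),
    "keepalive": build_ipv4(A, B, PROTO_UDP, udp4500(b"\xff")),
    "wesp": build_ipv4(A, B, PROTO_WESP, bytes([4, 12, 0, 0x00]) + struct.pack("!II", 0x4000, 1)),
    "wesp_pad": build_ipv4(A, B, PROTO_WESP, bytes([4, 16, 0, 0x10]) + b"\x00" * 4
                           + struct.pack("!II", 0x5000, 1)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {parse_ipv4(pkt)}")
```

The wildcard rule `FlowRule(A, B)` accepts every ESP/AH/WESP packet between the two hosts regardless of SPI, which is the section 6 behaviour the review asks for; the IKE and keepalive packets on port 4500 carry no SPI and are deliberately not matched, so a DetNet classifier that only looked at the destination port would misclassify them.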