Implicit Initialization Vector (IV) for Counter-Based Ciphers in Encapsulating Security Payload (ESP)
RFC 8750
Document history
Date | Rev. | By | Action |
---|---|---|---|
2020-03-11 | 11 | (System) | Received changes through RFC Editor sync (created alias RFC 8750, changed title to 'Implicit Initialization Vector (IV) for Counter-Based Ciphers in Encapsulating Security Payload (ESP)', changed abstract to 'Encapsulating Security Payload (ESP) sends an initialization vector (IV) in each packet. The size of the IV depends on the applied transform and is usually 8 or 16 octets for the transforms defined at the time this document was written. When used with IPsec, some algorithms, such as AES-GCM, AES-CCM, and ChaCha20-Poly1305, take the IV to generate a nonce that is used as an input parameter for encrypting and decrypting. This IV must be unique but can be predictable. As a result, the value provided in the ESP Sequence Number (SN) can be used instead to generate the nonce. This avoids sending the IV itself and saves 8 octets per packet in the case of AES-GCM, AES-CCM, and ChaCha20-Poly1305. This document describes how to do this.', changed standardization level to Proposed Standard, changed state to RFC, added RFC published event at 2020-03-11, changed IESG state to RFC Published) |
2020-03-11 | 11 | (System) | RFC published |
2020-03-09 | 11 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2020-03-09 | 11 | (System) | RFC Editor state changed to AUTH48 from EDIT |
2020-03-02 | 11 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2020-01-28 | 11 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2019-11-11 | 11 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on Authors |
2019-11-08 | 11 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2019-11-08 | 11 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2019-11-08 | 11 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2019-11-07 | 11 | (System) | RFC Editor state changed to EDIT |
2019-11-07 | 11 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2019-11-07 | 11 | (System) | Announcement was received by RFC Editor |
2019-11-07 | 11 | (System) | IANA Action state changed to In Progress |
2019-11-07 | 11 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2019-11-07 | 11 | Amy Vezza | IESG has approved the document |
2019-11-07 | 11 | Amy Vezza | Closed "Approve" ballot |
2019-11-07 | 11 | Amy Vezza | Ballot approval text was generated |
2019-11-07 | 11 | Alexey Melnikov | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::Point Raised - writeup needed |
2019-10-22 | 11 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-11.txt |
2019-10-22 | 11 | (System) | New version approved |
2019-10-22 | 11 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2019-10-22 | 11 | Daniel Migault | Uploaded new revision |
2019-10-21 | 10 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-10.txt |
2019-10-21 | 10 | (System) | New version approved |
2019-10-21 | 10 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2019-10-21 | 10 | Daniel Migault | Uploaded new revision |
2019-10-18 | 09 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-09.txt |
2019-10-18 | 09 | (System) | New version approved |
2019-10-18 | 09 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2019-10-18 | 09 | Daniel Migault | Uploaded new revision |
2019-10-18 | 08 | Gunter Van de Velde | Assignment of request for Last Call review by OPSDIR to Menachem Dodge was marked no-response |
2019-10-18 | 08 | Gunter Van de Velde | Assignment of request for Last Call review by OPSDIR to Menachem Dodge was marked no-response |
2019-10-17 | 08 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2019-10-17 | 08 | Michelle Cotton | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2019-10-17 | 08 | Martin Vigoureux | [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux |
2019-10-16 | 08 | Éric Vyncke | [Ballot comment] Thank you for addressing the DISCUSS and my COMMENTS. I leave my previous comments here for log purpose == COMMENTS == -- Section 5 -- C.1) "inside the SA Payload" probably worth being a little more descriptive here (for instance, "SA payload in the IKE exchange" ?). Also suggest to use "IKE Initiator Behavior" for the section title. -- Section 8 -- C.2) please use the usual text for IANA considerations (notably asking IANA to register as this is not this document that registers the codes). == NITS == In several places, s/8 byte nonce/8-byte nonce/ |
2019-10-16 | 08 | Éric Vyncke | [Ballot Position Update] Position for Éric Vyncke has been changed to No Objection from Discuss |
2019-10-16 | 08 | Benjamin Kaduk | [Ballot comment] Thanks for addressing my Discuss! A few new comments on the -08: Abstract If we're going to differentiate between nonce and IV, I think that the algorithms require a unique but not necessarily unpredictable *nonce*, rather than *IV*. Section 2 nit: s/Initialize/Initialization/ nit: s/similar mechanism/similar mechanisms/ plural Section 7 My previous ballot was trying to note that the sender/receiver counters MUST be reset (as noted here) even without this document, as part of the core ESP requirements. So we don't need to use the "MUST" here as if it's a new requirement; we can just say that this behavior is already present due to the preexisting requirements |
2019-10-16 | 08 | Benjamin Kaduk | [Ballot Position Update] Position for Benjamin Kaduk has been changed to No Objection from Discuss |
2019-10-16 | 08 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2019-10-16 | 08 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-08.txt |
2019-10-16 | 08 | (System) | New version accepted (logged-in submitter: Daniel Migault) |
2019-10-16 | 08 | Daniel Migault | Uploaded new revision |
2019-10-16 | 07 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2019-10-15 | 07 | Adam Roach | [Ballot comment] Thanks for the work on this mechanism. I have no substantive comments beyond those that have already been shared, although I do have some minor editorial comments. --------------------------------------------------------------------------- §2: > In some context, such as IoT, it may be preferable to avoid carrying Nit: "...some contexts..." --------------------------------------------------------------------------- §5: > An initiator supporting this feature SHOULD propose implicit IV > algorithms in the Transform Type 1 (Encryption Algorithm) > Substructure of the Proposal Substructure inside the SA Payload. Please expand "SA" on first use. --------------------------------------------------------------------------- > 7. Security Consideration Nit: "Considerations" --------------------------------------------------------------------------- §7: > extensions ([RFC6311], [RFC7383]) do allow it to repeat, so there is > no an easy way to derive unique IV from IKEv2 header fields. Nit: "...not an easy way..." |
2019-10-15 | 07 | Adam Roach | [Ballot Position Update] New position, Yes, has been recorded for Adam Roach |
2019-10-15 | 07 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2019-10-15 | 07 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2019-10-15 | 07 | Ignas Bagdonas | [Ballot Position Update] New position, No Objection, has been recorded for Ignas Bagdonas |
2019-10-15 | 07 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2019-10-15 | 07 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund |
2019-10-15 | 07 | Warren Kumari | [Ballot comment] I'll trust the Security ADs to determine the security properties of non-random IV's. I also have a small nit: 4. Implicit IV With the algorithms listed in Section 2, the 8 byte nonce MUST NOT repeat. I don't see what "8 byte" adds to this sentence -- sure, bits are cheap, but I spent a while trying to figure out if there is another, non-8 byte IV that can repeat, or that some other nonces are allowed to, etc. |
2019-10-15 | 07 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2019-10-15 | 07 | Roman Danyliw | [Ballot comment] ** I support the DISCUSS position held by Ben Kaduk. (Derived from Magnus Nystrom’s SECDIR review) The abstract, Section 2, Section 4 and Section 7 make references to AES-GCM, AES-CCM, AES-CTR and ChaCha20-Poly1305 (four algorithms). However, Section 4 also states “This document solely defines the IV generation of the algorithms defined in [RFC4106] for AES-GCM, [RFC4309] for AES-CCM and [RFC7634] for ChaCha20-Poly1305” (i.e., AES-CTR is missing). Likewise, no new code point is assigned for AES-CTR in Section 8. If AES-CTR is not in scope, then please don’t mention it in the draft. If it was missed from Section 4 and 8, please add it. ** Section 7. I’m having difficulty reconciling these two sentences: (1) Nonce generation for these algorithms has not been explicitly defined.” (2) This document provides an explicit and normative way to generate IVs. Isn’t this text saying the Nonce = Sequence number = IV? ** Section 7. Editorial. s/the IV is not allowed being repeated for one particular key./the IV is not allowed to be repeated for a particular key./ ** Section 7. Editorial. s/The Message-ID field in IKEv2 header is somewhat counterpart of SN field in ESP header, but recent …/The Message-ID field in IKEv2 header is similar to the SN field in ESP header. However recent …/ |
2019-10-15 | 07 | Roman Danyliw | [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw |
2019-10-14 | 07 | Benjamin Kaduk | [Ballot discuss] Please address the issue raised by the secdir reviewer where AES-CTR is covered in the text but no codepoint allocated. |
2019-10-14 | 07 | Benjamin Kaduk | [Ballot comment] Section 2 nit: s/In some context/In some contexts/ This document limits its scope to the algorithms mentioned above. Other algorithms with similar properties may later be defined to use this extension. I'd suggest rewording this part; the "extension" here is just the per-algorithm codepoint for the IIV variant of the encryption transform, so what would be reused is probably better described as a "mechanism" or similar than an "extension". Section 4. With the algorithms listed in Section 2, the 8 byte nonce MUST NOT repeat. The binding between a ESP packet and its nonce is provided I suggest s/MUST NOT repeat/MUST NOT repeat for a given key/. nit: s/a ESP/an ESP/ Section 4 This document solely defines the IV generation of the algorithms defined in [RFC4106] for AES-GCM, [RFC4309] for AES-CCM and [RFC7634] for ChaCha20-Poly1305. Any other aspect (including using the Key Length attribute) of applying those ciphers with the new Transform Types defined in this document MUST be taken from the documents defining the use of the algorithms in ESP. I suggest s/defines/modifies/; the whole paragraph is slightly confusing to read and could perhaps be reworded to something like "This document solely modifies the IV generation for the algorithms defined in [RFC4106] for AES-GCM, [RFC4309] for AES-CCM and [RFC7634] for ChaCha20-Poly1305. All other aspects and parameters of those algorithms are unchanged, and are used as defined in their respective specifications." Section 7 nit: the title should be "Security Considerations" plural. I suggest to reiterate the RFC 4303 requirement for SAs to be closed or rekeyed before sequence numbers grow too large to fit in 32 bits (for "legacy" Sequence Number) or 64 bits for ESN. This prevents sequence number overlaps for the mundane point-to-point case. This document defines three new encryption transforms that use implicit IV. Unlike most encryption transforms defined to date, which can be used for both ESP and IKEv2, these transforms are defined for ESP only and cannot be used in IKEv2. The reason is that IKEv2 messages don't contain unique per-message value, that can be used for IV generation. The Message-ID field in IKEv2 header is nit: s/unique/a unique/ nit: s/value,/value/ |
2019-10-14 | 07 | Benjamin Kaduk | [Ballot Position Update] New position, Discuss, has been recorded for Benjamin Kaduk |
2019-10-14 | 07 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2019-10-14 | 07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Magnus Nystrom. Submission of review completed at an earlier date. |
2019-10-13 | 07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Magnus Nystrom. |
2019-10-11 | 07 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2019-10-11 | 07 | Éric Vyncke | [Ballot discuss] Thank you for the work put into this document. I am trusting the security AD to check whether it is safe not to have a 'random' IV. I have one trivial-to-fix DISCUSS and a couple of COMMENTs. It is also unclear at first sight whether the 'nonce' built from the sequence number is actually the IIV. Regards, -éric == DISCUSS == -- Section 1 -- D.1) Please use the RFC 8174 template ;) |
2019-10-11 | 07 | Éric Vyncke | [Ballot comment] == COMMENTS == -- Section 5 -- C.1) "inside the SA Payload" probably worth being a little more descriptive here (for instance, "SA payload in the IKE exchange" ?). Also suggest to use "IKE Initiator Behavior" for the section title. -- Section 8 -- C.2) please use the usual text for IANA considerations (notably asking IANA to register as this is not this document that registers the codes). == NITS == In several places, s/8 byte nonce/8-byte nonce/ |
2019-10-11 | 07 | Éric Vyncke | [Ballot Position Update] New position, Discuss, has been recorded for Éric Vyncke |
2019-10-08 | 07 | Amy Vezza | Placed on agenda for telechat - 2019-10-17 |
2019-10-08 | 07 | Alexey Melnikov | IESG state changed to IESG Evaluation from Waiting for Writeup |
2019-10-08 | 07 | Alexey Melnikov | Ballot has been issued |
2019-10-08 | 07 | Alexey Melnikov | [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov |
2019-10-08 | 07 | Alexey Melnikov | Created "Approve" ballot |
2019-10-08 | 07 | Alexey Melnikov | Ballot writeup was changed |
2019-10-07 | 07 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2019-10-07 | 07 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-ipsecme-implicit-iv-07. If any part of this review is inaccurate, please let us know. The IANA Functions Operator understands that, upon approval of this document, there is a single action which we must complete. In the Transform Type 1 - Encryption Algorithm Transform IDs subregistry of the IKEv2 Transform Attribute Types registry on the Internet Key Exchange Version 2 (IKEv2) Parameters registry page located at: https://www.iana.org/assignments/ikev2-parameters/ the following existing registrations will have their references changed to [ RFC-to-be ]: Number: 29 Name: ENCR_AES_CCM_8_IIV ESP Reference: [ RFC-to-be ] IKEv2 Reference: Not Allowed Number: 30 Name: ENCR_AES_GCM_16_IIV ESP Reference: [ RFC-to-be ] IKEv2 Reference: Not Allowed Number: 31 Name: ENCR_CHACHA20_POLY1305_IIV ESP Reference: [ RFC-to-be ] IKEv2 Reference: Not Allowed The IANA Functions Operator understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. Thank you, Sabrina Tanamal Senior IANA Services Specialist |
2019-10-07 | 07 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2019-10-01 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Menachem Dodge |
2019-10-01 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Menachem Dodge |
2019-10-01 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Menachem Dodge |
2019-10-01 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Menachem Dodge |
2019-09-27 | 07 | Joel Halpern | Request for Last Call review by GENART Completed: Ready. Reviewer: Joel Halpern. Sent review to list. |
2019-09-26 | 07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Joel Halpern |
2019-09-26 | 07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Joel Halpern |
2019-09-26 | 07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Magnus Nystrom |
2019-09-26 | 07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Magnus Nystrom |
2019-09-23 | 07 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2019-09-23 | 07 | Cindy Morgan | The following Last Call announcement was sent out (ends 2019-10-07): From: The IESG To: IETF-Announce CC: ipsecme-chairs@ietf.org, draft-ietf-ipsecme-implicit-iv@ietf.org, Tero Kivinen, kivinen@iki.fi, ipsec@ietf.org, alexey.melnikov@isode.com Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Implicit IV for Counter-based Ciphers in Encapsulating Security Payload (ESP)) to Proposed Standard The IESG has received a request from the IP Security Maintenance and Extensions WG (ipsecme) to consider the following document: - 'Implicit IV for Counter-based Ciphers in Encapsulating Security Payload (ESP)' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2019-10-07. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Encapsulating Security Payload (ESP) sends an initialization vector (IV) or nonce in each packet. The size of IV depends on the applied transform, being usually 8 or 16 octets for the transforms defined by the time this document is written. Some algorithms such as AES-GCM, AES-CCM, AES-CTR and ChaCha20-Poly1305 require a unique nonce but do not require an unpredictable nonce. When using such algorithms the packet counter value can be used to generate a nonce. This avoids sending the nonce itself, and saves in the case of AES-GCM, AES-CCM, AES-CTR and ChaCha20-Poly1305 8 octets per packet. This document describes how to do this. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/ballot/ No IPR declarations have been submitted directly on this I-D. |
2019-09-23 | 07 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2019-09-23 | 07 | Alexey Melnikov | Last call was requested |
2019-09-23 | 07 | Alexey Melnikov | Last call announcement was generated |
2019-09-23 | 07 | Alexey Melnikov | Ballot approval text was generated |
2019-09-23 | 07 | Alexey Melnikov | Ballot writeup was generated |
2019-09-23 | 07 | Alexey Melnikov | IESG state changed to Last Call Requested from AD Evaluation |
2019-09-23 | 07 | Alexey Melnikov | IESG state changed to AD Evaluation from Publication Requested |
2019-09-23 | 07 | Benjamin Kaduk | Shepherding AD changed to Alexey Melnikov |
2019-07-22 | 07 | Tero Kivinen | Added to session: IETF-105: ipsecme Tue-1520 |
2019-04-06 | 07 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-07.txt |
2019-04-06 | 07 | (System) | New version approved |
2019-04-06 | 07 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2019-04-06 | 07 | Daniel Migault | Uploaded new revision |
2019-03-27 | 06 | Cindy Morgan | Shepherding AD changed to Benjamin Kaduk |
2019-03-14 | 06 | Tero Kivinen | Added to session: IETF-104: ipsecme Thu-1050 |
2019-03-11 | 06 | Tero Kivinen | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The intended status is Proposed Standard. The document defines a protocol and for interoperability the Internet Standard status is appropriated. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. This document defines a way to omit the nonce from ESP packets when using algorithms for which the nonce is entirely predictable and calculable from the packet counter. This reduces per-packet overhead by 8 octets. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? The document has been highly reviewed and discussed and presented during meetings and through the mailing list. The implicit iv draft was first expressed in [draft-mglt-ipsecme-diet-esp] { 00: March 2014, 01 Jul 2014 } and presented during the IETF89 in London on March 2014 at the ipsecme session [1]. The discussions led to the following draft focusing on implicit IV within the ipsecme WG : [draft-mglt-ipsecme-diet-esp-iv-generation] { 00 : Jul 2014 }. We were suggested then to move this work in 6lo which led to the following draft [draft-mglt-6lo-aes-implicit-iv] { 00 : Dec 2014, 01 : Feb 2015} that has been presented in the IETF 92 ipsecme session [2]. Implicit IV as well as diet-esp has been presented in the IETF96 in Berlin [3] in July 2016, where 6lo chairs and ipsecme chairs agree that the right place to host this work was ipsecme. [draft-mglt-ipsecme-implicit-iv] was then released in June 2016 and adopted as a WG document in November 2017. This draft extended the work from AES to ChaCha20Poly1305. The document has been presented to the ipsecme WG during the IETF89 [1], IETF92[2], IETF96[3], IETF97[5], IETF98[6], IETF99[7]. [draft-mglt-ipsecme-diet-esp] https://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp/ [draft-mglt-ipsecme-implicit-iv] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/ [1] https://www.ietf.org/proceedings/89/slides/slides-89-ipsecme-3.pdf [2] https://www.ietf.org/proceedings/92/slides/slides-92-ipsecme-3.pdf [3] https://www.ietf.org/proceedings/96/slides/slides-96-6lo-9.pdf [4] https://www.ietf.org/proceedings/96/slides/slides-96-ipsecme-0.pdf [5] https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-draft-ietf-ipsecme-eddsa-draft-mglt-ipsecme-implicit-iv-00.pdf [6] https://www.ietf.org/proceedings/98/slides/slides-98-ipsecme-implicit-iv-00.pdf [7] https://datatracker.ietf.org/meeting/99/materials/slides-99-ipsecme-implicit-iv-00 Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? Apple has reported to have a kernel implementation. During the DevNet conference in Montreal, the IPsec maintainer of Linux mentioned that he is waiting to have this as an RFC before implementing it. This does not necessarily mean that will be its highest priority. There are implementations based in C/Python scripts as well as ongoing implementations on Riot. Personnel Who is the Document Shepherd? Who is the Responsible Area Director? Tero Kivinen is the document shepherd and Eric Rescorla is the responsible AD. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document has been discussed with the WG. The current version has already been reviewed by the AD. We believe the document is ready. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No concerns. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. The author has confirmed that they are not aware of any undisclosed IPR associated with this document. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. There have been no IPR disclosures. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is a WG consensus. Three different ways have been proposed to the WG and the current consensus regarding the design and the IKEv2 negotiation. Three ways were proposed to implement it: * An Implicit IV Transform Transform Type. * An Implicit IV Transform ID (the solution considered) * An Implicit IV Transform Attribute Regarding the implicit IV protocol, there have been some discussions for not using implicit iv with IKEv2 or with multicast. These scenarios have clearly been excluded in the current document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. No nits found. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. The document does not need additional reviews. (13) Have all references within this document been identified as either normative or informative? Yes (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). Code points have already been allocated by IANA. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. Code points have already been allocated by IANA. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. checks are those provided by the submission web pages: nits. |
2019-03-11
|
06 | Tero Kivinen | Responsible AD changed to Eric Rescorla |
2019-03-11
|
06 | Tero Kivinen | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2019-03-11
|
06 | Tero Kivinen | IESG state changed to Publication Requested from I-D Exists |
2019-03-11
|
06 | Tero Kivinen | IESG process started in state Publication Requested |
2019-03-11
|
06 | Tero Kivinen | Notification list changed to Tero Kivinen <kivinen@iki.fi> |
2019-03-11
|
06 | Tero Kivinen | Document shepherd changed to Tero Kivinen |
2019-03-11
|
06 | Tero Kivinen | Changed consensus to Yes from Unknown |
2019-03-11
|
06 | Tero Kivinen | Intended Status changed to Proposed Standard from None |
2019-03-11
|
06 | Tero Kivinen | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The intended status is Proposed Standard. The document defines a protocol and for interoperability the Internet Standard status is appropriate. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. This document defines a way to omit the nonce from ESP packets when using algorithms for which the nonce is entirely predictable and calculable from the packet counter. This reduces per-packet overhead by 8 octets. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? The document has been highly reviewed and discussed and presented during meetings and through the mailing list. The implicit iv draft was first expressed in [draft-mglt-ipsecme-diet-esp] { 00: March 2014, 01 Jul 2014 } and presented during the IETF89 in London in March 2014 at the ipsecme session [1].
The discussions led to the following draft focusing on implicit IV within the ipsecme WG: [draft-mglt-ipsecme-diet-esp-iv-generation] { 00 : Jul 2014 }. We were suggested then to move this work in 6lo, which led to the following draft [draft-mglt-6lo-aes-implicit-iv] { 00 : Dec 2014, 01 : Feb 2015} that has been presented in the IETF 92 ipsecme session [2]. Implicit IV as well as diet-esp has been presented in the IETF96 in Berlin [3] in July 2016, where 6lo chairs and ipsecme chairs agreed that the right place to host this work was ipsecme. [draft-mglt-ipsecme-implicit-iv] was then released in June 2016 and adopted as a WG document in November 2017. This draft extended the work from AES to ChaCha20Poly1305. The document has been presented to the ipsecme WG during the IETF89 [1], IETF92[2], IETF96[3], IETF97[5], IETF98[6], IETF99[7]. [draft-mglt-ipsecme-diet-esp] https://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp/ [draft-mglt-ipsecme-implicit-iv] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/ [1] https://www.ietf.org/proceedings/89/slides/slides-89-ipsecme-3.pdf [2] https://www.ietf.org/proceedings/92/slides/slides-92-ipsecme-3.pdf [3] https://www.ietf.org/proceedings/96/slides/slides-96-6lo-9.pdf [4] https://www.ietf.org/proceedings/96/slides/slides-96-ipsecme-0.pdf [5] https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-draft-ietf-ipsecme-eddsa-draft-mglt-ipsecme-implicit-iv-00.pdf [6] https://www.ietf.org/proceedings/98/slides/slides-98-ipsecme-implicit-iv-00.pdf [7] https://datatracker.ietf.org/meeting/99/materials/slides-99-ipsecme-implicit-iv-00 Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues?
If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? Apple has reported to have a kernel implementation. During the DevNet conference in Montreal, the IPsec maintainer of Linux mentioned that he is waiting to have this as an RFC before implementing it. This does not necessarily mean that it will be its highest priority. There are implementations based in C/Python scripts as well as ongoing implementations on Riot. Personnel Who is the Document Shepherd? Who is the Responsible Area Director? Tero Kivinen is the document shepherd and Eric Rescorla is the responsible AD. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document has been discussed with the WG. The current version has already been reviewed by the AD. We believe the document is ready. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No concerns.
(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. The author has confirmed that they are not aware of any undisclosed IPR associated with this document. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. There have been no IPR disclosures. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is a WG consensus. Three different ways have been proposed to the WG and the current consensus regarding the design and the IKEv2 negotiation. Three ways were proposed to implement it: * An Implicit IV Transform Transform Type. * An Implicit IV Transform ID (the solution considered) * An Implicit IV Transform Attribute Regarding the implicit IV protocol, there have been some discussions for not using implicit IV with IKEv2 or with multicast. These scenarios have clearly been excluded in the current document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. No nits found. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. The document does not need additional reviews. (13) Have all references within this document been identified as either normative or informative?
Yes (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). Code points have already been allocated by IANA. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. Code points have already been allocated by IANA. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.
checks are those provided by the submission web pages: nits. |
2018-11-18
|
06 | Tero Kivinen | This document now replaces draft-mglt-6lo-aes-implicit-iv, draft-mglt-ipsecme-diet-esp-iv-generation, draft-mglt-ipsecme-implicit-iv instead of draft-mglt-ipsecme-implicit-iv |
2018-11-18
|
06 | Tero Kivinen | Reviewed suggested replacement relationships: draft-mglt-6lo-aes-implicit-iv, draft-mglt-ipsecme-diet-esp-iv-generation |
2018-11-16
|
06 | (System) | Added suggested replacement relationships: draft-mglt-6lo-aes-implicit-iv, draft-mglt-ipsecme-diet-esp-iv-generation |
2018-11-16
|
06 | (System) | This document now replaces draft-mglt-ipsecme-implicit-iv instead of draft-mglt-ipsecme-implicit-iv |
2018-11-16
|
06 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-06.txt |
2018-11-16
|
06 | (System) | New version approved |
2018-11-16
|
06 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2018-11-16
|
06 | Daniel Migault | Uploaded new revision |
2018-11-04
|
05 | Tero Kivinen | Added to session: IETF-103: ipsecme Wed-1350 |
2018-07-18
|
05 | David Waltermire | IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document |
2018-07-16
|
05 | Tero Kivinen | Added to session: IETF-102: ipsecme Wed-1520 |
2018-06-27
|
05 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-05.txt |
2018-06-27
|
05 | (System) | New version approved |
2018-06-27
|
05 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2018-06-27
|
05 | Daniel Migault | Uploaded new revision |
2018-05-10
|
04 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-04.txt |
2018-05-10
|
04 | (System) | New version approved |
2018-05-10
|
04 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2018-05-10
|
04 | Daniel Migault | Uploaded new revision |
2018-05-09
|
03 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-03.txt |
2018-05-09
|
03 | (System) | New version approved |
2018-05-09
|
03 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2018-05-09
|
03 | Daniel Migault | Uploaded new revision |
2018-03-27
|
02 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-02.txt |
2018-03-27
|
02 | (System) | New version approved |
2018-03-27
|
02 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2018-03-27
|
02 | Daniel Migault | Uploaded new revision |
2018-03-23
|
01 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-01.txt |
2018-03-23
|
01 | (System) | New version approved |
2018-03-23
|
01 | (System) | Request for posting confirmation emailed to previous authors: Tobias Guggemos, Daniel Migault, Yoav Nir |
2018-03-23
|
01 | Daniel Migault | Uploaded new revision |
2017-11-27
|
00 | Tero Kivinen | This document now replaces draft-mglt-ipsecme-implicit-iv instead of None |
2017-11-27
|
00 | Daniel Migault | New version available: draft-ietf-ipsecme-implicit-iv-00.txt |
2017-11-27
|
00 | (System) | WG -00 approved |
2017-11-18
|
00 | Daniel Migault | Set submitter to "Daniel Migault", replaces to (none) and sent approval email to group chairs: ipsecme-chairs@ietf.org |
2017-11-18
|
00 | Daniel Migault | Uploaded new revision |