Last Call Review of draft-ietf-storm-ipsec-ips-update-03
review-ietf-storm-ipsec-ips-update-03-secdir-lc-yu-2013-08-22-00

Request Review of draft-ietf-storm-ipsec-ips-update
Requested rev. no specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-08-19
Requested 2013-08-08
Draft last updated 2013-08-22
Completed reviews Genart Last Call review of -03 by Francis Dupont (diff)
Genart Telechat review of -03 by Francis Dupont (diff)
Secdir Last Call review of -03 by Taylor Yu (diff)
Assignment Reviewer Taylor Yu
State Completed
Review review-ietf-storm-ipsec-ips-update-03-secdir-lc-yu-2013-08-22
Reviewed rev. 03 (document currently at 04)
Review result Has Nits
Review completed: 2013-08-22

Review
review-ietf-storm-ipsec-ips-update-03-secdir-lc-yu-2013-08-22

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I believe this document is ready with minor issues.

The Security Considerations section in its entirety is

    "This entire document is about security."

Although the above statement is true, I think it would also be
beneficial to provide additional information in the Security
Considerations to help implementers and administrators make informed
risk assessments.  This could include describing the consequences of
failing to adopt the recommendations of this document.  I have
outlined below some possible risk tradeoffs to consider describing in
the document.

AES in GCM mode is vulnerable to catastrophic forgery attacks if a
nonce is ever repeated with a given key.  Hopefully this won't be a
practical issue, but implementation bugs involving random number
generators are not uncommon.  Forgery in a content protection context
is probably also less of a concern than forgery in an authentication
context.

What concerns with AES-CTR motivate its demotion?  I do seem to recall
that (contrary to best practice) confidentiality can be done
separately from integrity in IPsec.  Is this composition done in a way
that has vulnerabilities?  I'm not very familiar with IPsec and am not
remembering the details at the moment.

If there is sufficiently low traffic, is it likely that a site
constrained by legacy or resource issues could use 3DES (with its
64-bit block size) at an acceptable risk level?  (possibly with
frequent rekeying)  Ciphertext collision isn't as catastrophic with
CBC mode ciphers as nonce collision is for AES-GCM.  McGrew's paper
about collision attacks includes equations that estimate data leakage.

It could be useful to include advice about matching symmetric key
lengths with public key strengths.  See NIST SP 800-57 Part 1.

What are the consequences of sequence number cycling in ESP?