I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft specifies an aggregation and fragmentation mechanism when using Encapsulating Security Payload (ESP) for IP packets, in which the primary purpose of the specification is to provide Traffic Flow Confidentiality (TFC) for said packets.

The security considerations section does exist and describes that this specification adds security through TFC. The section goes on to state that the underlying security of this mechanism, IP Traffic Flow Security (IP-TFS), is also applicable (through RFC 4303 (ESP) and RFC 7296 (IKEv2)). In addition, the proposed mechanism supports Explicit Congestion Notification (ECN), which may be used as a covert channel because it is not protected by IPsec. Ergo, this specification states that ECN SHOULD NOT be enabled by default. The section concludes that TFC should not change network congestion in a predictable way, but if it does, then a non-congestion-control mode should be used instead. I agree with the accuracy and scope of the aforementioned assertions.

General comments:

Well written, just a couple of nits.

Editorial comments:

s/and it use/and its use/
s/apply to IP-TFS/apply to IP-TFC/

Shawn.
--