Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET

I'm OK with this text. Typo: know => known in the last sentence.

	Yaron

> -----Original Message-----
> From: Frankel, Sheila E. [mailto:sheila.frankel at nist.gov]
> Sent: Tuesday, October 27, 2009 17:46
> To: ipsec at ietf.org
> Cc: Paul Hoffman; Yaron Sheffer; suresh.krishnan at ericsson.com; Tero
> Kivinen
> Subject: RE: [ipsecme] #114: Expired drafts, especially BEET
> 
> 
> #114: Expired drafts, especially BEET
> 
> Proposed changes to Roadmap doc:
> 
> 1) Sheila and Suresh do not advocate the addition of the BEET Internet
> Draft to this doc, so no change is required for that.
> 
> 2) Add text to the introductory section for IKEv1, Section 4.1.1:
> 
> Additional text:
> 
> IKE is the preferred key management protocol for IPsec. It is used for
> peer authentication; to negotiate, modify and delete SAs;  and to
> negotiate authenticated keying material for use within those SAs.  The
> standard peer authentication methods used by IKEv1 (pre-shared secret keys
> and digital certificates) had several shortcomings related to use of IKEv1
> to enable remote user authentication to a corporate VPN: it could not
> leverage the use of legacy authentication systems (e.g. RADIUS databases)
> to authenticate a remote user to a security gateway; and it could not be
> used to configure remote users with network addresses or other information
> needed in order to access the internal network.
> 
> Two Internet Drafts were written to address these problems: Extended
> Authentication within IKE (XAUTH) (draft-beaulieu-ike-xauth) and The ISAKMP
> Configuration Method (draft-dukes-ike-mode-cfg).  These drafts did not
> progress to RFC status due to security flaws and other problems related to
> these solutions. However, many current IKEv1 implementations incorporate
> aspects of these solutions to facilitate remote user access to corporate
> VPNs. Since these solutions were not standardized, there is no assurance
> that the implementations adhere fully to the suggested solutions, or that
> one implementation can interoperate with others that claim to incorporate
> the same features. Furthermore, these solutions have know security issues.
> Thus, use of these solutions is not recommended, and these Internet Drafts
> are not specified in this roadmap.
> ________________________________________
> From: ipsecme issue tracker [trac at tools.ietf.org]
> Sent: Friday, October 16, 2009 8:29 PM
> To: paul.hoffman at vpnc.org; Frankel, Sheila E.
> Subject: [ipsecme] #114: Expired drafts, especially BEET
> 
> #114: Expired drafts, especially BEET
> -----------------------------------+----------------------------------------
>  Reporter:  paul.hoffman at ...         |       Owner:  sheila.frankel at ...
>      Type:  defect                 |      Status:  new
>  Priority:  normal                 |   Milestone:
> Component:  roadmap                |    Severity:  -
>  Keywords:                         |
> -----------------------------------+----------------------------------------
>  Sheila would like to see ESP BEET mode referenced, since it's more widely
>  implemented than other docs that are mentioned. However, it is not on
>  track to becoming an RFC.
> 
>  Also, there are some who want to mention other very widely implemented
>  (expired) drafts which will never come out as RFCs, namely IKEv1
>  configuration mode (draft-dukes-ike-mode-cfg-02) and IKEv1 xauth (draft-
>  beaulieu-ike-xauth-02).
> 
>  RESPONSE: We will mention the expired drafts in the IKEv1 section of the
>  roadmap doc, explaining that many implementations implement these 2 drafts
>  to enable road warrior (user) authentication. The wording will include
>  cautions about their use: security issues, implementation/interoperability
>  problems, etc.
> 
>  Wording is needed.
> 
> --
> Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/114>
> ipsecme <http://tools.ietf.org/ipsecme/>