IETF-84 Proceedings

Introduction  |  Area, Working Goup & BoF Reports  |  Plenaries  |  Training  |  Internet Research Task Force

IP Security Maintenance and Extensions (ipsecme) (WG)

Minutes   |   Audio Archives  |   Jabber Logs  |   Mailing List Archives

Additional information is available at tools.ietf.org/wg/ipsecme

Chair(s): Paul E. Hoffman Yaron Sheffer Security Area Area Director(s): Stephen Farrell Sean Turner Security Area Advisor Sean Turner

Meeting Slides:

• Agenda
• Auto Discovery VPNUse Cases and Requirements
• IKE over TCP

Blue Sheets:

• bluesheets-84-ipsecme-01.pdf

Internet-Drafts:

• Auto Discovery VPN Problem Statement and Requirements (19029 bytes)
• Auto Discovery VPN Problem Statement and Requirements (21619 bytes)
• A TCP transport for the Internet Key Exchange (17118 bytes)

Request for Comments:

• Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 5685) (35100 bytes)
• IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 5739) (67691 bytes)
• Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption (RFC 5723) (59201 bytes)
• Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility (RFC 5840) (34733 bytes)
• Heuristics for Detecting ESP-NULL Packets (RFC 5879) (72917 bytes)
• Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol (RFC 5930) (12217 bytes)
• An Extension for EAP-Only Authentication in IKEv2 (RFC 5998) (33477 bytes) updates RFC5996
• Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 5996) (346466 bytes) obsoletes rfc4306 obsoletes rfc4718 updated by RFC 5998
• IPsec Cluster Problem Statement (RFC 6027) (27497 bytes)
• IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap (RFC 6071) (148655 bytes) obsoletes rfc2411
• A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC 6290) (48891 bytes)
• Protocol Support for High Availability of IKEv2/IPsec (RFC 6311) (58672 bytes)

Charter (as of 2012-08-21):

The IPsec suite of protocols includes IKEv1 (RFC 2409
and associated RFCs), IKEv2 (RFC 5996), and the IPsec
security architecture (RFC 4301). IPsec is widely
deployed in VPN gateways, VPN remote access clients,
and as a substrate for host-to-host, host-to-network,
and network-to-network security.

The IPsec Maintenance and Extensions Working Group
continues the work of the earlier IPsec Working Group
which was concluded in 2005. Its purpose is to maintain
the IPsec standard and to facilitate discussion of
clarifications, improvements, and extensions to IPsec,
mostly to IKEv2. The working group also serves as a
focus point for other IETF Working Groups who use IPsec
in their own protocols.

The current work items include:

In an environment with many IPsec gateways and remote
clients that share an established trust infrastructure
(in a single administrative domain or across multiple
domains), customers want to get on-demand point-to-point
IPsec capability for efficiency. However, this cannot be
feasibly accomplished only with today's IPsec and IKE due
to problems with address lookup, reachability, policy
configuration, and so on.

The IPsecME Working Group will handle this large scale
VPN problem by:

* Creating a problem statement document including use
cases, definitions and proper requirements for discovery
and updates. This document would be solution-agnostic.

* Publishing a common solution for the discovery and
update problems that will satisfy the requirements
in the problem statement document. The working group
may standardize one of the vendor solutions, a combination,
an superset of such a solution, or a new protocol.

* Reviewing and helping publish Informational documents
describing current vendor proprietary solutions.

Recently discovered incorrect behavior of ISPs poses a
challenge to IKE, whose UDP messages (especially #3 and #4)
sometimes get fragmented at the IP level and then dropped
by these ISPs. There is interest in solving this issue by
allowing transport of IKE over TCP; this is currently
implemented by some vendors. The group will standardize such
a solution, using draft-nir-ipsecme-ike-tcp as a starting point.


This charter will expire in August 2014 (24 months from approval).
If the charter is not updated before that time, the WG will be
closed and any remaining documents revert back to individual
Internet-Drafts.

Home - Tools Team - Datatracker - Web Site Usage Statistics - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.