NOTE: This charter is a snapshot of the 44th IETF Meeting in Minneapolis, Minnesota. It may now be out-of-date. Last Modified: 05-Mar-99
Chair(s):
Theodore Ts'o <tytso@mit.edu>
Robert Moskowitz <rgm@icsa.net>
Security Area Director(s):
Jeffrey Schiller <jis@mit.edu>
Marcus Leech <mleech@nortel.ca>
Security Area Advisor:
Jeffrey Schiller <jis@mit.edu>
Mailing Lists:
General Discussion: ipsec@lists.tislabs.com
To Subscribe: ipsec-request@lists.tislabs.com
Archive: ftp://ftp.tis.com/pub/lists/ipsec OR ftp.ans.net/pub/archive/ipsec
Description of Working Group:
Rapid advances in communication technology have accentuated the need for security in the Internet. The IP Security Protocol Working Group (IPSEC) will develop mechanisms to protect client protocols of IP. A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality.
The protocol formats for the IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP) will be independent of the cryptographic algorithm. The preliminary goals will specifically pursue host-to-host security followed by subnet-to-subnet and host-to-subnet topologies.
Protocol and cryptographic techniques will also be developed to support the key management requirements of the network layer security. The Internet Key Management Protocol (IKMP) will be specified as an application layer protocol that is independent of the lower layer security protocol. The protocol will be based on the ISAKMP/Oakley work begun in:
draft-ietf-ipsec-isakmp-05.txt,
draft-ietf-ipsec-oakley-01.txt, and
draft-ietf-ipsec-isakmp-oakley-00.txt
A follow on work item may incorporate mechanisms based on SKIP as defined in:
draft-ietf-ipsec-skip-07.txt
and related documents. Flexibility in the protocol will allow eventual support of Key Distribution Centers (KDC), such as are used by Kerberos.
Goals and Milestones:
Done | Post as an Internet-Draft the IP Security Protocol.
Done | Post as an Internet-Draft the specification for Internet key management.
Done | Submit the Internet Key Management Protocol to the IESG for consideration as a Proposed Standard.
Done | Conduct initial interoperability testing of Encapsulating Security Payload (ESP) and Authentication Header (AH).
Done | Submit revised Internet-Drafts for ESP, AH, and IP Security Architecture.
Done | Submit revised Internet-Drafts of IP Security Architecture, ESP, and AH to the IESG for consideration as Draft Standards.
Dec 96 | Submit revised Internet-Drafts of IP Security Architecture, ESP, and AH to the IESG for consideration as Draft Standards.
Done | Submit Internet-Draft of the Internet Key Management Protocol (IKMP) based on ISAKMP/Oakley to the IESG for consideration as a Proposed Standard.
Done | Submit Internet-Draft of Internet Key Management Protocol to the IESG for consideration as a Proposed Standard.
Jul 97 | Submit IKMP to IESG for consideration as a Draft Standard.
Internet-Drafts:
· The ESP Triple DES Transform
· ESP with Cipher Block Chaining (CBC)
· The ESP DES-XEX3-CBC Transform
· The ISAKMP Configuration Method
· The Use of HMAC-RIPEMD-160-96 within ESP and AH
· A GSS-API Authentication Mode for IKE
· Dynamic configuration of IPSEC VPN host using DHCP
· Revised SA negotiation mode for ISAKMP/Oakley
· Extended Authentication Within ISAKMP/Oakley
· The Pre-Shared Key for the Internet Protocol
· A Hybrid Authentication Mode for IKE
· A DH-less encryption mode for IKE
· A Framework for Group Key Management for Multicast Security
· PKI Requirements for IP Security
· IPv4 ICMP messages and IPsec security gateways
· Options for handling ICMP messages that must be forwarded
· An LDAP Schema for Configuration and Administration of IPSec based Virtual Private Networks (VPNs)
· Secure Configuration of IPsec-Enabled Network Devices
· Security Policy Specification Language
Request For Comments:
RFC | Status | Title
RFC1828 | PS | IP Authentication using Keyed MD5
RFC1829 | PS | The ESP DES-CBC Transform
RFC2104 | | HMAC: Keyed-Hashing for Message Authentication
RFC2085 | PS | HMAC-MD5 IP Authentication with Replay Prevention
RFC2401 | PS | Security Architecture for the Internet Protocol
RFC2410 | PS | The NULL Encryption Algorithm and Its Use With IPsec
RFC2411 | | IP Security Document Roadmap
RFC2402 | PS | IP Authentication Header
RFC2412 | | The OAKLEY Key Determination Protocol
RFC2451 | PS | The ESP CBC-Mode Cipher Algorithms
RFC2403 | PS | The Use of HMAC-MD5-96 within ESP and AH
RFC2404 | PS | The Use of HMAC-SHA-1-96 within ESP and AH
RFC2405 | PS | The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC2406 | PS | IP Encapsulating Security Payload (ESP)
RFC2407 | PS | The Internet IP Security Domain of Interpretation for ISAKMP
RFC2408 | PS | Internet Security Association and Key Management Protocol (ISAKMP)
RFC2409 | PS | The Internet Key Exchange (IKE)
None received.
Requirements for IPSEC Policy for the DECIDUOUS Project
IBM's Implementation of IPSEC Policy Schema
Security Policy System
Security Policy Specification Language