IETF-96 Proceedings

Introduction  |  Area, Working Goup & BoF Reports  |  Plenaries  |  Training  |  Internet Research Task Force

IP Security Maintenance and Extensions (ipsecme) (WG)

Minutes   |   Jabber Logs  |   Mailing List Archives

Additional information is available at tools.ietf.org/wg/ipsecme

Chair(s): David Waltermire Tero Kivinen Security Area Area Director(s): Stephen Farrell Kathleen Moriarty Assigned Area Director Kathleen Moriarty

Status Update (provided 2016-07-20)

The DDoS protection draft is through WGLC, and should be going forward soon. The mandatory to implement crypto algorithm drafts (rfc4307bis, rfc7321bis) got some discussion and there will be at new versions submitted before they are ready. Safecurves document is also getting ready for the WGLC, so we should have several documents going out from the WG soon.

After that we had discussion about the TCP encapsulation of the IKEv2, and then requirements for the quantum resistance in the IKEv2, both which are new work to be chartered in the WG.

We will be updating our charter to add new items (MIT algoritm updates, new algorithms, quantum resistance, TCP encapsulation, split dns, implicit IV).

Recordings:

• Video recording for 2016-07-19 14:00

Meeting Slides:

• Chair Slides
• draft-ietf-ipsecme-ddos-protection
• draft-ietf-ipsecme-rfc4307bis
• draft-mglt-ipsecme-rfc7321bis
• draft-ietf-ipsecme-safecurves
• draft-ietf-ipsecme-tcp-encaps
• IPsec Quantum Resistance
• draft-pauly-ipsecme-split-dns
• draft-mglt-ipsecme-implicit-iv
• Diet ESP

Blue Sheets:

• bluesheets-96-ipsecme-01.pdf

Internet-Drafts:

• Postquantum Preshared Keys for IKEv2 (28305 bytes)
• TCP Encapsulation of IKE and IPsec Packets (44777 bytes)
• Curve25519 and Curve448 for IKEv2 Key Agreement (14172 bytes)
• Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) (30130 bytes)
• Algorithm Implementation Requirements and Usage Guidance for IKEv2 (42747 bytes)
• Protecting Internet Key Exchange Protocol version 2 (IKEv2) Implementations from Distributed Denial of Service Attacks (74003 bytes)

Request for Comments:

• An Extension for EAP-Only Authentication in IKEv2 (RFC 5998) (33477 bytes) updates RFC5996
• Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 5996) (346466 bytes) obsoleted by RFC 7296 obsoletes rfc4306 obsoletes rfc4718 updated by RFC 5998,RFC 6989,RFC 6989
• IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 5739) (67691 bytes)
• Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility (RFC 5840) (34733 bytes)
• Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 5685) (35100 bytes)
• Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption (RFC 5723) (59201 bytes)
• Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) (RFC 7321) (25724 bytes) obsoletes rfc4835
• IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap (RFC 6071) (148655 bytes) obsoletes rfc2411
• Heuristics for Detecting ESP-NULL Packets (RFC 5879) (72917 bytes)
• Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol (RFC 5930) (12217 bytes)
• IPsec Cluster Problem Statement (RFC 6027) (27497 bytes)
• A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC 6290) (48891 bytes)
• Protocol Support for High Availability of IKEv2/IPsec (RFC 6311) (58672 bytes)
• Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) (RFC 7427) (39041 bytes) updates RFC7296
• Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation (RFC 7383) (47354 bytes)
• Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 7296) (354358 bytes) obsoletes rfc5996 updated by RFC 7427,RFC 7670
• Auto-Discovery VPN Problem Statement and Requirements (RFC 7018) (27284 bytes)
• Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 6989) (21099 bytes) updates RFC5996,RFC5996
• The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2) (RFC 7619) (24593 bytes) updates RFC4301
• ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec (RFC 7634) (27513 bytes)

Charter (as of 2016-09-02):

The IPsec suite of protocols includes IKEv1 (RFC 2409 and associated RFCs), IKEv2 (RFC 7296), and the IPsec security architecture (RFC 4301). IPsec is widely deployed in VPN gateways, VPN remote access clients, and as a substrate for host-to-host, host-to-network, and network-to-network security.

The IPsec Maintenance and Extensions Working Group continues the work of the earlier IPsec Working Group which was concluded in 2005. Its purpose is to maintain the IPsec standard and to facilitate discussion of clarifications, improvements, and extensions to IPsec, mostly to IKEv2. The working group also serves as a focus point for other IETF Working Groups who use IPsec in their own protocols.

The current work items include:

IKEv2 contains the cookie mechanism to protect against denial of service attacks. However this mechanism cannot protect an IKE end-point (typically, a large gateway) from "distributed denial of service", a coordinated attack by a large number of "bots". The working group will analyze the problem and propose a solution, by offering best practices and potentially by extending the protocol.

There is interest in adapting the IKE protocol for opportunistic use cases, by allowing one or both endpoints of the exchange to remain unauthenticated. The group will extend the protocol to support these use cases.

This charter will expire in December 2015 (a year from approval). If the charter is not updated before that time, the WG will be closed and any remaining documents revert back to individual Internet-Drafts.

Home - Tools Team - Datatracker - Web Site Usage Statistics - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.