IETF Logo Mail Archive

Re: [IPsec] IPsec maintenance/extensions WG, summary so far

"fan zhao" <fanzhao828@gmail.com> Fri, 09 May 2008 18:03 UTC

Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AB96D28C163; Fri, 9 May 2008 11:03:51 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 22B323A6801 for <ipsec@core3.amsl.com>; Fri, 9 May 2008 10:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQsO9XT78MQP for <ipsec@core3.amsl.com>; Fri, 9 May 2008 10:44:52 -0700 (PDT)
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.226]) by core3.amsl.com (Postfix) with ESMTP id 574CF3A67CE for <ipsec@ietf.org>; Fri, 9 May 2008 10:44:52 -0700 (PDT)
Received: by wx-out-0506.google.com with SMTP id i29so1475370wxd.31 for <ipsec@ietf.org>; Fri, 09 May 2008 10:43:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=UYj2YxcFhTtW7zHKhfL0JRA2tv6qkLUdEw59SuuRyDQ=; b=O+fHB1zqj3sQTkAdxPaaG+w5TDwdQ4yB5AJ5ae5fJCh4DNFfIKfhPVjm0juoRAYx9cjPtLiZrScD5Yq5yPkfLQ43/YmOOCR0fUi7k9lSmrBqA/JkzFyQ89Ei/4elaEbwHPjjYpmBd3hnvAR8JLT/XzXkqWN/ONmNXnhayEtRrO8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=AtIKDZLeLWV3wH1O9GCuXd95lhI6CNtD8iZB9BRo3lXB2U3jRvHDacZrkmsXy6RnLDDhznd3OJ6DEqKZ7M+WpLpR4NQO5wdDKbt0cFSFKr+1+bKVweEIXehHCjsjKbF2/TDIaZXrE7uzKl84t5r/WCwfOlvH0syUw6aOT4hnh70=
Received: by 10.100.10.15 with SMTP id 15mr6125504anj.105.1210354981448; Fri, 09 May 2008 10:43:01 -0700 (PDT)
Received: by 10.100.202.10 with HTTP; Fri, 9 May 2008 10:43:01 -0700 (PDT)
Message-ID: <b6d6bbe00805091043g18f91584j9ed85e14c105ce1a@mail.gmail.com>
Date: Fri, 09 May 2008 10:43:01 -0700
From: fan zhao <fanzhao828@gmail.com>
To: Vijay Devarapallli <dvijay@gmail.com>
In-Reply-To: <f1f4dcdc0805071133u217dd270idba6ff85db0e6129@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <1696498986EFEC4D9153717DA325CB728D5AF2@vaebe104.NOE.Nokia.com> <f1f4dcdc0805071130j6419439fnb90d1dd8eaf163a3@mail.gmail.com> <f1f4dcdc0805071133u217dd270idba6ff85db0e6129@mail.gmail.com>
Cc: ipsec@ietf.org, Pasi.Eronen@nokia.com
Subject: Re: [IPsec] IPsec maintenance/extensions WG, summary so far
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

Hi Vijay,

I also support this work item.

Sincerely,
fan


On Wed, May 7, 2008 at 11:33 AM, Vijay Devarapallli <dvijay@gmail.com> wrote:
> oops.. I just noticed that you did have the following in the list.
>
> o  Redirecting a VPN client from one gateway to another
>  (in a cluster of gateways)
>
> Is this the same? Or did someone else propose this?
>
> Vijay
>
> On Wed, May 7, 2008 at 11:30 AM, Vijay Devarapallli <dvijay@gmail.com> wrote:
>> Hi Pasi,
>>
>>  I have one more. Sorry for not posting this earlier.
>>
>>  There was a proposal coming out of the former MIP6 WG to use IKEv2 to
>>  re-direct a mobile node to another home agent. The Binding
>>  Update/Binding Acknowledgement exchange between the mobile node and
>>  the home agent is always preceded by an IKEv2 exchange for mutual
>>  authentication, home address configuration and setting up the required
>>  security associations for protecting Mobile IPv6 signaling messages.
>>  It was felt that it would be desirable for the home agent to tell the
>>  mobile node to go another home agent before the IKEv2 exchange
>>  completes. Otherwise the mobile node would have do the IKEv2 exchange
>>  with the new home agent all over.
>>
>>  This proposal for re-directing the mobile node to another home agent
>>  during the IKE_SA_INIT exchange was in a ex-MIP6 WG document. There
>>  were some issues raised during the IESG review for the IKEv2 re-direct
>>  mechanism. So the mechanism was taken out and the rest of the document
>>  was published as RFC 5026. One of the concerns expressed was that it
>>  could be generic extension to IKEv2 rather than being something
>>  specific to Mobile IPv6.
>>
>>  So I would like to propose to add another work item to the new IPsec
>>  WG charter to work on a IKEv2 re-direct mechanism during the
>>  IKE_SA_INIT exchange. Much of the details have already been worked out
>>  (by the ex-MIP6 WG and then some discussions offline), it is just a
>>  matter of writing up a draft. I am in the process of writing up this
>>  draft. This is coming a bit late. I hope it can be included in the
>>  IPsec re-chartering process.
>>
>>  Regards,
>>  Vijay
>>
>>
>>
>>  On Wed, May 7, 2008 at 3:19 AM,  <Pasi.Eronen@nokia.com> wrote:
>>  > So far, we've had ~20 people who've expressed some form of support
>>  >  for creating a WG. This is good -- many current WGs have less than 20
>>  >  people who regularly post to the WG mailing list.
>>  >
>>  >  However, by my count, we've also had ~20 proposals for work items.
>>  >  That obviously does not add up.
>>  >
>>  >  I agree with Paul's comment about the WG scope: the WG should work
>>  >  on things where having a WG is really needed, and we actually have a
>>  >  *group* of people interested on participating.
>>  >
>>  >  Having a WG should not encourage people to develop extensions that
>>  >  would not have happened in the absence of a WG (this usually indicates
>>  >  they're not widely needed). For some work items that have been
>>  >  proposed, an individual draft is IMHO a more appropriate process
>>  >  mechanism, and forming a WG would not automatically prevent
>>  >  publication of non-WG documents the WG decided not to take.
>>  >
>>  >  To get some idea on what work items we have most interest in, I've
>>  >  collected those proposed so far (with some things vendors are known to
>>  >  do in proprietary ways thrown in).
>>  >
>>  >  Please select the items you think the WG should work on (less than
>>  >  ten, please), order them most important first, and for each item,
>>  >  indicate what you're willing to do:
>>  >
>>  >   [E]dit: you're willing to edit the draft corresponding to the work
>>  >   item (note: even if we use an individual draft as a starting point,
>>  >   this does not automatically determine the editor of the WG item)
>>  >
>>  >   [C]ontribute: you're willing to propose non-trivial amounts of
>>  >   text for the document during its development
>>  >
>>  >   [R]eview: you're willing to review new revisions of the draft
>>  >   regularly (not just during WGLC)
>>  >
>>  >  For example,
>>  >
>>  >   [CR] AEAD algorithms in IKEv2
>>  >   [R] IPsec document roadmap update
>>  >
>>  >  would mean that AEAD algorithms is your first priority, and you
>>  >  volunteer to contribute and review; and IPsec document roadmap is
>>  >  your second priority, and you volunteer to review.
>>  >
>>  >  You can also propose a work item that isn't on my list.
>>  >  However, for the time being, I think PF_KEY work does not fit
>>  >  within the scope of the possible WG charter.
>>  >
>>  >  List follows:
>>  >
>>  >  o  Update to IKEv2 base specification (possible starting point:
>>  >    draft-hoffman-ikev2bis)
>>  >
>>  >  o  IPsec document roadmap update (possible starting point: RFC 2411)
>>  >
>>  >  o  Using AEAD algorithms in IKEv2 (possible starting point:
>>  >    draft-black-ipsec-ikev2-aead-modes)
>>  >
>>  >  o  Redirecting a VPN client from one gateway to another
>>  >    (in a cluster of gateways)
>>  >
>>  >  o  IPsec "secure beacon", or detecting whether you need VPN or
>>  >    not (possible starting point: draft-sheffer-ipsec-secure-beacon)
>>  >
>>  >  o  Detecting crashed peers faster (possible starting point:
>>  >    draft-nir-ike-qcd)
>>  >
>>  >  o  IKEv2 session resumption / optimizing IKEv2 handshake when
>>  >    connecting again to same peer/cluster of peers (possible
>>  >    starting point: draft-sheffer-ipsec-failover)
>>  >
>>  >  o  Authentication-only IPsec that simplifies packet inspection
>>  >    (possible starting points: draft-hoffman-esp-null-protocol,
>>  >    draft-grewal-ipsec-traffic-visibility)
>>  >
>>  >  o  Better IPv6 configuration payloads (possible starting point:
>>  >    draft-eronen-ipsec-ikev2-ipv6-config)
>>  >
>>  >  o  Other work for making sure IKEv1 and IKEv2 work as well as
>>  >    possible with IPv6, both from standards and operations standpoint
>>  >    (please specify more details if you select this one)
>>  >
>>  >  o  Running IPsec over TCP (so your VPN works even if the coffee
>>  >    shop Wi-Fi has stupid packet filtering)
>>  >
>>  >  o  GSS-API (or Kerberos) authentication for IKEv2
>>  >
>>  >  o  Non-EAP-based one-time password authentication (possible
>>  >    starting point: draft-sunabhi-otp-ikev2)
>>  >
>>  >  o  Using GRE "key" header field as IPsec traffic selector (possible
>>  >    starting point: draft-ma-softwire-ipsec-gre-demultiplexing-ps)
>>  >
>>  >  o  Authentication with Cryptographically Generated Addresses (CGA)
>>  >    (possible starting point: draft-laganier-ike-ipv6-cga)
>>  >
>>  >  o  Guidelines for Mandating the Use of IPsec, for RFC430x IPsec
>>  >    (possible starting point: draft-bellovin-useipsec)
>>  >
>>  >  o  Labeled IPsec for RFC 430x IPsec
>>  >
>>  >  o  IKEv1/IKEv2 co-existence and transition (please specify more
>>  >    details if you select this one)
>>  >
>>  >  o  Setting up GRE tunnels with IKE (possible starting point:
>>  >    draft-wu-l3vpn-ipsec-gre-00)
>>  >
>>  >  o  Connecting IKEv2 peers behind NATs via a "mediation server"
>>  >    (possible starting point: draft-brunner-ikev2-mediation)
>>  >
>>  >  o  Anything that may be needed from IKE/IPsec with respect to
>>  >    routing protocol security (please specify more details if
>>  >    you select this one)
>>  >
>>  >  o  Documenting differences in IPsec usage in IETF vs. 3GPP vs.
>>  >    3GPP2 vs. WiMAX vs. vendors etc. (please specify more details
>>  >    if you select this one)
>>  >
>>  >  o  IKEv2 CAPTCHA
>>  >    (possible starting point: draft-mutaf-spikev2-01.txt)
>>  >
>>  >  Please reply (on the mailing list) within a week or so -- I will
>>  >  then summarize what we have.
>>  >
>>  >  Best regards,
>>  >  Pasi
>>  >
>>  >  ---
>>  >
>>  >  P.S. It's good to note that we currently have several other WGs
>>  >  working on IPsec:
>>  >
>>  >  o  BMWG: benchmarking IPsec devices
>>  >
>>  >  o  BTNS: unauthenticated or leap-of-faith IPsec, channel bindings,
>>  >    IPsec APIs for applications (not key management daemons like
>>  >    PF_KEY)
>>  >
>>  >  o  MEXT: interaction between IPsec and Mobile IP, Mobile IP
>>  >    specific extensions to IPsec
>>  >
>>  >  o  MSEC: multicast IPsec
>>  >
>>  >  o  ROHC: header compression in IPsec tunnel mode SAs
>>  >
>>  >  o  SOFTWIRE: IPsec tunnels as a softwire, setting those up
>>  >    based on BGP etc.
>>  >
>>  >  These WGs will continue as-is, and e.g. any changes to their charters
>>  >  are not in the scope of this discussion. Future work items could be
>>  >  considered case-by-case, but the intent is *not* to collect all
>>  >  IPsec-related work to one WG.
>>  >
>>  >  ---
>>  >
>>  >  P.P.S. Acknowledgement: if you followed how Julien Laganier and
>>  >  Marcelo Bagnulo handled the MEXT WG rechartering recently, you'll
>>  >  notice I have stolen some ideas from them :-)
>>  >  _______________________________________________
>>  >  IPsec mailing list
>>  >  IPsec@ietf.org
>>  >  https://www.ietf.org/mailman/listinfo/ipsec
>>  >
>>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email