[IPsec] IPsec maintenance/extensions WG, summary so far
<Pasi.Eronen@nokia.com> Wed, 07 May 2008 10:20 UTC
Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 487373A70F4; Wed, 7 May 2008 03:20:41 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 867DC3A6A52 for <ipsec@core3.amsl.com>; Wed, 7 May 2008 03:20:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.571
X-Spam-Level:
X-Spam-Status: No, score=-6.571 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6OpYet24pS9 for <ipsec@core3.amsl.com>; Wed, 7 May 2008 03:20:35 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 85C4528C5DB for <ipsec@ietf.org>; Wed, 7 May 2008 03:20:13 -0700 (PDT)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m47AJULk028714 for <ipsec@ietf.org>; Wed, 7 May 2008 05:20:07 -0500
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 7 May 2008 13:19:10 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 7 May 2008 13:19:10 +0300
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 07 May 2008 13:19:09 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB728D5AF2@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: IPsec maintenance/extensions WG, summary so far
Thread-index: AciwK8m/mwKUTwCXTrqgl2KHAdRjBw==
From: Pasi.Eronen@nokia.com
To: ipsec@ietf.org
X-OriginalArrivalTime: 07 May 2008 10:19:10.0363 (UTC) FILETIME=[CA4486B0:01C8B02B]
X-Nokia-AV: Clean
Subject: [IPsec] IPsec maintenance/extensions WG, summary so far
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
So far, we've had ~20 people who've expressed some form of support for creating a WG. This is good -- many current WGs have less than 20 people who regularly post to the WG mailing list. However, by my count, we've also had ~20 proposals for work items. That obviously does not add up. I agree with Paul's comment about the WG scope: the WG should work on things where having a WG is really needed, and we actually have a *group* of people interested on participating. Having a WG should not encourage people to develop extensions that would not have happened in the absence of a WG (this usually indicates they're not widely needed). For some work items that have been proposed, an individual draft is IMHO a more appropriate process mechanism, and forming a WG would not automatically prevent publication of non-WG documents the WG decided not to take. To get some idea on what work items we have most interest in, I've collected those proposed so far (with some things vendors are known to do in proprietary ways thrown in). Please select the items you think the WG should work on (less than ten, please), order them most important first, and for each item, indicate what you're willing to do: [E]dit: you're willing to edit the draft corresponding to the work item (note: even if we use an individual draft as a starting point, this does not automatically determine the editor of the WG item) [C]ontribute: you're willing to propose non-trivial amounts of text for the document during its development [R]eview: you're willing to review new revisions of the draft regularly (not just during WGLC) For example, [CR] AEAD algorithms in IKEv2 [R] IPsec document roadmap update would mean that AEAD algorithms is your first priority, and you volunteer to contribute and review; and IPsec document roadmap is your second priority, and you volunteer to review. You can also propose a work item that isn't on my list. However, for the time being, I think PF_KEY work does not fit within the scope of the possible WG charter. List follows: o Update to IKEv2 base specification (possible starting point: draft-hoffman-ikev2bis) o IPsec document roadmap update (possible starting point: RFC 2411) o Using AEAD algorithms in IKEv2 (possible starting point: draft-black-ipsec-ikev2-aead-modes) o Redirecting a VPN client from one gateway to another (in a cluster of gateways) o IPsec "secure beacon", or detecting whether you need VPN or not (possible starting point: draft-sheffer-ipsec-secure-beacon) o Detecting crashed peers faster (possible starting point: draft-nir-ike-qcd) o IKEv2 session resumption / optimizing IKEv2 handshake when connecting again to same peer/cluster of peers (possible starting point: draft-sheffer-ipsec-failover) o Authentication-only IPsec that simplifies packet inspection (possible starting points: draft-hoffman-esp-null-protocol, draft-grewal-ipsec-traffic-visibility) o Better IPv6 configuration payloads (possible starting point: draft-eronen-ipsec-ikev2-ipv6-config) o Other work for making sure IKEv1 and IKEv2 work as well as possible with IPv6, both from standards and operations standpoint (please specify more details if you select this one) o Running IPsec over TCP (so your VPN works even if the coffee shop Wi-Fi has stupid packet filtering) o GSS-API (or Kerberos) authentication for IKEv2 o Non-EAP-based one-time password authentication (possible starting point: draft-sunabhi-otp-ikev2) o Using GRE "key" header field as IPsec traffic selector (possible starting point: draft-ma-softwire-ipsec-gre-demultiplexing-ps) o Authentication with Cryptographically Generated Addresses (CGA) (possible starting point: draft-laganier-ike-ipv6-cga) o Guidelines for Mandating the Use of IPsec, for RFC430x IPsec (possible starting point: draft-bellovin-useipsec) o Labeled IPsec for RFC 430x IPsec o IKEv1/IKEv2 co-existence and transition (please specify more details if you select this one) o Setting up GRE tunnels with IKE (possible starting point: draft-wu-l3vpn-ipsec-gre-00) o Connecting IKEv2 peers behind NATs via a "mediation server" (possible starting point: draft-brunner-ikev2-mediation) o Anything that may be needed from IKE/IPsec with respect to routing protocol security (please specify more details if you select this one) o Documenting differences in IPsec usage in IETF vs. 3GPP vs. 3GPP2 vs. WiMAX vs. vendors etc. (please specify more details if you select this one) o IKEv2 CAPTCHA (possible starting point: draft-mutaf-spikev2-01.txt) Please reply (on the mailing list) within a week or so -- I will then summarize what we have. Best regards, Pasi --- P.S. It's good to note that we currently have several other WGs working on IPsec: o BMWG: benchmarking IPsec devices o BTNS: unauthenticated or leap-of-faith IPsec, channel bindings, IPsec APIs for applications (not key management daemons like PF_KEY) o MEXT: interaction between IPsec and Mobile IP, Mobile IP specific extensions to IPsec o MSEC: multicast IPsec o ROHC: header compression in IPsec tunnel mode SAs o SOFTWIRE: IPsec tunnels as a softwire, setting those up based on BGP etc. These WGs will continue as-is, and e.g. any changes to their charters are not in the scope of this discussion. Future work items could be considered case-by-case, but the intent is *not* to collect all IPsec-related work to one WG. --- P.P.S. Acknowledgement: if you followed how Julien Laganier and Marcelo Bagnulo handled the MEXT WG rechartering recently, you'll notice I have stolen some ideas from them :-) _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] IPsec maintenance/extensions WG, summary … Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Arnaud Ebalard
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Jari Arkko
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Dan Harkins
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Charlie Kaufman
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Vijay Devarapallli
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Vijay Devarapallli
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Nicolas Williams
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Dan McDonald
- Re: [IPsec] IPsec maintenance/extensions WG, summ… fan zhao
- Re: [IPsec] IPsec maintenance/extensions WG, summ… fan zhao
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Suresh Krishnan
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Lakshminath Dondeti
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Ana Kukec
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Hui Deng
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Andreas Steffen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Kumar, Sunil
- Re: [IPsec] IPsec maintenance/extensions WG, summ… ma yc
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Grewal, Ken
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yaron Sheffer
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Richard Barnes
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Nicolas Williams
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Cheryl Madson
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Nicolas Williams
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yingzhe Wu
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen@nokia.com
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Richard Barnes
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Yoav Nir
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Hui Deng
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Nicolas Williams
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Nicolas Williams
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Jean-Michel Combes
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Pasi.Eronen
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Joy Latten
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Julien Laganier
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Julien Laganier
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Peng Yang
- Re: [IPsec] IPsec maintenance/extensions WG, summ… Peng Yang