IETF Logo Mail Archive

Re: [IPsec] Proposed wording for a revised charter

Yoav Nir <ynir.ietf@gmail.com> Fri, 04 March 2016 17:35 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FD7A1A1EF1 for <ipsec@ietfa.amsl.com>; Fri, 4 Mar 2016 09:35:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PdIwVY9mz6Nk for <ipsec@ietfa.amsl.com>; Fri, 4 Mar 2016 09:35:37 -0800 (PST)
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB7BC1A1EFE for <ipsec@ietf.org>; Fri, 4 Mar 2016 09:35:35 -0800 (PST)
Received: by mail-wm0-x236.google.com with SMTP id l68so963899wml.0 for <ipsec@ietf.org>; Fri, 04 Mar 2016 09:35:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FIB3URbjiX3YEsVXAFTlCaEknZzXNQ19Bpnj3LQdcKs=; b=odw82BLFrsA8N49xMtkWWBcMwRfaIelRPNAxhqxOI7X4x5b2mnSpc4UTEw8sI54c0+ cXLQdWepQ/BG1IL80IOXg2Tx6mqWxx76WJK0zLHraMyrXbBtN2J3Vah7bvNQVxZFihrw 9O6sLVSTOHJdb0Bj3TYOBoLmGIpIWJY9DIV5thfdj3J8G4zujh6oKz/kmcb4poAjmqo+ hLVmImoAjpzveLmMl+b2jU/CZkA2HIeE2JJBHzvfdU668b6mlTAGOYIdk7gtD7uRWnmL goRAZRwH74qooPfXB02GkgwaEixps3TqCmIEcI9HN2TmTMhlTfI3hQYkC5mLOXCXtzPR mu0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FIB3URbjiX3YEsVXAFTlCaEknZzXNQ19Bpnj3LQdcKs=; b=BSjL6DRb2ZpJOLBbNW71PCeLNaUqw7V1VHRyypwa9YKKOTEPtmNubxv+wxtJkSq5f1 71okHnt3qbyJr8d77Utucn6i9GmlUbACSTx61oHZ/8WpqtyvGaKx1YdpvzC0+WlmmplJ wzMOhGvd8KOSj/lJwTBBDsmm4awK6EyVa4DdtrOqAL2XRsU3KL0VSzcohMwgQ3JsmQYg YPV0tMWCc5B4x9KXHTBkVphfnSpbvxxEW4l1Wqta1d3lGXu0XzY2kuIiyueBAeyS2wZj 4a181RBYb4SUF4SSHrs1VZ6Kf6Q+KdSn2olfLT6rpVACuh1XCjQeH1/k0/R+kxvGOM8c ye5w==
X-Gm-Message-State: AD7BkJLbYZ2p5/5a6uqr3/IthXKlaFvhWpFB6FfUcr/GcFVz+5+RijxZHorGE4rNlugTbg==
X-Received: by 10.194.71.135 with SMTP id v7mr10267645wju.135.1457112934188; Fri, 04 Mar 2016 09:35:34 -0800 (PST)
Received: from [192.168.1.13] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id p125sm79905wmd.16.2016.03.04.09.35.33 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 04 Mar 2016 09:35:33 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <5281C22F-97EE-4994-829E-1121BEDE8E36@apple.com>
Date: Fri, 04 Mar 2016 19:35:31 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <D7178F74-CE36-4B84-AA14-552C517DC587@gmail.com>
References: <82BDFE1B-EF80-49EA-BD47-4D77C5E812EA@vpnc.org> <ED97373A-7510-421C-956D-56ED6D443C37@nohats.ca> <5281C22F-97EE-4994-829E-1121BEDE8E36@apple.com>
To: Tommy Pauly <tpauly@apple.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/8TVVCItdz6Cod7B5_myYYAFEpWE>
Cc: IPsecME WG <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] Proposed wording for a revised charter
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2016 17:35:39 -0000

+1 

Speaking as an implementer, we have done something similar for our IKEv1 clients, and would be happy to have something standards-based for IKEv2.

I would be happy to see this work become an RFC.

Yoav

> On 4 Mar 2016, at 7:05 PM, Tommy Pauly <tpauly@apple.com> wrote:
> 
> I would also like to see the draft for TCP encapsulation added as an item, since we’ve gotten a fair amount of support for it. For the purposes of the charter, it may be good to have a broader explanation of the goal—something to the effect that the working group should focus on making sure that IKEv2 can be deployed more universally by taking into account limitations of various networks. Previous RFCs like IKE fragmentation have contributed to this; TCP encapsulation tries to solve another set of problematic networks; and we can imagine that there may be more to investigate, such as taking into account the limitations and requirements of IoT networks, etc.
> 
> Tommy
> 
>> On Mar 1, 2016, at 12:32 PM, Paul Wouters <paul@nohats.ca> wrote:
>> 
>> S/mostly// 
>> 
>> Add IKE over tcp and DNS extensions for ikev2?
>> 
>> Sent from my iPhone
>> 
>>> On Mar 1, 2016, at 11:18, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>> 
>>> Greetings. We need to update our charter to reflect our current and expected work. Dave and I propose the following text. Please let us know within the next week if you have suggestions for changes.
>>> 
>>> --Paul Hoffman and Dave Waltermire
>>> 
>>> 
>>> The IPsec suite of protocols includes IKEv1 (RFC 2409 and associated RFCs),
>>> IKEv2 (RFC 7296), and the IPsec security architecture (RFC 4301). IPsec is
>>> widely deployed in VPN gateways, VPN remote access clients, and as a
>>> substrate for host-to-host, host-to-network, and network-to-network
>>> security.
>>> 
>>> The IPsec Maintenance and Extensions Working Group continues the work of
>>> the earlier IPsec Working Group which was concluded in 2005. Its purpose is
>>> to maintain the IPsec standard and to facilitate discussion of clarifications,
>>> improvements, and extensions to IPsec, mostly to IKEv2.
>>> The working group also serves as a focus point for other IETF Working Groups
>>> who use IPsec in their own protocols.
>>> 
>>> The current work items include:
>>> 
>>> IKEv2 contains the cookie mechanism to protect against denial of service
>>> attacks. However this mechanism cannot protect an IKE end-point (typically,
>>> a large gateway) from "distributed denial of service", a coordinated attack by
>>> a large number of "bots". The working group will analyze the problem and
>>> propose a solution, by offering best practices and potentially by extending
>>> the protocol.
>>> 
>>> IKEv2 utilizes a number of cryptographic algorithms in order to provide
>>> security services. To support interoperability a number of mandatory-to-
>>> implement (MTI) algorithms are defined in RFC4307. There is interest in
>>> updating the MTIs in
>>> RFC4307 based on new algorithms, changes to the understood security
>>> strength of existing algorithms, and the degree of adoption of previously
>>> introduced algorithms. The group will revise RFC4307 proposing updates to
>>> the MIT algorithms used by IKEv2 to address these changes.
>>> 
>>> There is interest in supporting Curve25519 and Curve448 for ephemeral key
>>> exchange in the IKEv2 protocol. The group will extend the
>>> IKEv2 protocol to support key agreement using these curves and their
>>> related functions.
>>> 
>>> This charter will expire in August 2016. If the charter is not updated before
>>> that time, the WG will be closed and any remaining documents revert back to
>>> individual Internet-Drafts.
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>> 
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email