IETF Logo Mail Archive

Re: [IPsec] IPsec maintenance/extensions WG, summary so far

"Peng Yang" <peng.yang.chn@gmail.com> Mon, 26 May 2008 06:41 UTC

Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F9983A6A37; Sun, 25 May 2008 23:41:46 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3537B3A6A37 for <ipsec@core3.amsl.com>; Sun, 25 May 2008 23:41:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C+FP8IhiYSip for <ipsec@core3.amsl.com>; Sun, 25 May 2008 23:41:44 -0700 (PDT)
Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.169]) by core3.amsl.com (Postfix) with ESMTP id 12C4D3A6964 for <ipsec@ietf.org>; Sun, 25 May 2008 23:41:44 -0700 (PDT)
Received: by wf-out-1314.google.com with SMTP id 27so1664208wfd.31 for <ipsec@ietf.org>; Sun, 25 May 2008 23:41:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=o8gzQ0L18j9y4Ws38aIAkSAR+SQ/uvwx31reH/HHV2I=; b=Z6q5LuC/VDpDreYqISzp8fiTQJrXBP3IfKzMEcq9pr/hE/a9d+hBOQx6O5RGGedR5j09Nfgim2AB0jG/pxif5lmVDnZJhLPkGLX0LG7lqe075PNK4LKpECNV858CcYTyqEORP9BYofeLINEJoUPkmGm3gk6reeTsB6X/q8EmTfY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=wmnn/YCCIym2JaIRF5TAUE8h1g8NNnRTJIfCa0niDoMNl5+cJuet26g+XugU89+z4Ap6ZwCH0b47/3BaJsaXFIYAzN4CCKCK9h+lFmywGsRgzmyiK93gBiZWi5BqwgVLRjYxcIYInqrRcHIELlRNhHZq7WRJ1uF7X9N/UkAlN7c=
Received: by 10.142.154.20 with SMTP id b20mr1848569wfe.150.1211784103825; Sun, 25 May 2008 23:41:43 -0700 (PDT)
Received: by 10.142.211.11 with HTTP; Sun, 25 May 2008 23:41:43 -0700 (PDT)
Message-ID: <4c5c7a6d0805252341r84994d3tf66505ee9ee1fdf9@mail.gmail.com>
Date: Mon, 26 May 2008 14:41:43 +0800
From: Peng Yang <peng.yang.chn@gmail.com>
To: ipsec@ietf.org, Pasi.Eronen@nokia.com
MIME-Version: 1.0
Content-Disposition: inline
Subject: Re: [IPsec] IPsec maintenance/extensions WG, summary so far
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

Hi, Pasi and all:

Sorry for late post.

[ECR] IKEv2 session resumption / optimizing IKEv2 handshake when
         connecting again to same peer/cluster of peers (possible
         starting point: draft-sheffer-ipsec-failover)
[ECR] MEXT: interaction between IPsec and Mobile IP, Mobile IP
          specific extensions to IPsec
[ECR] Using GRE "key" header field as IPsec traffic selector (possible
          starting point: draft-ma-softwire-ipsec-gre-demultiplexing-ps)

Thanks a lot
Cheers,

Peny

My interest list has following items.
>
> [CR] o  Update to IKEv2 base specification (possible starting point:
>   draft-hoffman-ikev2bis)
>
> [ECR] o  Redirecting a VPN client from one gateway to another
>   (in a cluster of gateways)
>
> [CR] o  Better IPv6 configuration payloads (possible starting point:
>   draft-eronen-ipsec-ikev2-ipv6-config)

Thanks.

Sincerely,
fan


>>So far, we've had ~20 people who've expressed some form of support
>>for creating a WG. This is good -- many current WGs have less than 20
>>people who regularly post to the WG mailing list.

>>However, by my count, we've also had ~20 proposals for work items.
>>That obviously does not add up.

>>I agree with Paul's comment about the WG scope: the WG should work
>>on things where having a WG is really needed, and we actually have a
>>*group* of people interested on participating.

>>Having a WG should not encourage people to develop extensions that
>>would not have happened in the absence of a WG (this usually indicates
>>they're not widely needed). For some work items that have been
>>proposed, an individual draft is IMHO a more appropriate process
>>mechanism, and forming a WG would not automatically prevent
>>publication of non-WG documents the WG decided not to take.

>>To get some idea on what work items we have most interest in, I've
>>collected those proposed so far (with some things vendors are known to
>>do in proprietary ways thrown in).

Please select the items you think the WG should work on (less than
ten, please), order them most important first, and for each item,
indicate what you're willing to do:

  [E]dit: you're willing to edit the draft corresponding to the work
  item (note: even if we use an individual draft as a starting point,
  this does not automatically determine the editor of the WG item)

  [C]ontribute: you're willing to propose non-trivial amounts of
  text for the document during its development

  [R]eview: you're willing to review new revisions of the draft
  regularly (not just during WGLC)

For example,

  [CR] AEAD algorithms in IKEv2
  [R] IPsec document roadmap update

would mean that AEAD algorithms is your first priority, and you
volunteer to contribute and review; and IPsec document roadmap is
your second priority, and you volunteer to review.

You can also propose a work item that isn't on my list.
However, for the time being, I think PF_KEY work does not fit
within the scope of the possible WG charter.

List follows:

o  Update to IKEv2 base specification (possible starting point:
   draft-hoffman-ikev2bis)

o  IPsec document roadmap update (possible starting point: RFC 2411)

o  Using AEAD algorithms in IKEv2 (possible starting point:
   draft-black-ipsec-ikev2-aead-modes)

o  Redirecting a VPN client from one gateway to another
   (in a cluster of gateways)

o  IPsec "secure beacon", or detecting whether you need VPN or
   not (possible starting point: draft-sheffer-ipsec-secure-beacon)

o  Detecting crashed peers faster (possible starting point:
   draft-nir-ike-qcd)

o  IKEv2 session resumption / optimizing IKEv2 handshake when
   connecting again to same peer/cluster of peers (possible
   starting point: draft-sheffer-ipsec-failover)

o  Authentication-only IPsec that simplifies packet inspection
   (possible starting points: draft-hoffman-esp-null-protocol,
   draft-grewal-ipsec-traffic-visibility)

o  Better IPv6 configuration payloads (possible starting point:
   draft-eronen-ipsec-ikev2-ipv6-config)

o  Other work for making sure IKEv1 and IKEv2 work as well as
   possible with IPv6, both from standards and operations standpoint
   (please specify more details if you select this one)

o  Running IPsec over TCP (so your VPN works even if the coffee
   shop Wi-Fi has stupid packet filtering)

o  GSS-API (or Kerberos) authentication for IKEv2

o  Non-EAP-based one-time password authentication (possible
   starting point: draft-sunabhi-otp-ikev2)

o  Using GRE "key" header field as IPsec traffic selector (possible
   starting point: draft-ma-softwire-ipsec-gre-demultiplexing-ps)

o  Authentication with Cryptographically Generated Addresses (CGA)
   (possible starting point: draft-laganier-ike-ipv6-cga)

o  Guidelines for Mandating the Use of IPsec, for RFC430x IPsec
   (possible starting point: draft-bellovin-useipsec)

o  Labeled IPsec for RFC 430x IPsec

o  IKEv1/IKEv2 co-existence and transition (please specify more
   details if you select this one)

o  Setting up GRE tunnels with IKE (possible starting point:
   draft-wu-l3vpn-ipsec-gre-00)

o  Connecting IKEv2 peers behind NATs via a "mediation server"
   (possible starting point: draft-brunner-ikev2-mediation)

o  Anything that may be needed from IKE/IPsec with respect to
   routing protocol security (please specify more details if
   you select this one)

o  Documenting differences in IPsec usage in IETF vs. 3GPP vs.
   3GPP2 vs. WiMAX vs. vendors etc. (please specify more details
   if you select this one)

o  IKEv2 CAPTCHA
   (possible starting point: draft-mutaf-spikev2-01.txt)

Please reply (on the mailing list) within a week or so -- I will
then summarize what we have.

Best regards,
Pasi

---

P.S. It's good to note that we currently have several other WGs
working on IPsec:

o  BMWG: benchmarking IPsec devices

o  BTNS: unauthenticated or leap-of-faith IPsec, channel bindings,
   IPsec APIs for applications (not key management daemons like
   PF_KEY)

o  MEXT: interaction between IPsec and Mobile IP, Mobile IP
   specific extensions to IPsec

o  MSEC: multicast IPsec

o  ROHC: header compression in IPsec tunnel mode SAs

o  SOFTWIRE: IPsec tunnels as a softwire, setting those up
   based on BGP etc.

These WGs will continue as-is, and e.g. any changes to their charters
are not in the scope of this discussion. Future work items could be
considered case-by-case, but the intent is *not* to collect all
IPsec-related work to one WG.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email