Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET

"Frankel, Sheila E." <sheila.frankel@nist.gov> Tue, 27 October 2009 15:47 UTC

From: "Frankel, Sheila E." <sheila.frankel@nist.gov>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 27 Oct 2009 11:46:18 -0400
Message-ID: <D7A0423E5E193F40BE6E94126930C4930789878B75@MBCLUSTER.xchange.nist.gov>
References: <063.783474ea3d34b716e39da24271b27cac@tools.ietf.org>
In-Reply-To: <063.783474ea3d34b716e39da24271b27cac@tools.ietf.org>
Cc: Tero Kivinen <kivinen@iki.fi>, Paul Hoffman <paul.hoffman@vpnc.org>, "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>
Subject: Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET

#114: Expired drafts, especially BEET

Proposed changes to Roadmap doc:

1) Sheila and Suresh do not advocate the addition of the BEET Internet Draft to this doc, so no change is required for that.

2) Add text to the introductory section for IKEv1, Section 4.1.1:

Additional text:

IKE is the preferred key management protocol for IPsec. It is used for peer authentication; to negotiate, modify and delete SAs; and to negotiate authenticated keying material for use within those SAs. The standard peer authentication methods used by IKEv1 (pre-shared secret keys and digital certificates) had several shortcomings related to use of IKEv1 to enable remote user authentication to a corporate VPN: it could not leverage the use of legacy authentication systems (e.g. RADIUS databases) to authenticate a remote user to a security gateway; and it could not be used to configure remote users with network addresses or other information needed in order to access the internal network.

Two Internet Drafts were written to address these problems: Extended Authentication within IKE (XAUTH) (draft-beaulieu-ike-xauth) and The ISAKMP Configuration Method (draft-dukes-ike-mode-cfg). These drafts did not progress to RFC status due to security flaws and other problems related to these solutions. However, many current IKEv1 implementations incorporate aspects of these solutions to facilitate remote user access to corporate VPNs. Since these solutions were not standardized, there is no assurance that the implementations adhere fully to the suggested solutions, or that one implementation can interoperate with others that claim to incorporate the same features. Furthermore, these solutions have known security issues. Thus, use of these solutions is not recommended, and these Internet Drafts are not specified in this roadmap.
________________________________________
From: ipsecme issue tracker [trac@tools.ietf.org]
Sent: Friday, October 16, 2009 8:29 PM
To: paul.hoffman@vpnc.org; Frankel, Sheila E.
Subject: [ipsecme] #114: Expired drafts, especially BEET

#114: Expired drafts, especially BEET
-----------------------------------+----------------------------------------
 Reporter:  paul.hoffman@…         |       Owner:  sheila.frankel@…
     Type:  defect                 |      Status:  new
 Priority:  normal                 |   Milestone:
Component:  roadmap                |    Severity:  -
 Keywords:                         |
-----------------------------------+----------------------------------------
 Sheila would like to see ESP BEET mode referenced, since it's more widely
 implemented than other docs that are mentioned. However, it is not on
 track to becoming an RFC.

 Also, there are some who want to mention other very widely implemented
 (expired) drafts which will never come out as RFCs, namely IKEv1
 configuration mode (draft-dukes-ike-mode-cfg-02) and IKEv1 xauth (draft-
 beaulieu-ike-xauth-02).

 RESPONSE: We will mention the expired drafts in the IKEv1 section of the
 roadmap doc, explaining that many implementations implement these 2 drafts
 to enable road warrior (user) authentication. The wording will include
 cautions about their use: security issues, implementation/interoperability
 problems, etc.

 Wording is needed.

--
Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/114>
ipsecme <http://tools.ietf.org/ipsecme/>