[Ipsec] draft-ietf-ipsec-ikev2-15.txt
"Charlie Kaufman" <charliek@microsoft.com> Sun, 15 August 2004 05:47 UTC
Date: Sat, 14 Aug 2004 22:39:49 -0700
Message-ID: <F5F4EC6358916448A81370AF56F211A5038F3E50@RED-MSG-51.redmond.corp.microsoft.com>
From: Charlie Kaufman <charliek@microsoft.com>
To: ipsec@ietf.org
Subject: [Ipsec] draft-ietf-ipsec-ikev2-15.txt
I submitted revision -15 of the IKEv2 spec to the Internet Drafts editor (copying Paul Hoffman in hopes he will make it available more quickly). It addresses all of the outstanding issues in the issues tracker. Below is the list of changes. Some changes were based on hallway discussions at IETF, and should be ratified as appropriate on this list. If they are, this might (finally!) be the version that becomes an RFC.

The change most likely to be controversial is that the "Hash and URL" encoding of certificates is made mandatory to support in an implementation (though not mandatory to configure). This was to address a large number of concerns about use of IP fragmentation for what might turn out to be large packets when certificates are included. IP fragmentation opens implementations up to denial of service attacks, and they are blocked by some firewalls.

The only other "bits on the wire" change was in how IPv6 addresses are assigned when a mobile endpoint tunnels into a firewall. The new mechanism allows the mobile endpoint to request a specific set of low order bytes. (Technically, it's not a change; just a 'clarification' of how the request for an address should be interpreted).

--Charlie

1) ISSUE #111, 113: Made support for "Hash and URL" as a substitute for certificates mandatory, and added explanatory text about the dangers of depending on IP fragmentation for large messages.
2) ISSUE #110: Made support for configuring shared keys by means of a HEX encoded byte string mandatory.
3) Clarified use of special traffic selectors with a port range from 65535 - 0.
4) ISSUE #110: Added reference to RFC2401bis for definitions of terms.
5) ISSUE #110, 114: Made required support of ID_IPV4_ADDR and ID_IPV6_ADDR depend on support of IPv4 vs. IPv6 as a transport.
6) ISSUE #114: Removed INTERNAL_IP6_NETMASK and replaced it with text describing how an endpoint should request an IP address with specified low order bytes.
7) ISSUE #101, 102, 104, 105, 106, and 107: Fold in information from draft-ietf-ipsec-ikev2-iana-00.txt to make that document unnecessary for initial IANA settings. Deleted it from references.
8) ISSUE #110: Removed reference to ENCR_RC4.
9) ISSUE #112: Removed reference to draft-keromytis-ike-id-00.txt, which will not be published as an RFC.
10) ISSUE #112: Removed text incorrectly implying that AH could be tunneled over port 4500.
11) ISSUE #112: Removed reference to draft-ietf-ipsec-nat-reqts-04.txt.
12) ISSUE #112: Removed reference to draft-ipsec-ike-hash-revised-02.txt, and substituted a short explanation of the problem addressed.
13) ISSUE #112: Changed the label of PRF_AES_CBC to PRF_AES128_CBC.
14) ISSUE #110: Clarified distinction between Informational messages and Informational exchanges.
15) ISSUE #110: Clarified distinction between SA payloads and SAs.
16) ISSUE #109: Clarified that cryptographic algorithms that MUST be supported can still be configured as off.
17) ISSUE #110: Changed example IP addresses from 10.*.*.* to 192.0.*.*.
18) ISSUE #108: Rephrased to avoid use of the undefined acronyms PFS and NAT-T.
19) ISSUE #113: Added requirement that backoff timers on retransmissions must increase exponentially to avoid network congestion.
20) Replaced dubious explanation of NON_FIRST_FRAGMENTS_ALSO with a reference to RFC2401bis.
21) Fixed 16 spelling/typographical/grammatical errors.
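The "Hash and URL" change (items 1 and the discussion above) is easiest to see with the bytes in hand. The following is an added example in Python, not code from the email or from any IKEv2 implementation. It encodes a CERT payload both ways, compares the resulting datagram size with a 1500-byte MTU to show why the full certificate is the one that fragments, and performs the check a receiver must do on a certificate fetched from the URL: only the in-band SHA-1 hash is covered by the peer's later AUTH, so the fetched bytes are accepted only if they hash to it. The payload layout (encoding value 12, a 20-byte SHA-1 hash followed by the URL) is the one IKEv2 specifies in RFC 4306 section 3.6; the sample DER blob, the URL, the header-size arithmetic and the MTU are constructed or approximate assumptions for illustration.

```python
import hashlib
import hmac
import struct

# IKEv2 CERT payload (RFC 4306 section 3.6):
#   generic payload header: Next Payload (1 byte), Critical bit + reserved (1), Payload Length (2)
#   Cert Encoding (1 byte), then Certificate Data.
# For Cert Encoding 12, "Hash and URL of X.509 certificate", Certificate Data is the 20-byte
# SHA-1 hash of the DER-encoded certificate followed by the URL, with no terminator.
CERT_X509_SIGNATURE = 4
CERT_HASH_AND_URL_X509 = 12
SHA1_LEN = 20
GENERIC_HEADER_LEN = 4


def build_cert_payload(encoding: int, cert_data: bytes, next_payload: int = 0) -> bytes:
    """Serialize a CERT payload with its generic header; length is the whole payload."""
    body = bytes([encoding]) + cert_data
    length = GENERIC_HEADER_LEN + len(body)
    if length > 0xFFFF:
        raise ValueError("CERT payload too large for the 16-bit length field")
    return struct.pack("!BBH", next_payload, 0, length) + body


def hash_and_url_cert_data(der_cert: bytes, url: str) -> bytes:
    """Certificate Data for encoding 12: SHA-1(DER) || URL."""
    return hashlib.sha1(der_cert).digest() + url.encode("ascii")


def parse_cert_payload(payload: bytes) -> tuple[int, int, bytes]:
    """Return (next_payload, cert_encoding, cert_data) after checking the length field."""
    if len(payload) < GENERIC_HEADER_LEN + 1:
        raise ValueError("truncated CERT payload")
    next_payload, _flags, length = struct.unpack("!BBH", payload[:GENERIC_HEADER_LEN])
    if length != len(payload):
        raise ValueError("payload length field does not match the data present")
    return next_payload, payload[GENERIC_HEADER_LEN], payload[GENERIC_HEADER_LEN + 1:]


def split_hash_and_url(cert_data: bytes) -> tuple[bytes, str]:
    if len(cert_data) <= SHA1_LEN:
        raise ValueError("Hash and URL data too short to hold a hash and a URL")
    return cert_data[:SHA1_LEN], cert_data[SHA1_LEN:].decode("ascii")


def accept_fetched_certificate(cert_data: bytes, fetched_der: bytes) -> bool:
    """The URL and whatever is served there are untrusted; only the hash sent in-band is bound
    to the peer. Accept the fetched DER bytes only if they hash to that value."""
    expected_hash, _url = split_hash_and_url(cert_data)
    return hmac.compare_digest(hashlib.sha1(fetched_der).digest(), expected_hash)


def ike_datagram_size(payload_len: int, ipv6: bool = False) -> int:
    """Approximation (assumption): IP header + UDP header + 28-byte IKE header + this payload."""
    return (40 if ipv6 else 20) + 8 + 28 + payload_len


def fits_in_mtu(payload_len: int, mtu: int = 1500, ipv6: bool = False) -> bool:
    return ike_datagram_size(payload_len, ipv6) <= mtu


# Constructed sample input: a 1800-byte stand-in for a DER certificate (not a real certificate)
# and an illustrative URL.
SAMPLE_DER = b"\x30\x82\x07\x00" + bytes(range(256)) * 7 + b"\x00\x00\x00\x00"
SAMPLE_URL = "http://example.com/cert.der"


def demo() -> dict:
    full = build_cert_payload(CERT_X509_SIGNATURE, SAMPLE_DER)
    hurl = build_cert_payload(CERT_HASH_AND_URL_X509,
                              hash_and_url_cert_data(SAMPLE_DER, SAMPLE_URL))
    _next, encoding, data = parse_cert_payload(hurl)
    tampered = SAMPLE_DER[:-1] + b"\x01"  # a substituted certificate served at the same URL
    return {
        "full_len": len(full),
        "hash_url_len": len(hurl),
        "full_fits": fits_in_mtu(len(full)),
        "hash_url_fits": fits_in_mtu(len(hurl)),
        "encoding": encoding,
        "url": split_hash_and_url(data)[1],
        "genuine_accepted": accept_fetched_certificate(data, SAMPLE_DER),
        "substituted_rejected": not accept_fetched_certificate(data, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size comparison ignores the encryption and padding that wrap IKE_AUTH payloads, so it understates the real datagram; the point it makes is unaffected, since the Hash and URL form is a few dozen bytes however large the certificate is.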
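Item 19, the requirement that retransmission timers increase exponentially, is about aggregate load on the network rather than any single exchange. The following is an added illustration in Python, not from the email or from any IKEv2 implementation: it counts how many copies of one request a peer puts on the wire while its counterpart is unreachable for 60 seconds, with a fixed one-second timer versus an exponentially growing one. The specific timer values, the cap, the retry limit and the optional jitter helper are assumptions chosen for the illustration.

```python
import random


def exponential_delays(initial: float = 1.0, factor: float = 2.0,
                       cap: float = 32.0, max_retries: int = 6) -> list[float]:
    """Waits (seconds) before each successive retransmission: initial, initial*factor, ...
    capped at `cap`, for at most `max_retries` retransmissions before giving up."""
    delays = []
    wait = initial
    for _ in range(max_retries):
        delays.append(min(wait, cap))
        wait *= factor
    return delays


def fixed_delays(interval: float = 1.0, max_retries: int = 60) -> list[float]:
    """The behaviour the requirement rules out: retransmit at a constant interval."""
    return [interval] * max_retries


def with_jitter(delays: list[float], rng: random.Random, spread: float = 0.25) -> list[float]:
    """Scale each wait by a random factor in [1-spread, 1+spread] so that many peers recovering
    from the same outage do not retransmit in lock-step (an addition, not in the email)."""
    return [d * (1.0 + rng.uniform(-spread, spread)) for d in delays]


def send_times(delays: list[float]) -> list[float]:
    """Absolute send times: the original request at t=0, then one per retransmission."""
    times = [0.0]
    for d in delays:
        times.append(times[-1] + d)
    return times


def sends_during_outage(delays: list[float], outage_seconds: float) -> int:
    """Copies of the request put on the wire before the peer becomes reachable again."""
    return sum(1 for t in send_times(delays) if t < outage_seconds)


def is_exponential(delays: list[float], factor: float, cap: float) -> bool:
    """Check a schedule against the requirement: each wait is at least `factor` times the
    previous one until the cap is reached."""
    return all(b >= min(a * factor, cap) for a, b in zip(delays, delays[1:]))


if __name__ == "__main__":
    outage = 60.0
    print("fixed 1s timer:", sends_during_outage(fixed_delays(), outage), "sends")
    print("exponential  :", sends_during_outage(exponential_delays(), outage), "sends")
    print("jittered     :", [round(d, 2) for d in with_jitter(exponential_delays(),
                                                             random.Random(0))])
```

With the sample parameters the fixed timer sends 60 copies during the outage and the exponential one sends 6, which is the congestion difference the requirement is after; the jitter helper is the usual companion to such a schedule but is not something the draft asks for.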