Re: [IPsec] Moving forwards on session resumption

<Pasi.Eronen@nokia.com> Mon, 17 November 2008 16:41 UTC


We have received an appeal from Hui Deng and Peny Yang.  Upon consideration, we have decided not to take any further action. We hope Hui and Peny are satisfied with our explanation, which we provided off-list.
 
We're encouraged by the frank and open exchange of ideas -- which is critical for making good progress on the chartered work items -- and hope to see lively discussion in the future as well.
 
Best regards,
Pasi & Tim



________________________________

	From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of ext Hui Deng
	Sent: 07 November, 2008 18:12
	To: Paul Hoffman
	Cc: IPsecme WG
	Subject: Re: [IPsec] Moving forwards on session resumption
	
	
	Dear Chairs and all
	 
	As the co-author of the draft-xu, I would like to question this decision.
	 
	1) I carefully read the reason for this decision below and found no technical or consensus summary other than the chair's own choice.
	 
	2) The chair here says that the authors of draft-xu are not seeking consensus.
	I can show the offline discussion email if needed; the authors of draft-xu expressed clearly several times that they are expecting consensus.
	 
	3) Regarding the restrictions in the charter, I feel confused about why the chair called the discussion.
	http://www.ietf.org/mail-archive/web/ipsec/current/msg03232.html, it seems useless, with no technical summary for this discussion.
	As for the waste of time, I didn't see any deployment urgency for that technology; on the contrary, a scale operator is interested in draft-xu. I guess that the IETF always chooses the more consensus-based and better solution.
	 
	4) The authors of draft-xu would like to appeal this decision to the end; WG chair and IESG chair, please sincerely consider this decision. We need some time to prepare the appeal to the IESG chair.
	 
	5) One reminder: please have draft-tschofenig refer to the other draft if it is using an idea from it.
	 
	Many thanks
	 
	-Hui
	 
	2008/11/7 Paul Hoffman <paul.hoffman@vpnc.org>
	

		<co-chair hat on>
		
		Greetings again. As you know, we have an item in our charter to have an extension to handle session resumption. The charter says:
		
		=======================================
		- A standards-track extension that allows an IPsec remote access client
		to "resume" a session with a gateway; that is, to skip certain parts of
		IKE negotiation when connecting again to the same gateway (or possibly a
		cluster of closely cooperating gateways). The idea is similar to TLS
		session resumption without server-side state, specified in RFC 5077.
		
		The main goals for this extension are to avoid public-key computations
		(to reduce VPN gateway load when a large number of clients reconnect to
		the gateway within a short period of time, such as following a network
		outage), and remove the need for user interaction for authentication
		(which may be required by some authentication mechanisms). The extension
		shall not have negative impact on IKEv2 security features.
		
		Failover from one gateway to another, mechanisms for detecting when a
		session should be resumed, and specifying communication mechanisms
		between gateways are beyond the scope of this work item. Specifying the
		detailed contents of the "session ticket" is also beyond the scope of
		this document; if there is sufficient interest, this could be specified
		later in a separate document.
		
		To the degree its content falls within the scope of this work item, text
		and ideas from draft-sheffer-ipsec-failover will be used as a starting
		point.
		=======================================
		
		There were two proposals for this work, draft-tschofenig-ipsecme-ikev2-resumption and draft-xu-ike-sa-sync. They have both gone through revisions and been discussed on the mailing list.
		
		The charter is quite clear that the Working Group is supposed to produce one extension, not two. Because of that, I have had to pick the one that would be best for the Working Group to work on. Based on the discussion on the list and a careful reading of the latest version of the two drafts, and comparing the two drafts to the charter requirement above, I have chosen draft-tschofenig-ipsecme-ikev2-resumption as the starting point for the Working Group. (My co-chair recused himself from the decision because he is co-author on one of the candidate documents.)
		
		In discussing this decision offline with the co-authors of draft-xu-ike-sa-sync, they have expressed a desire to have the Working Group decide between the two documents. I explained that it is, in fact, the job of the chair to pick documents and authors; the Working Group's task is to make the work items be as good as possible. I based my decision on the completeness of the two proposed solutions and how well each proposal matched the charter. In the end, the two proposed solutions would be technically quite similar when draft-xu-ike-sa-sync was more complete and removed the extraneous material.
		
		Further, the co-authors of draft-xu-ike-sa-sync have repeatedly said that they do not like the restrictions in the charter; my response to them is the same as it is to the WG, namely that re-opening the charter discussion at this point is a waste of time and is not an option.
		
		Given that, I request that the co-authors of draft-tschofenig-ipsecme-ikev2-resumption prepare to submit draft-ietf-ipsecme-ikev2-resumption-00 on Monday, Nov. 17. It should match draft-tschofenig-ipsecme-ikev2-resumption-01 exactly, other than the draft name change. The WG can start discussing the current draft-tschofenig-ipsecme-ikev2-resumption draft immediately.
		
		--Paul Hoffman, Director
		--VPN Consortium
		_______________________________________________
		IPsec mailing list
		IPsec@ietf.org
		https://www.ietf.org/mailman/listinfo/ipsec
		

