Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET
Yaron Sheffer <yaronf@checkpoint.com> Tue, 27 October 2009 16:19 UTC
From: Yaron Sheffer <yaronf@checkpoint.com>
To: "Frankel, Sheila E." <sheila.frankel@nist.gov>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 27 Oct 2009 18:13:48 +0200
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213B2C@il-ex01.ad.checkpoint.com>
References: <063.783474ea3d34b716e39da24271b27cac@tools.ietf.org> <D7A0423E5E193F40BE6E94126930C4930789878B75@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930789878B75@MBCLUSTER.xchange.nist.gov>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, Tero Kivinen <kivinen@iki.fi>, "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>
Subject: Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET
I'm OK with this text. Typo: know => known in the last sentence.

Yaron

> -----Original Message-----
> From: Frankel, Sheila E. [mailto:sheila.frankel@nist.gov]
> Sent: Tuesday, October 27, 2009 17:46
> To: ipsec@ietf.org
> Cc: Paul Hoffman; Yaron Sheffer; suresh.krishnan@ericsson.com; Tero Kivinen
> Subject: RE: [ipsecme] #114: Expired drafts, especially BEET
>
> #114: Expired drafts, especially BEET
>
> Proposed changes to Roadmap doc:
>
> 1) Sheila and Suresh do not advocate the addition of the BEET Internet
> Draft to this doc, so no change is required for that.
>
> 2) Add text to the introductory section for IKEv1, Section 4.1.1:
>
> Additional text:
>
> IKE is the preferred key management protocol for IPsec. It is used for
> peer authentication; to negotiate, modify and delete SAs; and to
> negotiate authenticated keying material for use within those SAs. The
> standard peer authentication methods used by IKEv1 (pre-shared secret
> keys and digital certificates) had several shortcomings related to use
> of IKEv1 to enable remote user authentication to a corporate VPN: it
> could not leverage the use of legacy authentication systems (e.g.
> RADIUS databases) to authenticate a remote user to a security gateway;
> and it could not be used to configure remote users with network
> addresses or other information needed in order to access the internal
> network.
>
> Two Internet Drafts were written to address these problems: Extended
> Authentication within IKE (XAUTH) (draft-beaulieu-ike-xauth) and The
> ISAKMP Configuration Method (draft-dukes-ike-mode-cfg). These drafts
> did not progress to RFC status due to security flaws and other problems
> related to these solutions. However, many current IKEv1 implementations
> incorporate aspects of these solutions to facilitate remote user access
> to corporate VPNs. Since these solutions were not standardized, there is
> no assurance that the implementations adhere fully to the suggested
> solutions, or that one implementation can interoperate with others that
> claim to incorporate the same features. Furthermore, these solutions
> have know security issues. Thus, use of these solutions is not
> recommended, and these Internet Drafts are not specified in this
> roadmap.
>
> ________________________________________
> From: ipsecme issue tracker [trac@tools.ietf.org]
> Sent: Friday, October 16, 2009 8:29 PM
> To: paul.hoffman@vpnc.org; Frankel, Sheila E.
> Subject: [ipsecme] #114: Expired drafts, especially BEET
>
> #114: Expired drafts, especially BEET
> -----------------------------------+----------------------------------------
>  Reporter:  paul.hoffman@...       |       Owner:  sheila.frankel@...
>      Type:  defect                 |      Status:  new
>  Priority:  normal                 |   Milestone:
> Component:  roadmap                |    Severity:  -
>  Keywords:                         |
> -----------------------------------+----------------------------------------
>  Sheila would like to see ESP BEET mode referenced, since it's more widely
>  implemented than other docs that are mentioned. However, it is not on
>  track to becoming an RFC.
>
>  Also, there are some who want to mention other very widely implemented
>  (expired) drafts which will never come out as RFCs, namely IKEv1
>  configuration mode (draft-dukes-ike-mode-cfg-02) and IKEv1 xauth
>  (draft-beaulieu-ike-xauth-02).
>
>  RESPONSE: We will mention the expired drafts in the IKEv1 section of the
>  roadmap doc, explaining that many implementations implement these 2 drafts
>  to enable road warrior (user) authentication. The wording will include
>  cautions about their use: security issues, implementation/interoperability
>  problems, etc.
>
>  Wording is needed.
>
> --
> Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/114>
> ipsecme <http://tools.ietf.org/ipsecme/>