[saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
Thomas Narten <narten@us.ibm.com> Wed, 25 August 2010 13:21 UTC
Return-Path: <narten@us.ibm.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 572813A697A for <saag@core3.amsl.com>; Wed, 25 Aug 2010 06:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.272
X-Spam-Level:
X-Spam-Status: No, score=-106.272 tagged_above=-999 required=5 tests=[AWL=0.327, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxIa46GaRMsx for <saag@core3.amsl.com>; Wed, 25 Aug 2010 06:21:06 -0700 (PDT)
Received: from e6.ny.us.ibm.com (e6.ny.us.ibm.com [32.97.182.146]) by core3.amsl.com (Postfix) with ESMTP id 0FFDF3A6AED for <saag@ietf.org>; Wed, 25 Aug 2010 06:21:05 -0700 (PDT)
Received: from d01relay07.pok.ibm.com (d01relay07.pok.ibm.com [9.56.227.147]) by e6.ny.us.ibm.com (8.14.4/8.13.1) with ESMTP id o7PDLJva024684 for <saag@ietf.org>; Wed, 25 Aug 2010 09:21:19 -0400
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215]) by d01relay07.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id o7PDL9qW123066 for <saag@ietf.org>; Wed, 25 Aug 2010 09:21:09 -0400
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1]) by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id o7PDL8Jp007552 for <saag@ietf.org>; Wed, 25 Aug 2010 09:21:08 -0400
Received: from cichlid.raleigh.ibm.com (sig-9-65-249-38.mts.ibm.com [9.65.249.38]) by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id o7PDKwAo006756 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Wed, 25 Aug 2010 09:20:59 -0400
Received: from cichlid.raleigh.ibm.com (cichlid.raleigh.ibm.com [127.0.0.1]) by cichlid.raleigh.ibm.com (8.14.4/8.12.5) with ESMTP id o7PDKvI3030865 for <saag@ietf.org>; Wed, 25 Aug 2010 09:20:58 -0400
Message-Id: <201008251320.o7PDKvI3030865@cichlid.raleigh.ibm.com>
To: saag@ietf.org
Date: Wed, 25 Aug 2010 09:20:57 -0400
From: Thomas Narten <narten@us.ibm.com>
Subject: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2010 13:21:07 -0000
To recap, I presented on the issue of updating the IPsec/IKEv2 text at the 6man meeting in Maastricht, as well as at the SAAG meeting. My sense of both of those discussions is that there is support for changing the general recommendation to a SHOULD. I got some good feedback in SAAG about the wording (refer to the security architecture generally rather than IKEv2, etc.). New proposed text below. This text would go into draft-ietf-ipv6-node-requirements, which updates RFC 4294. Comments? Thomas 10. Security This section describes the specification for security for IPv6 nodes. Achieving security in practice is a complex undertaking. Operational procedures, protocols, key distribution mechanisms, certificate management approaches, etc. are all components that impact the level of security actually achieved in practice. More importantly, deficiencies or a poor fit in any one individual component can significantly reduce the overall effectiveness of a particular security approach. IPsec provides channel security at the Internet layer, making it possible to provide secure communication for all (or a subset of) communication flows at the IP layer between pairs of internet nodes. IPsec provides sufficient flexibility and granularity that individual TCP connections can (selectively) be protected, etc. Although IPsec can be used with manual keying in some cases, such usage has limited applicability and is not recommended. A range of security technologies and approaches proliferate today (e.g., IPsec, TLS, SSH, etc.) No one approach has emerged as an ideal technology for all needs and environments. Moreover, IPsec is not viewed as the ideal security technology in all cases and is unlikely to displace the others. Previously, IPv6 mandated implementation of IPsec and recommended the key management approach of IKE. This document updates that recommendation by making support of the IP Security Architecture [RFC 4301] a SHOULD for all IPv6 nodes. Note that the IPsec Architecture requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both manual and automatic key management. Currently the default automated key management protocol to implement is IKEv2. This document recognizes that there exists a range of device types and environments where other approaches to security than IPsec can be justified. For example, special-purpose devices may support only a very limited number or type of applications and an application- specific security approach may be sufficient for limited management or configuration capabilities. Alternatively, some devices my run on extremely constrained hardware (e.g., sensors) where the full IP Security Architecture is not justified. 10.1. Requirements "Security Architecture for the Internet Protocol" [RFC4301] SHOULD be supported by all IPv6 nodes. Note that the IPsec Architecture requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both manual and automatic key management. Currently the default automated key management protocol to implement is IKEv2. 10.2. Transforms and Algorithms The current set of mandatory-to-implement algorithms for the IP Security Architcture are defined in 'Cryptographic Algorithm Implementation Requirements For ESP and AH' [RFC4835]. IPv6 nodes implementing the IP Security Architecture MUST conform to the requirements in [RFC4835]. Preferred cryptographic algorithms often change more frequently than security protocols. Therefore implementations MUST allow for migration into new algorithms, as RFC4835 is replaced or updated in the future.
- [saag] IPv6 Node Requirements: Updated IPsec/IKEv… Thomas Narten
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Joe Touch
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Joe Touch
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Paul Hoffman
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Michael Richardson
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Michael Richardson
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Nicolas Williams
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Joe Touch
- Re: [saag] [IPsec] IPv6 Node Requirements: Update… Thomas Narten