datatracker.ietf.org
Version 5.6.4.p1, 2014-10-20

IP Security Maintenance and Extensions (ipsecme)

Group
Name: IP Security Maintenance and Extensions
Acronym: ipsecme
Area: Security Area (sec)
State: Active
Charter: charter-ietf-ipsecme-09 (Approved)
Personnel
Chairs: Paul Hoffman <paul.hoffman@vpnc.org>
Yaron Sheffer <yaronf.ietf@gmail.com>
Area Director: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Mailing List
Address: ipsec@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/ipsec
Archive: http://www.ietf.org/mail-archive/web/ipsec/
Jabber Chat
Room Address: xmpp:ipsecme@jabber.ietf.org
Logs: http://jabber.ietf.org/logs/ipsecme/

Charter for Working Group

The IPsec suite of protocols includes IKEv1 (RFC 2409
and associated RFCs), IKEv2 (RFC 5996), and the IPsec
security architecture (RFC 4301). IPsec is widely
deployed in VPN gateways, VPN remote access clients,
and as a substrate for host-to-host, host-to-network,
and network-to-network security.

The IPsec Maintenance and Extensions Working Group
continues the work of the earlier IPsec Working Group
which was concluded in 2005. Its purpose is to maintain
the IPsec standard and to facilitate discussion of
clarifications, improvements, and extensions to IPsec,
mostly to IKEv2. The working group also serves as a
focus point for other IETF Working Groups who use IPsec
in their own protocols.

The current work items include:

In an environment with many IPsec gateways and remote
clients that share an established trust infrastructure
(in a single administrative domain or across multiple
domains), customers want to get on-demand point-to-point
IPsec capability for efficiency. However, this cannot be
feasibly accomplished only with today's IPsec and IKE due
to problems with address lookup, reachability, policy
configuration, and so on.

The IPsecME Working Group will handle this large scale
VPN problem by:

* Creating a problem statement document including use
cases, definitions and proper requirements for discovery
and updates. This document would be solution-agnostic.

* Publishing a common solution for the discovery and
update problems that will satisfy the requirements
in the problem statement document. The working group
may standardize one of the vendor solutions, a combination,
a superset of such a solution, or a new protocol.

* Reviewing and helping publish Informational documents
describing current vendor proprietary solutions.

Recently discovered incorrect behavior of ISPs poses a
challenge to IKE, whose UDP messages (especially #3 and #4)
sometimes get fragmented at the IP level and then dropped
by these ISPs. There is interest in solving this issue by
allowing transport of IKE over TCP; this is currently
implemented by some vendors. The group will standardize such
a solution, using draft-nir-ipsecme-ike-tcp as a starting point.

The WG will review and possibly revise the list of
mandatory-to-implement algorithms for ESP and AH based on five
years of experience with newer algorithms and cryptographic modes.
This work will be based on draft-mcgrew-ipsec-me-esp-ah-reqts.

The WG will update the way IKEv2 uses public keys that are
trusted out-of-band (that is, not through a common PKIX trust
anchor). This work will be based on
draft-kivinen-ipsecme-oob-pubkey.

The WG will revise the IKEv2 specification with a small number
of mandatory tests required for the secure operation of IKEv2
when using elliptic curve cryptography. This work will be based
on draft-sheffer-ipsecme-dh-checks.

This charter will expire in January 2015 (24 months from approval).
If the charter is not updated before that time, the WG will be
closed and any remaining documents revert back to individual
Internet-Drafts.

Milestones

Done: WG last call on IPv6 configuration payloads
Done: WG last call on IPsec roadmap
Done: WG last call on session resumption
Done: WG last call on redirect
Done: WG last call on IKEv2bis
Done: WG last call on ESP NULL traffic visibility
Done: WG last call on HA requirements
Done: WG last call on quick crash discovery
Done: WG last call on EAP-only authentication
Jun 2013: IETF Last Call on large scale VPN use cases and requirements
Dec 2013: IETF Last Call on IKE fragmentation solution
Feb 2014: IETF Last Call on new mandatory-to-implement algorithms
Jun 2014: IETF Last Call on large scale VPN protocol