IP Security Maintenance and Extensions

Document Proposed charter IP Security Maintenance and Extensions WG (ipsecme)
Title IP Security Maintenance and Extensions
Last updated 2018-03-28
State Informal IESG review Rechartering
WG State Active
IESG Responsible AD Eric Rescorla
Charter Edit AD Kathleen Moriarty
Telechat date (None)
Send notices to ipsecme-chairs@tools.ietf.org


A growing number of use cases for constrained network - but not
limited to - have shown interest in reducing ESP (resp. IKEv2)
overhead by compressing ESP (resp IKEv2) fields. The WG will define
extensions of ESP and IKEv2 to enable ESP header compression.

draft-mglt-ipsecme-diet-esp and
draft-mglt-ipsecme-ikev2-diet-esp-extension are expected to be good
starting points for ESP compression.
draft-smyslov-ipsecme-ikev2-compression and
draft-smyslov-ipsecme-ikev2-compact are good starting point for IKEv2

RFC7427 allows peers to indicate hash algorithms they support, thus
eliminating ambiguity in selecting a hash function for digital
signature authentication. However, advances in cryptography lead to a
situation when some signature algorithms have several signature
formats. A prominent example is RSASSA-PKCS#1 and RSASSA-PSS, however
it is envisioned that the same situation may repeat in future with
other signature algorithms. Currently IKE peers have no explicit way
to indicate each other which signature format(s) the support, that

leads to ineroperability problems. The WG will investigate the
situation and come up with a solution that allows peers to deal with
the problem in an interoperable way.

RFC7296 defines a generic notification code that is related to a
failure to handle an internal address failure. That code does not
explicitly allow an initiator to determine why a given address family
is not assigned, nor whether it should try using another address
family. The Working Group will specify a set of more specific
notification codes that will provide sufficient information to the
IKEv2 initiator about the encountered failure.
draft-boucadair-ipsecme-ipv6-ipv4-codes could be used as a starting
point for this item.

Some systems support security labels (aka security context) as one of
the selectors of the SPD. This label needs to be part of the IKE
negotiation for the IPsec SA. non-standard implementations exist for
IKEv1 (formerly abusing IPSEC Security Association Attribute 10, now
using private space IPSEC Security Association Attribute 32001). The
work is to standarize this for IKEv2, in a way that will be backwards
compatible with old implementations, meaning it must not require any
changes to implementations not supporting this.

This charter will expire in December 2019. If the charter is not
updated before that time, the WG will be closed and any remaining
documents revert back to individual Internet-Drafts.

Proposed milestones

No milestones for charter found.