datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

IP Security Maintenance and Extensions
charter-ietf-ipsecme-09

WG Review Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: ipsecme WG <ipsec@ietf.org> 
Subject: WG Review: IP Security Maintenance and Extensions (ipsecme)

The IP Security Maintenance and Extensions (ipsecme) working group in the
Security Area of the IETF is undergoing rechartering. The IESG has not
made any determination yet. The following draft charter was submitted,
and is provided for informational purposes only. Please send your
comments to the IESG mailing list (iesg at ietf.org) by 2013-01-09.

IP Security Maintenance and Extensions (ipsecme)
------------------------------------------------
Current Status: Active Working Group

Chairs:
  Paul Hoffman <paul.hoffman@vpnc.org>
  Yaron Sheffer <yaronf.ietf@gmail.com>

Assigned Area Director:
  Sean Turner <turners@ieca.com>

Mailing list
  Address: ipsec@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/ipsec
  Archive: http://www.ietf.org/mail-archive/web/ipsec/

Charter of Working Group:

 The IPsec suite of protocols includes IKEv1 (RFC 2409
 and associated RFCs), IKEv2 (RFC 5996), and the IPsec
 security architecture (RFC 4301). IPsec is widely
 deployed in VPN gateways, VPN remote access clients,
 and as a substrate for host-to-host, host-to-network,
 and network-to-network security.

 The IPsec Maintenance and Extensions Working Group
 continues the work of the earlier IPsec Working Group
 which was concluded in 2005. Its purpose is to maintain
 the IPsec standard and to facilitate discussion of
 clarifications, improvements, and extensions to IPsec,
 mostly to IKEv2. The working group also serves as a
 focus point for other IETF Working Groups who use IPsec
 in their own protocols.

 The current work items include:

 In an environment with many IPsec gateways and remote
 clients that share an established trust infrastructure
 (in a single administrative domain or across multiple
 domains), customers want to get on-demand point-to-point
 IPsec capability for efficiency. However, this cannot be
 feasibly accomplished only with today's IPsec and IKE due
 to problems with address lookup, reachability, policy
 configuration, and so on.

 The IPsecME Working Group will handle this large scale
 VPN problem by:

  * Creating a problem statement document including use
    cases, definitions and proper requirements for discovery
    and updates. This document would be solution-agnostic.

  * Publishing a common solution for the discovery and
    update problems that will satisfy the requirements
    in the problem statement document.  The working group
    may standardize one of the vendor solutions, a combination,
    an superset of such a solution, or a new protocol.

  * Reviewing and helping publish Informational documents
    describing current vendor proprietary solutions.

 Recently discovered incorrect behavior of ISPs poses a
 challenge to IKE, whose UDP messages (especially #3 and #4)
 sometimes get fragmented at the IP level and then dropped
 by these ISPs. There is interest in solving this issue by
 allowing transport of IKE over TCP; this is currently
 implemented by some vendors. The group will standardize such
 a solution, using draft-nir-ipsecme-ike-tcp as a starting point.

 The WG will review and possibly revise the list of mandatory-to-
 implement algorithms for ESP and AH based on five years of experience 
 with newer algorithms and cryptographic modes. This work will be based 
 on draft-mcgrew-ipsec-me-esp-ah-reqts.

 The WG will update the way IKEv2 uses public keys that are
 trusted out-of-band (that is, not through a common PKIX trust
 anchor). This work will be based on
 draft-kivinen-ipsecme-oob-pubkey.

 The WG will revise the IKEv2 specification with a small number
 of mandatory tests required for the secure operation of IKEv2
 when using elliptic curve cryptography. This work will be based
 on draft-sheffer-ipsecme-dh-checks.

 This charter will expire in November 2015 (24 months from approval).
 If the charter is not updated before that time, the WG will be
 closed and any remaining documents revert back to individual
 Internet-Drafts.



Milestones:
  Done     - WG last call on IPv6 configuration payloads
  Done     - WG last call on IPsec roadmap
  Done     - WG last call on session resumption
  Done     - WG last call on redirect
  Done     - WG last call on IKEv2bis
  Done     - WG last call on ESP NULL traffic visibility
  Done     - WG last call on HA requirements
  Done     - WG last call on quick crash discovery
  Done     - WG last call on EAP-only authentication
  Nov 2012 - IETF Last Call on large scale VPN use cases and requirements
  Feb 2013 - IETF Last Call on IKE over TCP
  Jun 2013 - IETF Last Call on large scale VPN protocol



WG Action Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: ipsecme WG <ipsec@ietf.org> 
Subject: WG Action: Rechartered IP Security Maintenance and Extensions (ipsecme)

The IP Security Maintenance and Extensions (ipsecme) working group in the
Security Area of the IETF has been rechartered. For additional
information please contact the Area Directors or the WG Chairs.

IP Security Maintenance and Extensions (ipsecme)
------------------------------------------------
Current Status: Active Working Group

Chairs:
  Paul Hoffman <paul.hoffman@vpnc.org>
  Yaron Sheffer <yaronf.ietf@gmail.com>

Assigned Area Director:
  Sean Turner <turners@ieca.com>

Mailing list
  Address: ipsec@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/ipsec
  Archive: http://www.ietf.org/mail-archive/web/ipsec/

Charter of Working Group:

 The IPsec suite of protocols includes IKEv1 (RFC 2409
 and associated RFCs), IKEv2 (RFC 5996), and the IPsec
 security architecture (RFC 4301). IPsec is widely
 deployed in VPN gateways, VPN remote access clients,
 and as a substrate for host-to-host, host-to-network,
 and network-to-network security.

 The IPsec Maintenance and Extensions Working Group
 continues the work of the earlier IPsec Working Group
 which was concluded in 2005. Its purpose is to maintain
 the IPsec standard and to facilitate discussion of
 clarifications, improvements, and extensions to IPsec,
 mostly to IKEv2. The working group also serves as a
 focus point for other IETF Working Groups who use IPsec
 in their own protocols.

 The current work items include:

 In an environment with many IPsec gateways and remote
 clients that share an established trust infrastructure
 (in a single administrative domain or across multiple
 domains), customers want to get on-demand point-to-point
 IPsec capability for efficiency. However, this cannot be
 feasibly accomplished only with today's IPsec and IKE due
 to problems with address lookup, reachability, policy
 configuration, and so on.

 The IPsecME Working Group will handle this large scale
 VPN problem by:

  * Creating a problem statement document including use
    cases, definitions and proper requirements for discovery
    and updates. This document would be solution-agnostic.

  * Publishing a common solution for the discovery and
    update problems that will satisfy the requirements
    in the problem statement document.  The working group
    may standardize one of the vendor solutions, a combination,
    an superset of such a solution, or a new protocol.

  * Reviewing and helping publish Informational documents
    describing current vendor proprietary solutions.

 Recently discovered incorrect behavior of ISPs poses a
 challenge to IKE, whose UDP messages (especially #3 and #4)
 sometimes get fragmented at the IP level and then dropped
 by these ISPs. There is interest in solving this issue by
 allowing transport of IKE over TCP; this is currently
 implemented by some vendors. The group will standardize such
 a solution, using draft-nir-ipsecme-ike-tcp as a starting point.

 The WG will review and possibly revise the list of mandatory-to-
 implement algorithms for ESP and AH based on five years of experience 
 with newer algorithms and cryptographic modes. This work will be based 
 on draft-mcgrew-ipsec-me-esp-ah-reqts.

 The WG will update the way IKEv2 uses public keys that are
 trusted out-of-band (that is, not through a common PKIX trust
 anchor). This work will be based on
 draft-kivinen-ipsecme-oob-pubkey.

 The WG will revise the IKEv2 specification with a small number
 of mandatory tests required for the secure operation of IKEv2
 when using elliptic curve cryptography. This work will be based
 on draft-sheffer-ipsecme-dh-checks.

 This charter will expire in January 2015 (24 months from approval).
 If the charter is not updated before that time, the WG will be
 closed and any remaining documents revert back to individual
 Internet-Drafts.



Milestones:
  Done     - WG last call on IPv6 configuration payloads
  Done     - WG last call on IPsec roadmap
  Done     - WG last call on session resumption
  Done     - WG last call on redirect
  Done     - WG last call on IKEv2bis
  Done     - WG last call on ESP NULL traffic visibility
  Done     - WG last call on HA requirements
  Done     - WG last call on quick crash discovery
  Done     - WG last call on EAP-only authentication
  Nov 2012 - IETF Last Call on large scale VPN use cases and requirements
  Feb 2013 - IETF Last Call on IKE over TCP
  Feb 2013 - IETF LC new MITM algorithms
  Apr 2013 - IETF LC out-of-band public key draft
  Jun 2013 - IETF Last Call on large scale VPN protocol



Ballot Announcement