TCP Encapsulation of IKE and IPsec Packets
draft-ietf-ipsecme-tcp-encaps-10

• Status
• IESG evaluation record
• IESG writeups
• Email expansions
• History

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, ekr@rtfm.com, ipsecme-chairs@ietf.org, kivinen@iki.fi, Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'TCP Encapsulation of IKE and IPsec Packets' to Proposed Standard (draft-ietf-ipsecme-tcp-encaps-10.txt)

The IESG has approved the following document:
- 'TCP Encapsulation of IKE and IPsec Packets'
  (draft-ietf-ipsecme-tcp-encaps-10.txt) as Proposed Standard

This document is the product of the IP Security Maintenance and Extensions
Working Group.

The IESG contact persons are Kathleen Moriarty and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-tcp-encaps/

Ballot Text

Technical Summary

This document describes a method to transport IKE and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP.  This method, referred to as TCP encapsulation, involves sending both IKE packets for Security Association establishment and ESP packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP.


Working Group Summary

The draft came to the working group out of a need to standardize a push towards adding TCP support for IKE that was coming from several sources (VPN vendors and cellular carriers using IKE for telephony services). Some of the major changes that the WG made early on compared to existing proposals from external bodies was to remove the reliance on encapsulating IKE traffic within TLS. Much of the other WG discussion later on in review revolved around how to best manage the connection establishment and teardown transitions.
  

Document Quality

There are several early implementations of the protocol that were made to test interoperability (notably, Cisco and Apple). The draft also received input from vendors that have previously deployed proprietary versions of IPsec over TCP.


Personnel

 The Document Shepherd is Tero Kivinen. The responsible ADs are Kathleen Moriarty (with Eric Rescorla taking custody for IESG revies).

RFC Editor Note