The Internet network security protocol suite, IPsec, consisting of
IKE, ESP, and AH, generally requires authentication of network layer
entities to bootstrap security. This authentication can be based on
mechanisms such as pre-shared symmetric keys, certificates and
associated asymmetric keys, or the use of Kerberos. The need to
deploy authentication information and its associated identities to
network layer entities can be a significant obstacle to use of
network security. This document explains the rationale for extending
the Internet network security suite to enable use of IPsec security
mechanisms without authentication. These extensions are intended to
protect communication in a "better than nothing" (BTNS) fashion. The
extensions may be used on their own (Stand Alone BTNS, or SAB), or
may be useful in providing network layer security that can be
authenticated by higher layers in the protocol stack, called Channel
Bound BTNS (CBB). This document also explains situations in which use
of SAB and CBB extensions are appropriate.
Working Group Summary
This document is a product of the Better Than Nothing Security (BTNS)
This document was reviewed by Sam Hartman for the IESG.
The Document Shepherd for this document is Julien Laganier (BTNS
co-chair) and the Responsible Area Director is Tim Polk.