[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IKE V2 Open Issues

To: ipsec@lists.tislabs.com
Subject: IKE V2 Open Issues
From: "Theodore Ts'o" <tytso@mit.edu>
Date: Wed, 09 Apr 2003 17:14:46 -0400
Phone: (781) 391-3464
Sender: owner-ipsec@lists.tislabs.com


After the San Francisco IETF meeting, we left with a couple of issues
that were settled at the meeting, and which need to be confirmed on
the list.  Those issues are:

	1.  Revisiting the decision reached in Atlanta concerning
		suites vs. ala carte negotiation to use an ala carte
		style negotiation

	2.  Keeping the Me Tarzan, You Jane feature

	3.  Identity handling (although the conensus on this issue was
		somewhat rough.  Please see the expanded discussion in
		a follow on message.)

I will be sending out separate messages for each of these issues to
make it easier to manage the thread of discussion on these items.


Left open at San Francisco was the disposition of Configuration
Payload versus DHCP over IKE.  Tero has last week posted to the list
three documents which document DHCP over IKE.  We invite people to
read these documents and to comment on them.


Finally, there has also been a number of new (or re-opened) issues
that have bubbled up on the list since the San Francisco.  These are:

1) Hugo's proposal to change legacy authentication to protect the
initiator's identity against active attacks.  After looking at the
discussion, Barbara and I have concluded that the impacts of moving
around various protocol elements introduces numerous additional
complexities which will be hard to address at this late date.  Russ
with his AD hat on set as the bar, "if the changes are the least bit
onerous, then this should not be done".  We believe these changes meet
that test.

2) Tero's proposal for a new source-address-changed notification
payload.  We proposed in San Francisco that issues regarding address
management be considered out of scope, and deferred to another working
group.  Tero's proposal is short and self-contained, hopefully
non-controversial.  If so, it seems reasonable to the wg chairs that
it be included in ikev2.  If there are any questions or debate over
this item, however, we feel it should be defered to another working
group.

3) Uri's AES PRF proposal.  The cryptographers are arguing amongst
themselves; we don't want to get involved.  We suggest that the Crypto
group in the IRTF review it, and if they give us their blessing we can
standardize it in a separate standalone document.

4) Michael Richardson's proposal to define separate payload numbers
for IDi and IDr.  Seems simple enough, and not controversial; let's
just do it.

5) Lack of definition of the COOKIE_REQUIRED notify payload.
Charlie's suggestion to delete the COOKIE_REQUIRED payload and simply
to use the COOKIE payload is simple, and non-controversial.


After reviewing the open issues, we believe that we are really close to
finishing IKEv2.  We had originally targetted WG last call for April
15th.  That's only a week away, but if we can come to closure quickly on
the DHCP/IKE vs. CP issue, we belive we should be able to close the
other issues in time to meet that deadline.

						Ted and Barbara

Follow-Ups:
- Re: IKE V2 Open Issues
  - From: Hugo Krawczyk <hugo@ee.technion.ac.il>
- Re: IKE V2 Open Issues
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
- Re: IKE V2 Open Issues
  - From: Derek Atkins <derek@ihtfp.com>
- Re: IKE V2 Open Issues
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: IKE V2 Open Issues
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Confirm Suites v. a la carte decision.
Next by Date: Re: Question on SA Bundle
Prev by thread: Re: Confirm Suites v. a la carte decision.
Next by thread: Re: IKE V2 Open Issues
Index(es):
- Date
- Thread