[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The remaining IKEv2 issues
I must have missed the resolution on issue 64, can someone remind me of
the resolution
and rationale?
Thanks,
Jeff
Theodore Ts'o wrote:
> Last week on August 12, Angelos posted a status of the remaining issues
> reamining open on the IKEv2 document at the end of wg last call, and
> thos that were closed as of the -09 document. The only comments made to
> Angelos' issues were some editorial nits raised by Abraham Shacham,
> which were recorded in the issue tracker as issue #66.
>
> Of the remaining issues left open per Angelos' message of August 12:
>
> 1: (Rekeyed SA use)
> 7: (Fragmentation negotiation (before/after IPsec processing)
> 10: (NAT Traversal support)
> 16: (Negotiate ToS in IKEv2)
> 41: (NAT traversal missing text)
> 55: (ICMP fields as selectors ?)
> 64: (Use the SPI of SA being rekeyed in a notify payload during rekey)
> 65: (EAP)
>
> Issues 1, 10, 41, 55, and 64 were actually addressed in the -09, but had
> not been marked as closed.
>
> Of the remaining three issues:
>
> 7: (Fragmentation negotiation (before/after IPsec processing)
> 16: (Negotiate ToS in IKEv2)
> 65: (EAP)
>
> There does not seem to be consensus for issue #7, and this is something
> which can be added later as an extension to IKE if and when there is
> consensus. Nor does it seem that the lack the ability to do red side
> fragmentation (and the ability to forbid black side fragmentation) to be
> a fundemental lack in the IKEv2 specification. (Indeed, it has been
> pointed out that the transmitter can not guarantee that other gateways
> might fragmented encrypted packets, and that this situation might change
> dynamically as routing changes.)
>
> Issue #16 is something which has yet to be discussed as part of the RFC
> 2401-bis discussion. As we discussed earlier, if we came to consensus
> before this document exited IETF last call, subject to AD approval, we
> could add the necessary text to support TOS selectors to the IKE
> specification. (The IKEv2 specification has a dependency on RFC
> 2401-bis, so it can't be published by the RFC editor until we finish RFC
> 2401-bis anyway.) Alternatively, if we do not come to consensus,
> support for TOS selectors can be added in a subsequent document easily
> enough.
>
> The final issue #65, concerns whether or not non key-generating EAP
> methods should be supported, in order to avoid a Man-in-the-middle
> attack (MITM) attack. However, as Charlie has pointed out, as used in
> IKEv2, the server is authenticated with a certificate before the
> authentication code is passed. In addition, given the requirement to
> support one-time password and Generic Token cards, we can not forbid the
> use of non-kg EAP schemes. Hence, given that the MITM attack which was
> the concern raised by issue #65 is not an issue for IKEv2, we believe
> that this is not something that should hold back the publication of
> IKEv2 as a Proposed Standard.
>
> Charlie has just put out the -10 version of the IKEv2 document, which
> addresses the editorial nits which were raised by Abraham Shacham and
> others after -09 was released. With these issues closed (or as closed
> as they are going to be), we believe that the -10 version is ready for
> IETF last call, once it the -10 version has been processed by the IETF
> secretariat.
>
> - Ted and Barbara
>
>
>