ipsec October 2009 archive

Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET

From: Frankel, Sheila E. <sheila.frankel_at_nospam>
Date: Tue Oct 27 2009 - 15:46:18 GMT
To: "ipsec@ietf.org" <ipsec@ietf.org>

#114: Expired drafts, especially BEET

Proposed changes to Roadmap doc:

  1. Sheila and Suresh do not advocate the addition of the BEET Internet Draft to this doc, so no change is required for that.
  2. Add text to the introductory section for IKEv1, Section 4.1.1:

Additional text:

IKE is the preferred key management protocol for IPsec. It is used for peer authentication; to negotiate, modify and delete SAs; and to negotiate authenticated keying material for use within those SAs. The standard peer authentication methods used by IKEv1 (pre-shared secret keys and digital certificates) had several shortcomings related to use of IKEv1 to enable remote user authentication to a corporate VPN: it could not leverage the use of legacy authentication systems (e.g. RADIUS databases) to authenticate a remote user to a security gateway; and it could not be used to configure remote users with network addresses or other information needed in order to access the internal network.

Two Internet Drafts were written to address these problems: Extended Authentication within IKE (XAUTH) (draft-beaulieu-ike-xauth) and The ISAKMP Configuration Method (draft-dukes-ike-mode-cfg). These drafts did not progress to RFC status due to security flaws and other problems related to these solutions. However, many current IKEv1 implementations incorporate aspects of these solutions to facilitate remote user access to corporate VPNs. Since these solutions were not standardized, there is no assurance that the implementations adhere fully to the suggested solutions, or that one implementation can interoperate with others that claim to incorporate the same features. Furthermore, these solutions have known security issues. Thus, use of these solutions is not recommended, and these Internet Drafts are not specified in this roadmap.

From: ipsecme issue tracker [trac@tools.ietf.org]
Sent: Friday, October 16, 2009 8:29 PM
To: paul.hoffman@vpnc.org; Frankel, Sheila E.
Subject: [ipsecme] #114: Expired drafts, especially BEET

#114: Expired drafts, especially BEET
Reporter: paul.hoffman@ | Owner: sheila.frankel@
Type: defect | Status: new
Priority: normal | Milestone:
Component: roadmap | Severity: -
Keywords: |

 Sheila would like to see ESP BEET mode referenced, since it's more widely implemented than other docs that are mentioned. However, it is not on track to becoming an RFC.

 Also, there are some who want to mention other very widely implemented (expired) drafts which will never come out as RFCs, namely IKEv1 configuration mode (draft-dukes-ike-mode-cfg-02) and IKEv1 xauth (draft- -ike-xauth-02).

 RESPONSE: We will mention the expired drafts in the IKEv1 section of the roadmap doc, explaining that many implementations implement these 2 drafts to enable road warrior (user) authentication. The wording will include cautions about their use: security issues, implementation/interoperability problems, etc.

 Wording is needed.

--
Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/114>
ipsecme <http://tools.ietf.org/ipsecme/>

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec