ipsec October 2009 archive

Re: [IPsec] [ipsecme] #114: Expired drafts, especially BEET

From: Yaron Sheffer <yaronf_at_nospam>
Date: Tue Oct 27 2009 - 16:13:48 GMT
To: "Frankel, Sheila E." <sheila.frankel@nist.gov>, "ipsec@ietf.org" <ipsec@ietf.org>

I'm OK with this text. Typo: know => known in the last sentence.


> -----Original Message-----
> From: Frankel, Sheila E. [mailto:sheila.frankel@nist.gov]
> Sent: Tuesday, October 27, 2009 17:46
> To: ipsec@ietf.org
> Cc: Paul Hoffman; Yaron Sheffer; suresh.krishnan@ericsson.com; Tero
> Kivinen
> Subject: RE: [ipsecme] #114: Expired drafts, especially BEET
> #114: Expired drafts, especially BEET
> Proposed changes to Roadmap doc:
> 1) Sheila and Suresh do not advocate the addition of the BEET Internet
> Draft to this doc, so no change is required for that.
> 2) Add text to the introductory section for IKEv1, Section 4.1.1:
> Additional text:
> IKE is the preferred key management protocol for IPsec. It is used for
> peer authentication; to negotiate, modify and delete SAs; and to
> negotiate authenticated keying material for use within those SAs. The
> standard peer authentication methods used by IKEv1 (pre-shared secret keys
> and digital certificates) had several shortcomings related to use of IKEv1
> to enable remote user authentication to a corporate VPN: it could not
> leverage the use of legacy authentication systems (e.g. RADIUS databases)
> to authenticate a remote user to a security gateway; and it could not be
> used to configure remote users with network addresses or other information
> needed in order to access the internal network.
> Two Internet Drafts were written to address these problems: Extended
> Authentication within IKE (XAUTH) (draft-beaulieu-ike-xauth) and The ISAKMP
> Configuration Method (draft-dukes-ike-mode-cfg). These drafts did not
> progress to RFC status due to security flaws and other problems related to
> these solutions. However, many current IKEv1 implementations incorporate
> aspects of these solutions to facilitate remote user access to corporate
> VPNs. Since these solutions were not standardized, there is no assurance
> that the implementations adhere fully to the suggested solutions, or that
> one implementation can interoperate with others that claim to incorporate
> the same features. Furthermore, these solutions have know security issues.
> Thus, use of these solutions is not recommended, and these Internet Drafts
> are not specified in this roadmap.
> ________________________________________
> From: ipsecme issue tracker [trac@tools.ietf.org]
> Sent: Friday, October 16, 2009 8:29 PM
> To: paul.hoffman@vpnc.org; Frankel, Sheila E.
> Subject: [ipsecme] #114: Expired drafts, especially BEET
> #114: Expired drafts, especially BEET
> -----------------------------------+----------------------------------------
> Reporter: paul.hoffman@... | Owner: sheila.frankel@...
> Type: defect | Status: new
> Priority: normal | Milestone:
> Component: roadmap | Severity: -
> Keywords: |
> -----------------------------------+----------------------------------------
> Sheila would like to see ESP BEET mode referenced, since it's more widely
> implemented than other docs that are mentioned. However, it is not on
> track to becoming an RFC.
> Also, there are some who want to mention other very widely implemented
> (expired) drafts which will never come out as RFCs, namely IKEv1
> configuration mode (draft-dukes-ike-mode-cfg-02) and IKEv1 xauth (draft-
> beaulieu-ike-xauth-02).
> RESPONSE: We will mention the expired drafts in the IKEv1 section of the
> roadmap doc, explaining that many implementations implement these 2 drafts
> to enable road warrior (user) authentication. The wording will include
> cautions about their use: security issues, implementation/interoperability
> problems, etc.
> Wording is needed.
> --
> Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/114>
> ipsecme <http://tools.ietf.org/ipsecme/>

IPsec mailing list