Recently discovered incorrect behavior of ISPs poses a
challenge to IKE, whose UDP messages (especially #3 and #4)
sometimes get fragmented at the IP level and then dropped
by these ISPs. There is interest in solving this issue by
allowing transport of IKE over TCP; this is currently
implemented by some vendors. The group will standardize such
a solution.

The working group had already reached consensus not to support two
different fragmentation solutions and to only support
draft-smyslov-ipsecme-ikev2-fragmentation, after Yoav's IKE TCP
presentation, I believe in London? So I don't think this item belongs
on the agenda, unless we are looking at revising that earlier decision.

We have a fragmentation draft (almost) past IESG review. So we're not
revising any decision. "The group will standardize such a solution" is
still correct, until we actually publish the document.

Goals and Milestones:
Done - IETF Last Call on large scale VPN use cases and requirements
Done - IETF last call on IKE fragmentation solution
Done - IETF last call on new mandatory-to-implement algorithms
[No current milestones]

Could we add something about assisting Opportunistic Encryption, or
whatever term will be used? There is the auth_none draft, and there
will be an OE draft by the libreswan team soon. Those will end up in
ipsecme.

Quoting the new text, the group "will only take on new work items if a
strong community interest can be seen." Do we have other people
supporting such an addition to the charter?

Paul
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec