+1

Speaking as an implementer, we have done something similar for our IKEv1 clients, and would be happy to have something standards-based for IKEv2.

I would be happy to see this work become an RFC.

Yoav

> On 4 Mar 2016, at 7:05 PM, Tommy Pauly <[email protected]> wrote:
>
> I would also like to see the draft for TCP encapsulation added as an item,
> since we’ve gotten a fair amount of support for it. For the purposes of the
> charter, it may be good to have a broader explanation of the goal—something
> to the effect that the working group should focus on making sure that IKEv2
> can be deployed more universally by taking into account limitations of
> various networks. Previous RFCs like IKE fragmentation have contributed to
> this; TCP encapsulation tries to solve another set of problematic networks;
> and we can imagine that there may be more to investigate, such as taking into
> account the limitations and requirements of IoT networks, etc.
>
> Tommy
>
>> On Mar 1, 2016, at 12:32 PM, Paul Wouters <[email protected]> wrote:
>>
>> S/mostly//
>>
>> Add IKE over tcp and DNS extensions for ikev2?
>>
>> Sent from my iPhone
>>
>>> On Mar 1, 2016, at 11:18, Paul Hoffman <[email protected]> wrote:
>>>
>>> Greetings. We need to update our charter to reflect our current and
>>> expected work. Dave and I propose the following text. Please let us know
>>> within the next week if you have suggestions for changes.
>>>
>>> --Paul Hoffman and Dave Waltermire
>>>
>>>
>>> The IPsec suite of protocols includes IKEv1 (RFC 2409 and associated RFCs),
>>> IKEv2 (RFC 7296), and the IPsec security architecture (RFC 4301). IPsec is
>>> widely deployed in VPN gateways, VPN remote access clients, and as a
>>> substrate for host-to-host, host-to-network, and network-to-network
>>> security.
>>>
>>> The IPsec Maintenance and Extensions Working Group continues the work of
>>> the earlier IPsec Working Group which was concluded in 2005. Its purpose is
>>> to maintain the IPsec standard and to facilitate discussion of
>>> clarifications, improvements, and extensions to IPsec, mostly to IKEv2.
>>> The working group also serves as a focus point for other IETF Working Groups
>>> who use IPsec in their own protocols.
>>>
>>> The current work items include:
>>>
>>> IKEv2 contains the cookie mechanism to protect against denial of service
>>> attacks. However this mechanism cannot protect an IKE end-point (typically,
>>> a large gateway) from "distributed denial of service", a coordinated attack
>>> by a large number of "bots". The working group will analyze the problem and
>>> propose a solution, by offering best practices and potentially by extending
>>> the protocol.
>>>
>>> IKEv2 utilizes a number of cryptographic algorithms in order to provide
>>> security services. To support interoperability a number of
>>> mandatory-to-implement (MTI) algorithms are defined in RFC4307. There is
>>> interest in updating the MTIs in RFC4307 based on new algorithms, changes
>>> to the understood security strength of existing algorithms, and the degree
>>> of adoption of previously introduced algorithms. The group will revise
>>> RFC4307 proposing updates to the MTI algorithms used by IKEv2 to address
>>> these changes.
>>>
>>> There is interest in supporting Curve25519 and Curve448 for ephemeral key
>>> exchange in the IKEv2 protocol. The group will extend the IKEv2 protocol to
>>> support key agreement using these curves and their related functions.
>>>
>>> This charter will expire in August 2016. If the charter is not updated
>>> before that time, the WG will be closed and any remaining documents revert
>>> back to individual Internet-Drafts.
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/ipsec
