Hello all,
Unfortunately I won't be able to attend today's session due to a conflict,
however I'd like to suggest the following privacy concerns for the charter:
1) Improving the privacy of servers that obfuscate IKEv2/IPsec using TLS.
Today thanks to RFC 8229 it is possible to run an IKEv2/IPsec server on TCP
port 443 with TLS.
However if a government agent tries to send an SA_INIT over that it will
discover that this server runs IKEv2/IPsec, and may blacklist it.
2) Improving the privacy of the initiator's identity in the presence of a man
in the middle attacker.
Today an attacker with full control of the network can receive the IDi/IDr
sent by the initiator in the first AUTH packet.
I would like to add making IKEv2 resilient to these attack to the charter.
These attacks could be resolved using an HMAC extension to IKE_SA_INIT using a
pre-shared key, for example.
I had written up a proposed solution here:
https://www.ietf.org/mail-archive/web/ipsec/current/msg11575.html
<https://www.ietf.org/mail-archive/web/ipsec/current/msg11575.html>
Regardless of the solution, I think there is value in adding these items to the
charter.
Thanks,
David Schinazi
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
