Hi Tero,

Here is proposed charter text for the "Mitigating privacy concerns" section:

IKEv2 is currently vulnerable to the two following privacy concerns:

1) It's not possible to run a server that obfuscates IKEv2/IPsec using TLS.

Today, thanks to RFC 8229, it is possible to run an IKEv2/IPsec server on TCP port 443 with TLS. However, if a government agent tries to send an SA_INIT over that, it will discover that this server runs IKEv2/IPsec, and may blacklist it. We should add a mechanism to IKEv2 that allows the server to only respond to SA_INIT from known entities (e.g. that possess a shared secret).

2) The privacy of the initiator's identity in the presence of a man-in-the-middle attacker is not protected.

Today an attacker with full control of the network can receive the IDi/IDr sent by the initiator in the first AUTH packet. We should add a mechanism to IKEv2 that allows the initiator to only send IDi/IDr to known entities (e.g. that possess a shared secret).

Thanks,
David Schinazi

> On Nov 16, 2017, at 22:35, mohamed.boucad...@orange.com wrote:
>
> Dear Tero,
>
> It seems that you missed this text for the address failure codes (Nov 13):
> https://www.ietf.org/mail-archive/web/ipsec/current/msg11724.html
>
> I'm resending it fwiw:
>
> RFC7296 defines a generic notification code that is related to a
> failure to handle an internal address failure. That code does not
> explicitly allow an initiator to determine why a given address family
> is not assigned, nor whether it should try using another address
> family. The Working Group will specify a set of more specific
> notification codes that will provide sufficient information to the
> IKEv2 initiator about the encountered failure.
>
> Cheers,
> Med
>
>> -----Original Message-----
>> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Tero Kivinen
>> Sent: Friday, November 17, 2017 06:21
>> To: ipsec@ietf.org
>> Subject: [IPsec] Candidate charter text is now in wiki
>>
>> I put the candidate charter text to the wiki. This includes the
>> changes in the first two paragraphs, removes items already done, and
>> list of new items. I have not yet added the items that came too late
>> to have charter text bashed in the meeting to the wiki.
>>
>> For those items which do not have text yet, it would be good idea if
>> those people could send new proposed text to the list so we could bash
>> those at the same time as we go and check the other pieces.
>>
>> So read that candidate charter text and comment it on the list.
>>
>> Wiki address is https://trac.ietf.org/trac/ipsecme/wiki/recharter2017
>> --
>> kivi...@iki.fi
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
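Added example, not code from David's message or from any IKEv2 implementation: a toy sketch in Python of item 1 above, a responder that answers an SA_INIT-like request only when the initiator proves knowledge of a shared secret, and otherwise stays silent. The message layout (SPIi || Ni || tag), the HMAC-SHA256 tag over SPIi and Ni, the context label, the replay cache and the sample secret are all assumptions of this sketch; none of it is the RFC 7296 wire format or anything RFC 8229 defines.

```python
"""Toy gate: answer IKE_SA_INIT only when the initiator proves it knows a shared secret.

Added example, not code from the thread or from any IKEv2 implementation.
The message layout is a constructed stand-in, not the RFC 7296 wire format,
and the tag mechanism is an assumed design sketch of the proposal above.
"""
import hashlib
import hmac
import os
from typing import Optional

SPI_LEN = 8
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output
INIT_LEN = SPI_LEN + NONCE_LEN + TAG_LEN
CONTEXT = b"ike-sa-init-gate"  # assumed label; keeps the tag distinct from other uses of the secret


def make_tag(secret: bytes, spi_i: bytes, nonce: bytes) -> bytes:
    """Proof of possession of `secret`, bound to this request's SPIi and Ni."""
    return hmac.new(secret, CONTEXT + spi_i + nonce, hashlib.sha256).digest()


def build_sa_init(secret: Optional[bytes], spi_i: Optional[bytes] = None,
                  nonce: Optional[bytes] = None) -> bytes:
    """Initiator side.  secret=None models a stock client or a scanner that does
    not know the secret: it sends the same layout with an all-zero tag field."""
    spi_i = spi_i if spi_i is not None else os.urandom(SPI_LEN)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    tag = make_tag(secret, spi_i, nonce) if secret is not None else bytes(TAG_LEN)
    return spi_i + nonce + tag


class Responder:
    """Responder side.  Anything that fails the gate is dropped silently, so a
    probe sees the same thing it would see from a host running no IKE at all."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # (SPIi, Ni) pairs already answered: a captured valid request must not
        # be replayable to confirm that this host speaks IKE.
        self.answered = set()

    def handle(self, msg: bytes) -> Optional[bytes]:
        if len(msg) != INIT_LEN:          # malformed or untagged request: drop
            return None
        spi_i = msg[:SPI_LEN]
        nonce = msg[SPI_LEN:SPI_LEN + NONCE_LEN]
        tag = msg[SPI_LEN + NONCE_LEN:]
        if not hmac.compare_digest(tag, make_tag(self.secret, spi_i, nonce)):
            return None                   # unknown entity: drop
        key = (spi_i, nonce)
        if key in self.answered:
            return None                   # replayed request: drop
        self.answered.add(key)
        spi_r = os.urandom(SPI_LEN)
        nonce_r = os.urandom(NONCE_LEN)
        return spi_i + spi_r + nonce_r    # SA_INIT-like response: SPIi || SPIr || Nr


def demo() -> dict:
    """The cases a reviewer of the proposal would ask about, as a name -> answered? map."""
    secret = b"constructed-shared-secret"   # constructed sample value
    r = Responder(secret)
    known = build_sa_init(secret)
    return {
        "known_initiator_answered": r.handle(known) is not None,
        "replay_answered": r.handle(known) is not None,
        "untagged_probe_answered": r.handle(build_sa_init(None)) is not None,
        "wrong_secret_answered": r.handle(build_sa_init(b"other-secret")) is not None,
        "short_garbage_answered": r.handle(b"\x00" * 10) is not None,
    }


if __name__ == "__main__":
    for case, answered in demo().items():
        print(f"{case}: {answered}")
```

Two caveats the sketch makes visible. Without the replay cache, anyone who captures one valid request from a legitimate client can resend it and get a reply, which is exactly the confirmation a scanner wants; a real responder would need to bound that cache (time window or a time-based component in the tag). And this only addresses item 1: the tag proves the initiator knows the secret, but says nothing about the responder, so gating IDi/IDr in item 2 would need the responder to prove itself before the initiator releases its identity.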