Hi IPSECME,

We've just published a new revision of draft-xu-risav (now draft-xu-ipsecme-risav). This version has essentially the same structure overall: AS-to-AS IPsec, using the RPKI for advertisements and authentication, with support for ESP and AH. However, many details have been changed in order to conform better to existing (and proposed) IPsec standards.

Some major changes:

* The draft no longer requests a "RISAV-AH" IP protocol number. Instead, it "Updates" RFC 4302 to redefine some of the reserved bits in AH as a "Scope" field that allows unambiguous stacking of multiple AH headers for different purposes.
* We have removed the custom logic related to sequence numbers and multi-sender/multi-receiver. Instead, we hope to rely on IKEv2 improvements that are being proposed independently of RISAV.
* We added extensive discussion of compatibility with RFC 8200 (IPv6) and other standards, including a discussion of RISAV's MTU guarantees and how to achieve them.

We welcome your feedback on this revised draft.

--Ben Schwartz

---------- Forwarded message ---------

A new version of I-D, draft-xu-ipsecme-risav-00.txt has been successfully submitted by Benjamin M. Schwartz and posted to the IETF repository.

Name: draft-xu-ipsecme-risav
Revision: 00
Title: An RPKI and IPsec-based AS-to-AS Approach for Source Address Validation
Document date: 2023-03-07
Group: Individual Submission
Pages: 26
URL: https://www.ietf.org/archive/id/draft-xu-ipsecme-risav-00.txt
Status: https://datatracker.ietf.org/doc/draft-xu-ipsecme-risav/
Html: https://www.ietf.org/archive/id/draft-xu-ipsecme-risav-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-xu-ipsecme-risav

Abstract:
This document presents RISAV, a protocol for establishing and using IPsec security between Autonomous Systems (ASes) using the RPKI identity system. In this protocol, the originating AS adds authenticating information to each outgoing packet at its Border Routers (ASBRs), and the receiving AS verifies and strips this information at its ASBRs. Packets that fail validation are dropped by the ASBR. RISAV achieves Source Address Validation among all participating ASes.

The IETF Secretariat
